Major security issue regarding the Coinomi Wallet has been found by security experts Jonathan Sterling and Luke Childs.
SECURITY VULNERABILITY: @CoinomiWallet sends your plain text seed phrase to Google's remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
— Luke Childs (@lukechilds) February 27, 2019
Founded back in 2014, Coinomi is the oldest multi-asset wallet available, with millions of active users. Coinomi is a security-first, multi-asset wallet for both mobile & desktop that provides native support and true ownership for as many as 125 blockchains & 382 tokens — a total of 507 assets.
According to the Reddit post that broke the news, the security professionals say:
“When you enter your seed phrase to recover a new wallet, the Coinomi app makes a request to Google's spellcheck API to spellcheck the seed phrase. Yup, I know. The plain text seed phrase is accessible to Google (although transport uses SSL so it's encrypted over the wire). However, this does mean that if you're using Coinomi your seed phrase is likely sitting in plain text logfiles at Google, accessible to a large number of employees.”
This is how Google ends up with your keys. Everyone should use a hardware wallet and never enter a private key or mnemonic into any device that is not isolated from the network.
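As an added defensive example (not code from the original post or from Coinomi): a coarse egress check that flags an outbound request whose body carries a mnemonic-shaped value, that is, a run of exactly 12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters, sent to a host outside an allowlist. The hostnames, the allowlist and the request records are constructed placeholders, and a production version would validate candidates against the full BIP39 wordlist and checksum rather than this shape heuristic.

```python
import json
import re
from urllib.parse import parse_qsl

# BIP39 mnemonics have one of these word counts; every word is 3-8 lowercase letters.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")

# Constructed allowlist: hosts the wallet is expected to talk to.
ALLOWED_HOSTS = {"wallet-backend.example"}


def looks_like_mnemonic(text):
    """Shape heuristic: exact mnemonic word count, every token a plausible BIP39 word."""
    words = text.strip().split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def candidate_strings(body):
    """Yield the whole body, every JSON string value, and every form-encoded value."""
    yield body
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, str):
            yield node
        elif isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    # parse_qsl also URL-decodes, so "abandon+ability" becomes "abandon ability".
    for _, value in parse_qsl(body, keep_blank_values=True):
        yield value


def scan_requests(requests):
    """Return (host, path) for each request leaking a mnemonic-shaped value off-allowlist."""
    findings = []
    for req in requests:
        if req["host"] in ALLOWED_HOSTS:
            continue
        if any(looks_like_mnemonic(s) for s in candidate_strings(req["body"])):
            findings.append((req["host"], req["path"]))
    return findings
```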
Credit for breaking this news goes to Warith Al Maawali, who found the vulnerability. He also claims to have lost about $70k of funds from his wallet, and says Coinomi is avoiding the question of whether they will reimburse him, which is why he has now decided to go public.
On his blog post, he writes:
“To understand how catastrophic the security issue is, they simply take your crypto-currency wallet’s passphrases/seeds and spell check it by sending it remotely to Google servers in clear plain text! They did not take the responsibility of my loss, I gave them more than 24 hours before full disclosure, they fixed the issue without notifying their users and they kept procrastinating like scumbags to buy more time.”
He summed it all up on his website, https://www.avoid-coinomi.com/.
Most users who noticed this vulnerability are shocked by it, and many say they will stop using the wallet.