A critical vulnerability was found in the Coinomi crypto mobile wallet after a user lost $60k-70k of cryptocurrency shortly after installing the app. According to the affected user, the app sent seed phrases in plain text to a Google API for spellchecking.
IT security consultant Warith Al Maawali is credited with first discovering the problem. He made the discovery at the cost of his own crypto, and in response he set up the website avoid-coinomi.com detailing the events and cautioning others not to use the service.
“First of all I admit it was my mistake trusting Coinomi wallet by inserting one of my main wallets (Exodus wallet) passphrase into their application,” Al Maawali wrote on his website.
“I wanted to shift some of the assets that were not supported by Exodus wallet using the same passphrase/seed.”
The consultant went on to explain that Coinomi's main application, which he installed on February 14, was not digitally signed. He alerted the Coinomi team about this on Twitter, but by then he had already entered the passphrase for his Exodus wallet into the unsigned application.
He noticed afterward on February 22nd that “more than 90% of my Exodus wallet assets were transferred to multiple wallet addresses and the first transaction began with BTC on 19th February 2019 around UTC 3:30 AM. Then followed by ETH (including ERC20 tokens), LTC and finally BCH.”
When he began delving deeper into the matter, he found that the entire passphrase was sent in plain text to a third-party domain (googleapis.com) for spellchecking purposes.
“As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my USD 60K – USD 70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a cryptocurrency wallet,” u/warith wrote.
He alerted Coinomi of what he discovered, but he did not get the response he was expecting.
“Coinomi’s team did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation. They kept reminding me (kinda threatening me) of the legal implications if I go public with the information I have and they forgot their legal responsibility for my stolen crypto assets as well as the risk that impacts other users of the wallet.”
The user said he will take legal action against Coinomi LTD should the company not assume fault for the technical issue that caused him financial damage. He also received a reward from Coinomi for finding the bug, but he is not satisfied with the response given to him in relation to his lost funds.
Coinomi apparently fixed the bug without making a public statement. The company has identified the receiving addresses and blacklisted them, and the funds have not been moved since the incident.
This isn’t the first privacy breach Coinomi has experienced. Last year, the wallet leaked user addresses in plain text on opening.