Coinomi Wallet Addresses Vulnerability Concerns

Published at: Feb. 27, 2019

Coinomi Wallet denied recent claims that its software sends wallet recovery seed phrases to Google’s remote spell checker servers in plain (unencrypted) text. The company refuted the claims in an official statement published on Feb. 27.

In the statement, Coinomi claims that, unlike what was reported, the seed phrase transmission was encrypted via SSL (HTTPS), with Google being the only recipient capable of decrypting the message.

Coinomi notes that the phrase was only transmitted if the user chose to restore his wallet and only on the desktop version. Finally, Coinomi states that the spell-check requests sent to Google were not cached or stored, since they were flagged as bad requests by the servers and were not processed further.

The cause of the problem was reportedly a bad configuration in a software plug-in included in the desktop version of Coinomi wallets.

The company claims that on Feb. 22 Warith Al Maawali opened a support request on its board regarding a vulnerability in its wallet which, according to Maawali, led to a wallet being hacked, as he claims on the dedicated website AvoidCoinomi.

Coinomi purportedly flagged the request as high priority and investigated the matter. The company’s COO, Angelos Leoussis, said on the firm’s official Telegram group that the user kept “threatening, swearing, and blackmailing us for insane amounts.”

While a video posted on AvoidCoinomi aims to demonstrate the alleged vulnerability, it appears to show that the option to decrypt HTTPS is selected in the software.

Leoussis shared an alleged copy of the conversation with Maawali with Cointelegraph, where the user suggests that the wallet contains a backdoor and declares:

“You have few hours to return my assets back or I will go public with all the the [sic] evidence against you.”

According to information shared with Cointelegraph, on Feb. 23 Maawali asked the company to refund the allegedly stolen crypto assets or their equivalent in dollars, stating that otherwise he has “no choice other than reporting this in social media.” Still, he did not share the details of his findings, saying that he would wait until the company showed its willingness to refund the allegedly stolen funds.

Per Leoussis, Coinomi responded that the company did not consider this to be a responsible disclosure and asked for details concerning the alleged vulnerability. Maawali seemingly responded to the request by stating that he would not disclose details without assurance of a refund.

On Feb. 26 Coinomi purportedly declared that the company will report the stolen assets to Chainalysis, which will blacklist the funds so no exchange will accept them.

In December 2018, researchers reportedly demonstrated that they were able to hack the Trezor One, Ledger Nano S and Ledger Blue hardware wallets. At the 35C3 Refreshing Memories conference, researchers used several different strategies to attempt to compromise the wallets. The Ledger team also claimed that the alleged vulnerabilities discovered in its hardware wallets were not critical.
