The Coinomi wallet has been sending users' passphrases to a Google spell-check service in plain text, exposing the recovery phrases to anyone in a position to read that traffic and opening the door to the theft of users' funds.
The problem came to light after programmer Warith Al Maawali, who discovered the gap while investigating the mysterious theft of about 90% of his funds, posted angrily about it on Twitter.
According to Al Maawali, when a user sets up a Coinomi wallet and enters a mnemonic (seed) phrase, the application captures the text as it is typed and automatically submits it, in plain text, to the Google spell-check API to check the spelling.
Like any other Chromium-based app, the wallet application inherits Google-oriented features such as automatic spell checking of every text input field. The problem appears to be that the Coinomi team never disabled this feature in the wallet's UI code, so the backup phrases of all of its users were sent out in plain text during installation and wallet setup.
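The failure described above is a missing `spellcheck="false"` on fields that receive secrets. The following is an added example, not Coinomi's code: a small audit that scans form markup for seed, mnemonic or passphrase fields that leave the browser spell checker at its default (enabled), plus the hardened markup such a field should carry. The attribute regexes, the `SENSITIVE_HINTS` pattern and the sample form are assumptions constructed for this illustration.

```javascript
// Added example (not Coinomi's code): audit form-field markup for
// seed/passphrase inputs that leave the browser spell checker enabled.
// Chromium runs its spell checker on every editable field unless the
// element carries spellcheck="false", so a mnemonic typed into such a
// field may be shipped to a remote spell-check service.

// Words that mark a field as secret-bearing (assumed list for this demo).
const SENSITIVE_HINTS = /seed|mnemonic|passphrase|recovery|private/i;

// Parse the attribute list of one tag into a lowercase-keyed map.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one finding per <input>/<textarea> whose name, id or placeholder
// looks like a secret field and that does not set spellcheck="false".
function auditSpellcheck(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[2]);
    const label = [attrs.name, attrs.id, attrs.placeholder].filter(Boolean).join(' ');
    if (!SENSITIVE_HINTS.test(label)) continue;
    const spell = (attrs.spellcheck ?? '').toLowerCase();
    if (spell !== 'false') {
      findings.push({
        tag: m[1].toLowerCase(),
        field: attrs.id || attrs.name || '(unnamed)',
        spellcheck: spell || '(absent: browser default, enabled)',
      });
    }
  }
  return findings;
}

// Hardened markup for a secret field: spell checking, autocomplete,
// autocorrect and autocapitalize all explicitly switched off.
function hardenedSecretField(id) {
  return `<textarea id="${id}" name="${id}" spellcheck="false" ` +
         `autocomplete="off" autocorrect="off" autocapitalize="off"></textarea>`;
}

// Constructed sample markup, modelled on a restore-wallet form.
const SAMPLE_FORM = `
<form>
  <input type="text" id="username" placeholder="Wallet name">
  <textarea id="seed" name="mnemonic" placeholder="Enter your 12-word seed"></textarea>
  <input type="password" id="passphrase" spellcheck="false">
  <textarea id='recovery-phrase' spellcheck=true></textarea>
</form>`;

// Report: two findings expected (the "seed" textarea with no attribute and
// the "recovery-phrase" textarea with spellcheck=true); the hardened field
// produces none.
console.log(JSON.stringify(auditSpellcheck(SAMPLE_FORM), null, 2));
console.log(JSON.stringify(auditSpellcheck(hardenedSecretField('seed'))));
```

The per-field attribute is only a hint to the renderer. A wallet shipped as a Chromium shell should also turn spell checking off at the application level (in Electron, for instance, via the `spellcheck` entry of a window's `webPreferences`) and confirm with a proxy or packet capture that nothing typed into the seed field leaves the machine.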
Anyone able to intercept the wallet application's web traffic could read the seed phrase unencrypted. With that phrase, an attacker can restore the wallet and take control of all the funds it holds.
Although Al Maawali has no conclusive proof that this is how the attackers got hold of his data, only the funds kept in the Coinomi wallet were stolen, and he sees no other way the cryptocurrency could have been taken than through access to the Coinomi mnemonic phrase.
“Anyone involved in technology and cryptocurrency knows what (…) 12 random English words separated by spaces most likely are: the passphrase for a cryptocurrency wallet,” said Al Maawali.
The researcher set up a dedicated website describing the problem and the effort he spent trying to get Coinomi to acknowledge the vulnerability. He also published a proof-of-concept video, which security researcher Luke Childs later independently verified and reproduced.
Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac and Windows, has not responded to the affected user's request for compensation for the stolen funds. However, an updated version of the application appeared the day after he contacted the company.
Al Maawali claims he lost between 60,000 and 70,000 US dollars in various cryptocurrencies. Other posts in the Coinomi thread on Reddit back up his account of the theft: users there complain that they woke up one morning to find all of their Coinomi wallets emptied overnight.