February 28, 2019 9:41 PM
After patching a bug, the provider claimed the security issue could not have resulted in funds being stolen.
provider Coinomi has to recent claims that the company’s software sends recovery seed phrases to Google’s remote spell checker servers in unencrypted text. According to Coinomi’s Medium post, the spell check requests “returned an error (code: 400) as they were flagged as ‘Bad Request’ and weren’t processed further by Google.”
Exchanging a Few Words
Warith Al Maawali created the website after finding the alleged vulnerability in the Coinomi desktop . Like other software wallets, Coinomi uses a 12-word seed phrase in the event a user needs to restore a , forgets their pin, or needs to transfer funds to a new device. On his website, Maawali explains that, while restoring his Coinomi on his desktop, his seed phrases were in “clear plain text” (unencrypted) to googleapis.com, a domain name owned by Google that acts as a spellcheck function. The feature is supposedly meant to make it easier for users to spot typos while entering in their seed phrases.
Maawali posted a of the alleged vulnerability to the avoid-coinomi website. He claimed the bug resulted in $60,000 to $70,000 worth of being stolen from his by “someone from Google’s team” or whoever had access to the Google server. As for how the alleged hacker knew the 12 words were a part of a recovery phrase, Maawali states: “Anyone who is involved in technology and crypto-currency knows that a [sic] 12 random English words separated by spaces will probably be a passphrase to a crypto-currency !”
Maawali alerted Coinomi to the supposed bug via email on February 22. The provider then the conversation that took place between Maawali and Coinomi. In the conversation, Maawali asked that Coinomi “refund the stolen amount of coins or their value in USD and consider it as a ‘bug bounty reward’ … otherwise I have no choice other than reporting this in social media.” Coinomi then asked for a video call to be held for “KYC purposes,” to which Maawali replied: “Tomorrow I am going live with this as well as sending a copy to the authorities I will let the authorities and public deal with you [sic]. All I am asking to get my funds back 65k-70k or 17 in value.” Finally, Coinomi took to Twitter to that the company does not “negotiate with blackmailers.”
Coinomi’s Defense
On February 27, Coinomi posted its official statement on Medium, addressing the vulnerability claim. According to Coinomi, the bug was a result of a “bad configuration option in a plug-in used in Desktop wallets only.” The plug-in enabled the spellcheck function by default, and the team patched the desktop version of their on February 22, the day Maawali first got in contact.
The statement also questions the validity of Maawali’s theft claims, stating that Maawali repeatedly refused to disclose his findings and that the could not have been hacked for three reasons:
“Coinomi Team never had access to these seed phrases or funds. No one else except for Google could read the contents of the encrypted packets that contained the seed phrases. Google rejected these requests … as they were badly formed (didn’t contain a valid Google API key) and never actually processed them.”
The statement notes that, with the patch to desktop wallets, Android and iOS users do not need to take any actions to secure their wallets, while desktop users just need to make sure they have updated to the latest patched version.
Responding to Coinomi’s Response
With Coinomi’s statement claiming outright that this issue could not have resulted in a loss of funds, MyCrypto founder and CEO Taylor Monahan took to Twitter to discuss the kind of language and tone used by Coinomi. In a series of tweets, Monahan criticized Coinomi’s of the claims made against its software and its of bug reporters. Eventually, MyCrypto posted its own on Medium, outlining positive and helpful steps to take in the event of a security incident.
Nicholas Ruggieri studied English with an emphasis in creative writing at the University of Nevada, Reno. When he’s not quoting Vines at anyone who’s willing to listen, you’ll find him listening to too many podcasts, reading too many books, and crocheting too many sweaters for his , RT and Peterman.
ETHNews is committed to its
Like what you read? Follow us on to receive the latest Coinomi, or other wallets and exchanges .
Published at Thu, 28 Feb 2019 22:14:09 +0000
