
Software (and hardware) wallets are open to a bewildering array of attack vectors, because… well, money. Hackers will always be trying to exploit vulnerabilities or find back-doors. But Coinomi apparently made things a bit too easy, by sending the plain-text seed to a Google API for spellchecking.
How Do You Spell ‘Cleaned Out’?
The bug came to light after a user noticed that $60k-70k in funds had disappeared after installing the Coinomi wallet. The user had entered the passphrase for another wallet into the restore field, to move some unsupported assets. A week later 90% of his main funds were missing, consisting solely of the Coinomi-supported assets.
Some further investigation, using software to monitor HTTP traffic from running applications, revealed the bombshell: when a passphrase is entered in the ‘Restore Wallet’ field, it is sent in plain text to googleapis.com for spell-checking. You can witness this in the video below:
How Do You Spell ‘WTF’?
In fact, entering any random sentence with a spelling mistake produces a red underline once the spellchecker has done its business. But why on earth would a wallet ever need to send the seed (or any other text) to a spellchecker? Spoiler… it wouldn’t.
Apparently the software used to build Coinomi has spellchecking enabled by default on every text field. However, it is easy to disable this, and it is inexcusable that Coinomi did not do so for such sensitive data.
Also worth noting is that the plain-text seed is sent over a secure socket layer (TLS), so it is encrypted in transit. This means it should only be readable by Google itself, or by anyone else with access to the HTTP requests arriving at googleapis.com.
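As an added illustration (not code from the article or from Coinomi), here is a small lint over form markup that flags secret-entry fields left with the framework default of spellchecking on, and shows the hardened attribute set beside the weak one. The field names, the sample markup and the keyword list are constructed for the example; the attributes are those honoured by Chromium/WebKit-based text fields.

```javascript
// Added example, not code from the article or from Coinomi: a lint that scans
// HTML form markup for secret-entry fields (seed phrases, passphrases, private
// keys) still carrying the toolkit default of spellchecking on, which is how a
// plain-text seed can end up in a request to a spellcheck API.

const SECRET_NAME = /(seed|mnemonic|passphrase|recovery|private[-_]?key)/i;

// Attributes a secret-entry field should carry. spellcheck="false" is the one
// that keeps the text inside the app; the others stop local autocomplete,
// autocorrect (WebKit) and auto-capitalisation from touching it.
const REQUIRED = { spellcheck: "false", autocomplete: "off", autocorrect: "off", autocapitalize: "off" };

// Parse `name="value"` pairs (and bare boolean attributes) from a tag body.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*"([^"]*)")?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] === undefined ? "" : m[2];
  }
  return attrs;
}

// Return one finding per secret-entry field that lacks a required attribute.
function auditMarkup(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    const label = attrs.name || attrs.id || "";
    if (!SECRET_NAME.test(label)) continue;                        // not a secret-entry field
    if ((attrs.type || "").toLowerCase() === "password") continue; // password inputs are never spellchecked
    const missing = Object.keys(REQUIRED)
      .filter((k) => (attrs[k] || "").toLowerCase() !== REQUIRED[k]);
    if (missing.length > 0) findings.push({ field: label, missing });
  }
  return findings;
}

// Constructed sample: the weak field (toolkit default) beside the hardened one.
const WEAK_FIELD = '<textarea name="restore-seed" placeholder="Enter recovery phrase"></textarea>';
const FIXED_FIELD = '<textarea name="restore-seed" spellcheck="false" autocomplete="off" autocorrect="off" autocapitalize="off"></textarea>';
const SAMPLE_FORM = `<form>${WEAK_FIELD}<input type="text" name="wallet-label">${FIXED_FIELD}</form>`;

console.log(JSON.stringify(auditMarkup(SAMPLE_FORM), null, 2));
```

Running it reports only the first `restore-seed` field, with all four attributes missing; the label field and the hardened field pass.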
HDYS ‘Stay Safe Out There’?
Coinomi has apparently ‘quietly’ fixed the problem. But if your seed is already being held in plain text on a Google server somewhere, you might want to move your coins to a different wallet.
The user whose funds were stolen has been awarded a bug bounty by Coinomi, but is unhappy with their response regarding his funds. For their part, Coinomi have identified the addresses where the funds remain, untouched since the ‘incident’. These addresses have been blacklisted, so no exchange will deal with them, but the user is demanding a more immediate resolution.
This isn’t the first time that Coinomi has faced major privacy issues. Last year, there was an issue whereby the app was leaking user addresses in plain text on opening.
I warned people to stay away from last year after I discovered a major privacy issue where they were leaking all users' addresses in plain text as soon as you open the app.
— Luke Childs (@lukechilds)
Have you used Coinomi? Share your experiences below!
Images courtesy of Shutterstock
Published at Wed, 27 Feb 2019 15:19:12 +0000