Altcoin News: Coinomi User Lost $70,000 Due to Spell-Check Function
A user of the Bitcointalk forum posting under the nickname warith (Warith Al Mawali) claims that he lost $60,000 to $70,000 because of a vulnerability in the popular cryptocurrency wallet Coinomi.
In a detailed report he states that on February 14 he downloaded and installed the Coinomi desktop application and then entered into it the seed phrase (passphrase) of his main wallet, which he had created with Exodus.
“I trusted them because I downloaded the software from their website, the setup file was digitally signed and was mentioned by several reputable websites such as bitcoinwiki.org. I wanted to shift some of the assets that were not supported by Exodus wallet using the same passphrase/seed,” he writes.
On February 22 the user noticed in the Exodus interface that 90% of the assets in his wallet had been transferred to various addresses: first the Bitcoin, then ETH, ERC20 tokens, LTC and finally BCH. Only assets that Exodus supported but Coinomi did not remained in the wallet.
“I started monitoring the traffic by running Fiddler in the background and then started the Coinomi wallet. The first thing I noticed is that the Coinomi application starts downloading a dictionary wordlist from the following web address:
Then I clicked on restore wallet and pasted a random passphrase and suddenly the screen screamed SURPRISE MOTHER****** (boom puzzle solved!)”
He then typed a random seed phrase into the wallet-restore field and found that it was sent, in plain text, to googleapis.com (a domain owned by Google) for spell checking. As a second check he entered a misspelled word, which, as expected, was underlined in red.
“So essentially the textbox which you enter your passphrase in is basically an HTML file run by a Chromium browser component, and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for spelling check (how awesome is that!)
As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!” writes warith.
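How the leak described above arises, shown as an added example that is neither Coinomi's code nor the forum user's: a seed-entry field in Chromium-hosted (Electron-style) HTML with spell checking left at its default, the hardened markup beside it, a small audit that flags such fields, and the kind of check one would run over a captured request body to spot a seed phrase the way the user did in Fiddler. The markup, the request body, its method name and field layout are all constructed for illustration and are not taken from the wallet or from a real capture.

```javascript
// Added example, not Coinomi's code: a seed-entry field hosted in Chromium
// (Electron-style HTML) with spell checking left at its default, the hardened
// markup beside it, an audit that flags such fields, and the check one would
// run over a captured request body. All markup and the request are constructed.

// Weak form (constructed): a text field with no spellcheck attribute. Chromium
// treats an editable field as spell-checkable by default, so what is typed can
// be handed to a remote spelling service.
const WEAK_FORM = `
<form id="restore">
  <textarea id="seed" placeholder="Enter your 12-word passphrase"></textarea>
  <button type="submit">Restore wallet</button>
</form>`;

// Hardened form (constructed): spell checking, autocompletion and autocorrection
// are explicitly switched off on the field that receives the secret.
const HARDENED_FORM = `
<form id="restore">
  <textarea id="seed" spellcheck="false" autocomplete="off"
            autocorrect="off" autocapitalize="off"
            placeholder="Enter your 12-word passphrase"></textarea>
  <button type="submit">Restore wallet</button>
</form>`;

// Parse the attribute list of one opening tag into a lower-cased name/value map.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || '').toLowerCase();
  }
  return attrs;
}

// Return the ids of <textarea> and text-like <input> elements that do not set
// spellcheck="false". Password inputs are skipped: browsers never spell-check them.
function findSpellcheckedTextFields(html) {
  const offenders = [];
  const tagRe = /<(textarea|input)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[2]);
    const textLike = m[1].toLowerCase() === 'textarea' ||
      !attrs.type || ['text', 'search', 'url', 'email'].includes(attrs.type);
    if (textLike && attrs.spellcheck !== 'false') {
      offenders.push(attrs.id || '(no id)');
    }
  }
  return offenders;
}

// A run of exactly 12 or 24 lowercase words is very likely a BIP39 seed phrase;
// this is the heuristic the forum user applied by eye to the Fiddler capture.
function looksLikeSeedPhrase(text) {
  const words = text.trim().split(/\s+/);
  return (words.length === 12 || words.length === 24) &&
    words.every(w => /^[a-z]+$/.test(w));
}

// Constructed request body standing in for a captured spell-check request; the
// method name and field layout are assumptions, not a real capture. The phrase is
// the first twelve words of the BIP39 English list, used as a test value only.
const CAPTURED_BODY = JSON.stringify({
  method: 'spelling.check',
  params: { text: 'abandon ability able about above absent absorb abstract absurd abuse access accident' },
});

// Extract the "text" field from a captured JSON request body and return it when it
// looks like a seed phrase, or null otherwise.
function findLeakedPhrase(body) {
  const m = /"text"\s*:\s*"([^"]*)"/.exec(body);
  return m && looksLikeSeedPhrase(m[1]) ? m[1] : null;
}

console.log('weak form offenders:', findSpellcheckedTextFields(WEAK_FORM));         // ['seed']
console.log('hardened form offenders:', findSpellcheckedTextFields(HARDENED_FORM)); // []
console.log('leaked phrase:', findLeakedPhrase(CAPTURED_BODY));
```

The audit is deliberately a plain regex pass so it can run over packaged app resources without a DOM; in an Electron build the same result can be enforced globally by disabling the spell checker in the window's web preferences, but the per-field attributes above are what keep a secret-entry box out of any spell-check path regardless of the host.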
The Coinomi team has not officially commented on the incident. The author, however, states that the company deleted its reply to his claim on Twitter and gave evasive answers in private correspondence, and adds that he intends to take legal action against the company if it continues to avoid liability.
Update: In a conversation with Trustnodes, a Coinomi spokesman said that the problem affected only the desktop version of the wallet and not users on mobile devices. He also claimed that the requests to Google were encrypted and malformed, which is why Google did not process them, and that spell checking was performed locally. He added that this was an unofficial answer and that an official response would follow. According to him, the problem had been fixed three days earlier.
Author: Marko Vidrih
Image credit Bitcointalk — warith