The Timeline of Events
On 22 Feb 2019 we were contacted by Warith Al Maawali via our Support Helpdesk regarding a security vulnerability in our Desktop wallets. We immediately flagged this request as High Priority and we started investigating this issue. The report said that seed phrases were being sent over to Google in plain text due to a built-in spell-check functionality in Desktop wallets and that there was a wallet hacked due to this vulnerability.
Our engineers confirmed that spell-check functionality was indeed enabled for the Desktop wallets only — the mobile apps were not affected by this.
However, unlike what was reported:
- The seed phrase wasn’t being transmitted in plain text, instead it was being encapsulated inside a HTTPS request with Google being the sole recipient
- The seed phrase wasn’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets
- The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²
Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only. That plugin enabled the spell-check functionality³ by default in a recent update and was fixed by the jxBrowser plug-in team just 6 days ago — which is the same day we were contacted by Warith Al Maawali. All Desktop versions were patched immediately after we received the full disclosure, and we then started further exploring the implications by this issue in order to provide our users with the proper guidance and inform them on the course of action that needed to be taken, if any.
During these days, Warith Al Maawali repeatedly refused to disclose his findings and kept threatening to take this public if we didn’t pay right away the ransom of 17 BTC which would make up for the “hacked” funds (stolen by Google, according to Warith Al Maawali) that are possibly still controlled by him and couldn’t have been hacked because of Coinomi for a series of reasons:
- Coinomi Team never had access to these seed phrases or funds
- No one else except from Google could read the contents of the encrypted packets that contained the seed phrases
- Google rejected these requests initiated by jxBrowser/Chromium as they were badly formed (didn’t contain a valid Google API key) and never actually processed them
What to do next
If you have been using Coinomi for Android or iOS there is no further action needed on your side; mobile versions were not affected by this.
If you are using Coinomi Desktops and you created a new wallet with your Desktop, again there’s no further action required other than updating your client to the latest (patched) version.
If you are using Coinomi Desktops and you restored an existing wallet into your Desktop wallet we recommend that you create a new wallet and move your funds there after you update your client to the latest (patched) version.
Given the facts above, it’s extremely unlikely that this issue would ever result in loss of funds, however under no circumstances a seed phrase should go online even if this is in encrypted mode and for this we sincerely apologize. Our Support is at your disposal on a 24/7 basis to guide you throughout the process if at any point you need a helping hand.
Conclusion
We have been successfully securing your blockchain assets since 2014 and this isn’t going to change now. We take security very seriously; we hire professional auditors and security experts to review our code and processes, and as a matter of fact these past few weeks we have been attending the details of an audit by KeyLabs.
We’ve had zero reports of hacked Desktop wallets so far other than Warith Al Maawali’s, which however cannot be sustained by the underlying facts — there is still way to investigate the authenticity of his claim and if the funds were indeed stolen it was much more likely due to an infected host rather than Google itself stealing these funds. If the claim is proven to be false we will seek remedies to set things straight and to prevent their reoccurrence.
Just like today, back in 2017 Luke Childs and Jonathan Sterling acted totally irresponsibly by disclosing their findings in public before making sure that we are aware of them (they never opened a ticket with our Support, the only formal way of contacting us back then). This could have set Coinomi users’ funds at risk if their security claims were true. Following the same paradigm, Warith Al Maawali acted equally irresponsible by disclosing this in public before allowing us to sit with Google and make sure that in the unlikely scenario that some seed phrases were captured by Google servers they would be wiped out immediately. Now it’s out of our hands thanks to Warith Al Maawali and Luke Childs who vigorously reproduced the news via their personal accounts. After the dust settles we all need to remember the names of those who chose self-assertion over general public safety and acted irresponsibly.
Going forward it should be noted that we are not negotiating with blackmailers and that we are totally open and transparent with the crypto community which we have been serving day and night for the past 5 years. Security vulnerabilities exist in all kinds of software and it is very important that when disclosed they are disclosed properly. If you are a security researcher and come up with a vulnerability that could affect other users too you must take into account how disclosing this info in public will affect those users, especially in financial applications that deal with people’s money. In other words, don’t be like the researchers mentioned above; be responsible. And just so that we don’t give the wrong impression here, we would like to thank Warith Al Maawali for disclosing his findings with us, Coinomi Desktops are more secure now more than ever thanks to him.
To sum things up: was there an issue with our Desktop wallets? Yes, there was, and it was fixed hours only after it was disclosed to us. Could this issue have resulted in loss of funds?
Practically, no, it couldn't have.
Update #1: You can now read the full Helpdesk correspondence between Warith Al Maawali and our Agents by clicking here.
Update #2: It should be noted that to date Warith Al Maawali has denied all identity verification requests, which is shady to say the least.
Update #3: CipherBlade has since published a forensics report on the story: https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af
¹ Google API HTTPS Response:
² We have asked Google to confirm that bad requests’ text body isn’t stored on their servers, we will update our statement accordingly.
³ By default, spell checker is enabled and configured to use English (en-US) language. Chromium engine checks text in all text fields and text areas on the loaded web page and highlights all misspelled words. Chromium supports both custom dictionary and dictionaries for different languages. It downloads the required dictionary locally for the current language automatically. You can also add words to your custom dictionary which is stored in Chromium user’s profile directory. When a text field or text area on the loaded web page receives focus, Chromium’s spell checker functionality automatically checks the text and highlights misspelled words.
