A suspected vulnerability in Coinomi’s multi-asset wallet has recently been causing something of a stir on Reddit. According to reports, Coinomi has refused to take responsibility for the vulnerability and several people have already been affected.
Coinomi wallet vulnerability discovered
Specifically, the affair began to unravel when one person – with the username “Warith77” – posted to Reddit alleging that between $60,000 and $70,000 worth of cryptocurrency had been stolen from his Coinomi wallet.
In the thread, Warith77 recounts how he subsequently conducted extensive due diligence and was able to determine that the issue was caused by Coinomi – or specifically by how Coinomi handles passphrases.
This Reddit thread soon garnered substantial attention, and it turned out that other people had also been adversely affected by the vulnerability.
Worryingly, Warith77 noted that Coinomi had refused to take responsibility for the issue, and that all attempts to solve the matter through private channels had failed. As such, Warith77 took the issue public, and urged others to remove their funds from their Coinomi wallets.
This vulnerability reportedly stems from Coinomi sharing users’ plain-text passphrases with a third-party Google server for spell-checking purposes. This means that users’ cryptocurrency wallet passphrases/seeds are sent from Coinomi to Google’s remote spell-checker API as soon as they are entered.
As Warith77 puts it:
“So essentially the textbox which you enter your passphrase in, is basically an HTML file run by Chromium browser component and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for spelling check.”
Put simply, this means that the plain-text seed phrase is stored in log files at Google, where it is potentially accessible to any number of employees who have access to the technical back-end of the third-party server. A demo screen capture of approximately how this would work can be viewed here.
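The behaviour described above can be checked for in a wallet's own UI markup. The following is an added example, not code from Coinomi or from the Reddit post: it assumes the standard HTML `spellcheck` attribute is how a field opts out of spell checking, and it flags editable fields that do not opt out. The function names, sample markup and field ids are constructed for illustration.

```javascript
// Added example (not Coinomi's code): flag editable fields that leave spell
// checking on. `spellcheck` is inherited from ancestors unless overridden.
const VOID_TAGS = new Set(["input", "br", "img", "hr", "meta", "link"]);
const TEXT_INPUT_TYPES = new Set(["text", "search", "email", "url", "tel"]);

function parseAttrs(raw) {
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const pairs = [...raw.matchAll(re)].map((m) => [m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  return Object.fromEntries(pairs);
}

function isEditable(tag, a) {
  if (tag === "textarea") return true;
  if (tag === "input") return TEXT_INPUT_TYPES.has((a.type || "text").toLowerCase());
  return "contenteditable" in a && a.contenteditable.toLowerCase() !== "false";
}

function findSpellcheckExposedFields(html) {
  const findings = [];
  const stack = []; // open elements with their effective spellcheck state
  for (const [, close, name, rawAttrs] of html.matchAll(/<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g)) {
    const tag = name.toLowerCase();
    if (close) { // pop back to the matching open element
      const i = stack.map((e) => e.tag).lastIndexOf(tag);
      if (i !== -1) stack.length = i;
      continue;
    }
    const a = parseAttrs(rawAttrs);
    const own = "spellcheck" in a ? a.spellcheck.toLowerCase() : null;
    const inherited = stack.length ? stack[stack.length - 1].spell : "default";
    const spell = own === "false" ? "off" : own === "true" || own === "" ? "on" : inherited;
    if (isEditable(tag, a) && spell !== "off") {
      findings.push({ tag, id: a.id || a.name || "(unnamed)", spell });
    }
    if (!VOID_TAGS.has(tag)) stack.push({ tag, spell });
  }
  return findings;
}

// Constructed sample markup for a wallet restore screen.
const SAMPLE = `
<form id="restore" spellcheck="false"><textarea id="seed-ok"></textarea></form>
<div class="wallet">
  <textarea id="seed-phrase" placeholder="Enter your 24 words"></textarea>
  <input type="password" id="pin">
  <input type="text" id="label" spellcheck="false">
  <div id="notes" contenteditable="true"></div>
</div>`;
console.log(findSpellcheckExposedFields(SAMPLE));
```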
Coinomi users should be advised to move their funds ASAP
It is unclear why Coinomi performed a spell-check on passphrases to begin with. Moreover, it is unclear whether this is simply a careless blunder by Coinomi or the product of something purposefully fraudulent – although the result is nonetheless that innocent people have lost their funds.
As Warith77 writes, “[t]he team behind Coinomi are either extremely smart to add such backdoor so that when they get caught they would simply say it was an honest mistake or they are extremely stupid to overlook such security bug.”
Furthermore, Warith77 also stated that he will “start taking legal actions against the company behind Coinomi if they don’t act and take
This entire affair seems sketchy to say the least, and there is still some uncertainty surrounding it. In the meantime, however, Coinomi users should be strongly advised to move their funds to another wallet.
Rasmus Pihl is a writer for Toshi Times by day and an avid follower of the blockchain industry by night. Rasmus holds a Bachelor’s Degree in Marketing from the Gothenburg School of Business, Economics, and Law and runs a Swedish marketing consulting firm. Moreover, when he isn’t writing for Toshi Times, traveling, working or changing the world in some other capacity, Rasmus is more than likely caught up in postgraduate studies.