Crypto Wallet Found Stealing Passwords
February 28, 2019 12:19 pm
It was recently discovered that the Coinomi wallet app sends user passphrases to Google’s spellcheck service in clear text. This exposed users’ confidential information and account credentials to anyone able to intercept the traffic through a man-in-the-middle (MitM) attack, who could then use the passphrase to empty the funds from a user’s wallet.
An Oman-based programmer, Warith Al Maawali, published an angry write-up after finding that 90 percent of his funds were missing.
Al Maawali said that when the Coinomi wallet is being set up, the passphrase the user selects is taken by the app from the passphrase box and sent to Google’s Spellcheck API service without the user’s consent.
He said that, like any other Chromium-based app, it comes with various integrated Google-centric features, which happen to include automatic spell check for all text input boxes.
The problem arises from the fact that the Coinomi team did not disable the spell check feature in the UI code for their wallet. This has led to a situation where user passphrases are leaked and exposed via HTTP during the initial setup.
Anyone capable of intercepting web traffic from the wallet app would be able to see the passphrase easily. This lets an attacker gain access to the user’s wallet via the restore-wallet functionality and reach all of the funds stored in it.
Al Maawali has no direct proof of how his own funds were lost, but he claims that only the funds stored in his Coinomi wallet were stolen, and that it is highly likely the attackers used this loophole to gain access to his account through his exposed passphrase.
“Anyone who is involved in the technology and cryptocurrency knows that 12 random English words separated by spaces will probably be a passphrase to a cryptocurrency wallet.”
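The failure mode described above (spell check left enabled on every text box, so the passphrase box is handed to the spell checker) and the observation in the quote that twelve space-separated English words are recognisable as a wallet passphrase, as an added JavaScript example that is not Coinomi’s or Al Maawali’s code. It assumes constructed field descriptors in place of real DOM elements and a BIP39-style word shape for the seed-phrase heuristic.

```javascript
// Added example, not code from Coinomi or from Al Maawali's write-up.
// auditFields(): which secret-bearing text boxes would a Chromium-based UI
//   still hand to the spell checker (no spellcheck="false", not type=password)?
// looksLikeSeedPhrase(): does a string look like a 12- or 24-word passphrase,
//   so an egress monitor can flag it leaving in a spell-check request body?

const SECRET_HINTS = /pass(word|phrase)|seed|mnemonic|recovery|secret/i;
const NON_TEXT_INPUTS = new Set(['password', 'hidden', 'checkbox', 'radio',
                                 'submit', 'button', 'file', 'number']);

// The article's premise: every editable text box is spell-checked unless the
// app turns it off. type="password" fields are never spell-checked by browsers.
function isSpellcheckable(field) {
  const tag = (field.tag || 'input').toLowerCase();
  const type = (field.type || 'text').toLowerCase();
  if (tag !== 'textarea' && (tag !== 'input' || NON_TEXT_INPUTS.has(type))) return false;
  return String(field.spellcheck).toLowerCase() !== 'false';
}

// Names of fields that both hold a secret (judged by name/id/autocomplete hint)
// and would still be sent to the spell checker.
function auditFields(fields) {
  return fields
    .filter(f => isSpellcheckable(f) &&
                 SECRET_HINTS.test([f.name, f.id, f.autocomplete].join(' ')))
    .map(f => f.name || f.id);
}

// Hardened copy of a field: spell check, autocorrect and autocomplete all off.
function hardenField(field) {
  return { ...field, spellcheck: 'false', autocomplete: 'off',
           autocorrect: 'off', autocapitalize: 'off' };
}

// Assumption (the article only says "12 random English words"): BIP39-style
// mnemonics are 12 or 24 lowercase words of 3 to 8 letters separated by spaces.
function looksLikeSeedPhrase(text) {
  const words = text.trim().split(/\s+/);
  return (words.length === 12 || words.length === 24) &&
         words.every(w => /^[a-z]{3,8}$/.test(w));
}

// Constructed wallet-setup form: only the passphrase box is both secret and
// still spell-checkable; the password field is exempt, the note is not secret.
const SAMPLE_FIELDS = [
  { tag: 'input', type: 'text', name: 'passphrase' },
  { tag: 'input', type: 'password', name: 'password' },
  { tag: 'textarea', name: 'wallet_note' },
  { tag: 'input', type: 'text', name: 'seed_words', spellcheck: 'false' },
];
```

auditFields(SAMPLE_FIELDS) returns ['passphrase'], and hardening that field with hardenField() removes it from the audit; looksLikeSeedPhrase() is the kind of check an egress proxy could apply to outbound spell-check request bodies.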
He went on to create a dedicated website describing this issue and the trouble he went through to get Coinomi to acknowledge the vulnerability.
Furthermore, he posted a proof-of-concept video, which was later verified and reproduced by Luke Childs, another security researcher and cryptocurrency enthusiast.
Luke Childs discovered a similar vulnerability back in 2016 in Coinomi’s Android app, which was communicating with backend services over plaintext HTTP. In both incidents, Coinomi refused to acknowledge and take responsibility for the issue. Moreover, the company deleted Childs’s bug report after a heated private discussion.
At the time of writing, Coinomi had not responded to requests for comment. The company currently offers wallet apps for Android, iOS, Mac, Linux, and Windows.
Al Maawali claims that he has lost between $60,000 and $70,000 in various cryptocurrencies. There have been similar complaints from users claiming that they lost their Coinomi holdings overnight.