Redditor Claims Theft of $70,000 in Life Savings Due to Critical Coinomi Wallet Bug
Originally published on: CCN
Read the original article
February 27, 2019
According to cryptocurrency investor Warith Al Mawali, he has lost all of his life savings in the tune of $60,000 to $70,000 on Coinomi, a widely utilized crypto wallet on Android.
In a detailed report, Mawali claimed that a critical vulnerability found on the wallet led to the loss of user funds as it compromised the private key of his wallet.
SECURITY VULNERABILITY@CoinomiWallet sends your plain text seed phrase to Googles remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
— Luke Childs (@lukechilds) February 27, 2019
In cryptocurrency, a private key is referred to as the passphrase of a digital asset wallet. If the private key is lost, it cannot be recovered and the fund stored within it is lost permanently.
“My passphrase was compromised and $60K-$70K worth of cryptocurrency were stolen because of Coinomi wallet and how the wallet handled my passphrase. I’m disclosing this issue publicly because Coinomi refused to take the responsibility and all my attempts through private channels have failed,” the investor said.
What Went Wrong on the Crypto Wallet?
Coinomi reportedly switched from being an open-source to a closed-source project in 2018.
As such, since last year, the codebase of the wallet had not been shared with the public, disallowing the open-source community from reviewing the codebase and finding potential bugs or vulnerabilities.
The vulnerability that allegedly led to the loss of Mawali’s funds on Coinomi, based on the analysis performed by the investor, is the automatic function of Coinomi’s textbox that runs spellcheck through googleapis.com when the passphrase or private key is entered.
“So essentially the textbox which you enter your passphrase in, is basically an HTML file ran by Chromium browser component and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for spelling check,” Mawali said, after running Fiddler to monitor and debug all HTTP/HTTPS traffic from Coinomi.
The investor added that whoever gained access to the leaked private key then used it to steal $60,000 to $70,000 worth of cryptocurrencies.
As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth crypto assets (at current market price).
Philipp Seifert at imToken, which operates one of the largest Ethereum wallets in the global market, criticized the process in which Coinomi handled the situation.
— Philipp Seifert (@Philiff) February 27, 2019
If the user did lose his life savings through a critical vulnerability, which is yet to be confirmed, Seifert stated that the company should have responded in the fullest extent to help the user.
Mawali claimed that a customer representative at Coinomi said he is eligible for a bounty in discovering the vulnerability but the investor claimed he had not received compensation for the incident.
On February 23, the Coinomi team requested Mawali to provide detailed disclosure of his findings but it remains unclear at this stage whether the conversation between the investor and the company moved forward from that point.
We have replied to your ticket asking for responsible disclosure of your findings and details of your OS. Thank you.
— coinomi (@CoinomiWallet) February 23, 2019
Bad Period For Crypto
The loss of a user’s life savings on Coinomi as a result of an alleged vulnerability comes merely a month after the $150 million QuadrigaCX scandal.
In January, Canada’s biggest cryptocurrency exchange QuadrigaCX claimed that it lost $150 million in crypto as its CEO Gerald Cotten passed away with sole access to the company’s cold wallets.
The incident deteriorated the public image of the cryptocurrency sector, which has been on a decline since the emergence of high-profile hacking attacks such as Coincheck’s $500 million security breach in 2018.
Some companies in the crypto sector in the likes of Coinbase, Gemini, and Gopax have prioritized security and user fund protection since their inception.
However, industry experts generally believe that many cryptocurrency exchanges, wallets, and platforms still have inferior security measures in place.