Hallo zusammen,
bin gerade über den reddit Artikel gestolpert, in welchem ein User behauptet er habe aufgrund einer kritischen Lücke in der Wallet seine Funds verloren.
Was dran ist, weiss ich nicht und will auch keine Panik auslösen, aber man muss solche Vorfälle immer wieder zum Analss nehmen auf die Gefahren von solchen Diensten hinzuweisen.
Das Problem hier konkret ist, dass das Passwort bzw. seeds zwecks Rechschreibprüfung im Klartext an google gesendet wurde. Losgelöst von der Schuldzuweisung, ist das Ergebnis, dass die Funds unwiderruflich verloren sind, sofern die geschichte wahr ist.
To understand how catastrophic the security issue is, they simply take your crypto-currency wallet’s passphrases/seeds and spell check it by sending it remotely to Google servers in clear plain text!
Technical Analysis
I started going back in time and arranging the events. The only new thing that I did was installing and running Coinomi wallet so my first conclusion was that the unsigned version of the application had a backdoor.
I did further investigation and compared both the unsigned version of the setup file and the signed version. The only difference was they added digital signature to the main executable file and the Java file (the main application).
At that stage I thought that there is probably something suspicious about the application apart from having their main executable unsigned, so I started replicating what I did in a new virtual machine but this time I installed “Fiddler”. A software that allows you to monitor and debug HTTP/HTTPS traffic of all applications running on your machine.
I started monitoring the traffic by running Fiddler in the background and then started Coinomi wallet. The first thing I noticed is that Coinomi application starts downloading dictionary wordlist from the following web address:
https://redirector.gvt1.com/edgedl/chrome/dict/en-us-8-0.bdicThen I clicked on restore wallet and pasted a random passphrase and suddenly the screen screamed SURPRISE MOTHER****** (boom puzzle solved!)
The WHOLE passphrase in plain-text is sent to googleapis.com a domain name owned by Google! It was sending it as a spelling check function! Here is sample of the screenshot of the HTTP request:
https://avoid-coinomi.com/files/coinomi_screenshot_1.pngTo verify my findings I have uploaded a video for anyone who wants to test and replicate what I did:
https://avoid-coinomi.com/files/coinomi_http_traffic_video.mp4
