|
TryNinja
Legendary
Offline
Activity: 2940
Merit: 7375
|
|
September 28, 2017, 06:09:32 PM |
|
They handled the situation very badly by ignoring the issue for days and acting like a child on Twitter, but the good news is that they plan to fix those issues (in case you still want to use Coinomi):
"Hey all,
We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.
Keep an eye on the ElectrumX repo for a pull request.
Sorry that it took so long to fix."
Source: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332519079
|
|
|
|
xIIImaL
Legendary
Offline
Activity: 1372
Merit: 1005
|
|
September 28, 2017, 06:25:06 PM |
|
They handled the situation very badly by ignoring the issue for days and acting like a child on Twitter, but the good news is that they plan to fix those issues (in case you still want to use Coinomi):
"Hey all,
We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.
Keep an eye on the ElectrumX repo for a pull request.
Sorry that it took so long to fix."
Source: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332519079
Guys, are you sure about the issue? I have a friend who has been using this wallet for some time. I feel fear about this now. Let me make this thread's information clear to him now. If the issues have been fixed then we can use it, else it would not be good, like bit.ac
|
|
|
|
Fidemoga
|
|
September 28, 2017, 08:11:35 PM |
|
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
|
|
|
|
TryNinja
Legendary
Offline
Activity: 2940
Merit: 7375
|
|
September 28, 2017, 08:42:30 PM |
|
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
Read the issue posted on GitHub. "Connecting to these servers shows they are unencrypted without SSL... Does this mean your Android app is making all Electrum requests in plain text?" "[...] So basically opening the Coinomi app is broadcasting all of my Bitcoin addresses in plain text over the network."
And from this reddit post[1]: "This has privacy issues, meaning I can view all of your addresses and see how many coins you have, which addresses you're sending them to and which addresses you received them from.
It could also potentially open you up to a replay attack. e.g I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."
[1] https://www.reddit.com/r/Bitcoin/comments/72lmql/security_warning_coinomi_wallet_transmits_all/
|
|
|
|
Patatas
Legendary
Offline
Activity: 1750
Merit: 1115
|
|
September 28, 2017, 08:54:45 PM |
|
Thanks for sharing it around. I went through the issue raised on their GH page and it seems quite relevant. Even their official contributor isn't sure if they are using an SSL. However, I don't think that issue is likely to broadcast your private keys over the network. From the first couple of comments only the public addresses are being broadcasted. Let's see how this turns out.
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
You have to read the issue from the day it was raised, don't just read the comments. Also check the issues that were referenced in that thread.
|
|
|
|
sylance
|
|
September 28, 2017, 10:52:05 PM |
|
Thank you for the heads up... and really thank you for posting in a rational manner. You posted a link, summarized it, and let us decide whether or not we should take action. Refreshing change of pace from the FUD posts we get, "ZOMG! Wallet hacked!!!1 All your BTC scammed!11!!"
|
|
|
|
Kemarit
Legendary
Offline
Activity: 3192
Merit: 1382
|
|
September 28, 2017, 11:34:13 PM |
|
Hey thanks for the heads up. I'm thinking of using Coinomi but this issue should be fixed first. I'll just stick with Electrum for the meantime. This guy has a valid point and calling him FUD'ster and shill is inappropriate. He is helping the community not the other way around.
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
For the sake of those members who have reading problems.
1. The guy monitored all network traffic while opening the Coinomi app on his phone.
2. He did a search on the captured packets.
3. It ended matching a packet, which when decoded.
4. Is an Electrum communication happening in plain text.
5. Following the full TCP stream from start to finish shows the following decoded messages being sent in plain text
6. Basically opening the Coinomi app is broadcasting all Bitcoin addresses in plain text over the network.
7. Meaning none of which are using SSL.
So definitely there are vulnerabilities in their wallet and should be fixed ASAP.
|
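The check summarised in the steps above, as an added example that is not part of any post in this thread or of the GitHub issue: given the client-to-server bytes of one captured TCP stream from your own device, it reports whether the stream is TLS or newline-delimited Electrum JSON-RPC in plain text, and which addresses are readable on the wire. The address-based method names are assumed from the 2017-era Electrum protocol, and both sample streams are constructed.

```python
import json

# Address-based Electrum methods whose first parameter is a wallet address
# (assumption: the pre-scripthash method names of the 2017-era protocol).
ADDRESS_METHODS = {
    "blockchain.address.subscribe", "blockchain.address.get_history",
    "blockchain.address.get_balance", "blockchain.address.listunspent",
}

# Constructed samples: client-to-server bytes of two TCP streams.
PLAINTEXT_STREAM = (
    b'{"id": 0, "method": "server.version", "params": ["example-client", "1.0"]}\n'
    b'{"id": 1, "method": "blockchain.address.subscribe", "params": ["1ExampleAddressAAAA"]}\n'
    b'{"id": 2, "method": "blockchain.address.get_history", "params": ["1ExampleAddressBBBB"]}\n'
    b'{"id": 3, "method": "blockchain.addr'  # capture cut off mid-message
)
TLS_STREAM = bytes([0x16, 0x03, 0x01, 0x00, 0x2E, 0x01]) + b"\x00" * 8


def looks_like_tls(payload: bytes) -> bool:
    """True if the stream opens with a TLS handshake record (type 0x16, version 3.x)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def audit_stream(payload: bytes) -> dict:
    """Classify one stream and list the methods and addresses readable on the wire."""
    report = {"transport": "unknown", "methods": [], "addresses": []}
    if looks_like_tls(payload):
        report["transport"] = "tls"
        return report
    for line in payload.split(b"\n"):
        try:
            msg = json.loads(line)
        except ValueError:  # blank, truncated or non-JSON line
            continue
        if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
            continue
        report["methods"].append(msg["method"])
        params = msg.get("params")
        if (msg["method"] in ADDRESS_METHODS and isinstance(params, list)
                and params and isinstance(params[0], str)):
            report["addresses"].append(params[0])
    if report["methods"]:
        report["transport"] = "plaintext-electrum"
    return report


if __name__ == "__main__":
    for name, data in (("plaintext", PLAINTEXT_STREAM), ("tls", TLS_STREAM)):
        print(name, audit_stream(data))
```

A "tls" result only says the stream is encrypted; it does not show that the client validates the server certificate.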
|
|
|
Reatim
Sr. Member
Offline
Activity: 2940
Merit: 367
|
|
September 28, 2017, 11:40:35 PM |
|
Ouch, I just installed Coinomi a few days ago and using it now. Thank you for notifying the community. Will move my coins now to a more secured wallet. I hope they treat this as priority otherwise it will ruin their reputation and the way they handled that guy is very unprofessional.
As per Twitter: "We have hundreds of thousands of users reaching out to us, we are unable to respond to every single request right away, esp complex issues"
But at least give it a priority otherwise they will lose potential customers.
|
|
|
|
|
|
|
jtipt
|
|
September 29, 2017, 03:27:33 AM |
|
Ouch, I just installed Coinomi a few days ago and using it now.
Yeah same here. It seemed like the best mobile wallet to store altcoins. Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
|
|
|
|
pinkflower
|
|
September 29, 2017, 03:50:37 AM |
|
This does not look good. This is the mobile wallet I use and this is what I recommend that everyone use. I know that there will always be vulnerabilities in any software but it's the handling of the situation that had me peeved. I hope they fix it and behave more professionally next time.
|
|
|
|
OmegaStarScream (OP)
Staff
Legendary
Offline
Activity: 3584
Merit: 6314
|
|
September 29, 2017, 05:08:35 PM |
|
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
You have Exodus which supports multiple coins as well but they only work on Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so it's up to you.
|
|
|
|
maeusi
|
|
September 29, 2017, 08:03:34 PM |
|
If we want to stay mobile, the best would then be to generate mind or paper wallets. We could maybe use Coinomi only for transfers. Would that be a solution?
|
|
|
|
hahay
Legendary
Offline
Activity: 3570
Merit: 1056
|
|
September 29, 2017, 09:36:30 PM |
|
Thank you for this information, in fact I have never used a coinomi wallet, this information will be very helpful for those who use the coinomi wallet. I hope this problem can be resolved quickly so as not to harm the person who has trusted and used the coinomi wallet. Watch Out!
|
|
|
|
peter0425
Sr. Member
Offline
Activity: 2758
Merit: 456
|
|
September 30, 2017, 03:55:30 AM |
|
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
I would rather wait for the vulnerability to get fixed by Coinomi instead of going to Jaxx which has a history of hacks. Of course there is the ever reliable Electrum however, it only supports bitcoin though.
Thank you for this information, in fact I have never used a coinomi wallet, this information will be very helpful for those who use the coinomi wallet. I hope this problem can be resolved quickly so as not to harm the person who has trusted and used the coinomi wallet. Watch Out!
Yes, I have a Coinomi wallet and I'm pretty disappointed with the way they handle the issues. Although I only hold small amounts of altcoins in my wallet, this is still a scary one, seeing your address transmitted in plain text across the network.
|
|
|
|
jtipt
|
|
September 30, 2017, 04:02:51 AM |
|
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.
|
|
|
|
Maum
|
|
September 30, 2017, 05:47:07 AM |
|
What is so bad on the way, addresses are shown? As long as they don't publish the keys ....
|
|
|
|
Patatas
Legendary
Offline
Activity: 1750
Merit: 1115
|
|
September 30, 2017, 06:04:03 AM |
|
You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
I would not recommend a Desktop wallet built on Electron to anyone. If you know how Electron works, their source code is installed on the desktop since it doesn't make any native apps and only runs an instance of a Chrome browser on a Windows PC. Code security is none, I don't even know how people trust such apps with their private keys.
Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.
Don't. Exodus is equally prone to all those vulnerable hacks and certainly doesn't belong in the category of 'Safe Wallets'.
|
|
|
|
jhenfelipe
|
|
September 30, 2017, 03:45:22 PM Last edit: October 01, 2017, 12:02:38 PM by jhenfelipe |
|
Oh I missed this news. Fortunately, the one on reddit is still there because the page on GitHub has been taken down already. I've been using the Coinomi wallet for months now, tbh I used it yesterday for a few transactions. I visited their Twitter page and saw that they will be giving their official statement about the issue in a few days [LINK]. I'll wait for that statement first, I hope we could see it soon. Bad move of blocking that person though.
|
|
|
|
TryNinja
Legendary
Offline
Activity: 2940
Merit: 7375
|
|
September 30, 2017, 03:59:52 PM |
|
Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.
Don't.Exodus is equally prone to all those vulnerable hacks and certainly doesn't belong in the category of 'Safe Wallets'.
Why? AFAIK Jaxx's only major issue was the possibility of extraction of the seed that was stored decrypted. But keep in mind that even if that's a major issue, this can only be explored if someone got access to your phone and can break through your lock screen. While Coinomi will transmit all your Bitcoin addresses - not private keys or any critical information that may expose your coins to hackers - without any SSL. While Exodus is still kinda safe. Any wallet may be "unsafe" if you're not careful with your OS. Even while using Electrum, you may lose your coins if you have malware on your computer.
|
|
|
|
|