Bitcoin Forum
Topic: [Warning] About Coinomi
LTU_btc
September 30, 2017, 10:49:26 PM
 #21

Oh, that's very unprofessional PR. But as I understand it, this is only a privacy issue and our coins are safe, because only bitcoin addresses, not private keys, are broadcast over the network. But it must be fixed.
Coinomi was my favourite wallet for Android, because they support many coins, not like Jaxx or Exodus. I hope this privacy issue will be fixed, because I don't see any good alternatives for Coinomi.

pinkflower
October 01, 2017, 02:50:46 AM
 #22

Quote
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

Quote
You have Exodus, which supports multiple coins as well, but they only work on desktop for the moment, and there is Jaxx, which you probably heard of before, but they also faced a hack in the past (I believe private keys are stored in their servers), but they support phones, so it's up to you.

No, they are putting the Jaxx hack out of context. It could be the person who reported it transferred his own funds to another wallet and claimed he was hacked. In fact the report was questionable because it was made right after the discovery that your Jaxx seeds could be extracted in plain text.

The private keys are not stored in their servers. Please read up on it before you post. It's easy.
cpfreeplz
October 01, 2017, 03:02:43 AM
 #23

Quote
"This has privacy issues, meaning I can view all of your addresses and see how many coins you have, which addresses you're sending them to and which addresses you received them from.

It could also potentially open you up to a replay attack. e.g. I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."

Woah that just blew my mind. I had no idea man-in-the-middle attacks could even happen with bitcoin transactions! Holy crap this is like getting DDOSed right at the wrong moment to screw you over and steal your bitcoins.
HippiePyro
October 01, 2017, 03:05:31 AM
 #24

Well, this is not good news. I hope they get it fixed. Coinomi is where my first wallets are from, still have them too.
maydna
October 01, 2017, 09:17:16 AM
 #25

I hope the dev will fix the problem so we can still use the wallet. It's too bad to hear this news because I save the coins in Coinomi, and thank you for giving this info. I am thinking of moving my coins into another wallet if there is not any update from the dev. But I realize there is no guarantee that any wallet will be 100% secure.

Coinomi
October 05, 2017, 09:32:50 PM
 #26

We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.
sylance
October 05, 2017, 11:26:35 PM
 #27

Quote from: Coinomi
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I don't know if this is an official response, but if it is... great that you've updated to SSL. However, this has moved way beyond the SSL issue and is more about the response to the potential security issue. You probably should huddle up as a leadership team and figure out how to recover from the disaster your social team created.

Coinomi
October 07, 2017, 04:42:46 PM
 #28

We are going to make an official announcement as to what really happened here once our investigation is through, thank you.
Kemarit
October 07, 2017, 04:51:14 PM
 #29

Quote from: Coinomi
We are going to make an official announcement as to what really happened here once our investigation is through, thank you.

OK, fair enough. You should make it official so that all these questions about the vulnerability of your wallet could be addressed. It's been, what, more than 2 weeks now since the report was made and we haven't seen any reply from you guys. You can't just go here and post:

Quote from: Coinomi
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I like Coinomi. But don't let this issue ruin your reputation. At least an official statement will be enough for your users and potential users. So the feeling of doubt about your services can be cleared.
peter0425
October 07, 2017, 04:58:24 PM
Last edit: October 09, 2017, 11:54:42 AM by peter0425
 #30

Quote from: Kemarit
Quote from: Coinomi
We are going to make an official announcement as to what really happened here once our investigation is through, thank you.

OK, fair enough. You should make it official so that all these questions about the vulnerability of your wallet could be addressed. It's been, what, more than 2 weeks now since the report was made and we haven't seen any reply from you guys. You can't just go here and post:

Quote from: Coinomi
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I like Coinomi. But don't let this issue ruin your reputation. At least an official statement will be enough for your users and potential users. So the feeling of doubt about your services can be cleared.

Agreed. Until the issue is fixed and this has been confirmed by other users, I will still not be getting your wallet. A lot has been discussed about the issue, not only here but in the Twitter sphere and on Reddit. An official statement coming from you guys will calm all fears about your wallet. And please also inform the individual who found the vulnerability and let him do another test run so that there's no doubt that the issue is already fixed.

Zocadas
October 07, 2017, 08:54:54 PM
 #31

As I understand it, the issue is fixed now, isn't it? Or should we move our coins away from old addresses?
TryNinja
October 08, 2017, 04:50:41 PM
 #32

Quote from: Zocadas
As I understand it, the issue is fixed now, isn't it? Or should we move our coins away from old addresses?

I don't think so. Doesn't look like Coinomi thinks this is a security issue - just like what happened with Jaxx a few months ago. They even changed the title of the issue from "Security Vulnerability: Coinomi transmits all data in plain text" to "Coinomi transmits all data in plain text".

Quote
We never lied, there isn't any security implication associated with your findings. And we haven't ignored you so please stop making this personal. Unless you have something constructive to add to this, this thread will be locked.

If you feel uncomfortable with the way Coinomi inquires the blockchains you may as well use a VPN service (there are several good solutions for Android) until SSL is included in a feature release.

TraderInc
December 14, 2017, 02:56:11 PM
 #33

Was this ever resolved?

Just heard about Coinomi and was wanting to try it out.
bribed
December 14, 2017, 03:05:34 PM
 #34

Oh, good that you made us aware, thanks for that. I was about to set up a wallet, but won't go this route now. Also I don't like this unprofessional behavior, they should be rather thankful to this developer because he made them aware of a security risk. I don't understand some people.
jtipt
December 28, 2017, 03:27:36 AM
 #35

Quote from: TraderInc
Was this ever resolved?

Yes, I would also like to know if there have been any recent developments on this situation.
TryNinja
December 28, 2017, 04:21:29 AM
 #36

Quote from: jtipt
Yes, I would also like to know if there have been any recent developments on this situation.

Looks like they fixed it. However, they never admitted that this was an issue, so there was no official statement.

Quote from: /u/udyslexiccoder
Coinomi pushed an update to the Google Play Store on 4th October (v1.7.7) which appears to now be using SSL.
https://www.reddit.com/r/litecoin/comments/74ay4r/can_anyone_confirm_this_re_the_coinomi_ssl_issue/do0g5tf/

That's all Coinomi has said about the issue:
Quote from: /u/Coinomi
As we previously stated, we put Coinomi to the test and found that connections to the back-end servers are secured with SSL. There isn't any address leakage anywhere in our app. Thanks.
https://www.reddit.com/r/litecoin/comments/74ay4r/can_anyone_confirm_this_re_the_coinomi_ssl_issue/dnyre14/

Connemara
February 02, 2018, 11:18:52 AM
 #37

Sooooo, as of February 2nd, what's the security status of Coinomi?
Can someone with better technical knowledge add something to this topic?
Dopert
February 08, 2018, 10:47:48 PM
 #38

The Coinomi Phrase (the wallet private key) holds all your private keys from your used coins in the Coinomi wallet.

Normally a phrase or private key is stored in the blockchain of the coin in question. As far as I know, Coinomi does not have its own blockchain, so are the Coinomi phrases stored on their server?

Can anybody fill me in?
gamerfan
February 09, 2018, 09:12:40 PM
 #39

Quote from: Dopert
The Coinomi Phrase (the wallet private key) holds all your private keys from your used coins in the Coinomi wallet.

Normally a phrase or private key is stored in the blockchain of the coin in question. As far as I know, Coinomi does not have its own blockchain, so are the Coinomi phrases stored on their server?

Can anybody fill me in?

Coinomi is a light-weight wallet, so it doesn't need to download the whole blockchain.
Your private key is not stored on their server. Your private keys never leave your device actually.

TryNinja
February 09, 2018, 10:11:29 PM
 #40

Quote from: Dopert
are the Coinomi phrases stored on their server?

No. Your private keys are generated based on your seed - which only you have. Nothing is ever sent to a server.

Quote
A deterministic wallet is a system of deriving keys from a single starting point known as a seed. The seed allows a user to easily back up and restore a wallet without needing any other information and can in some cases allow the creation of public addresses without the knowledge of the private key.
More: Coinomi is a Hierarchical Deterministic (HD) wallet. What exactly does that mean?

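Added example, not part of the thread and not Coinomi's code: the deterministic derivation described in reply #40, showing that every private key is recomputed on the device from the seed alone using hashing and modular arithmetic, with no server lookup. It assumes BIP32-style hardened derivation; the function names and the sample seed are chosen for illustration.

```python
import hashlib
import hmac

# Order of the secp256k1 group used for Bitcoin private keys.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def master_key(seed: bytes):
    """Return (private_key, chain_code) for the root node m of the key tree."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < N:
        raise ValueError("seed yields an invalid master key; use another seed")
    return key, chain


def hardened_child(parent_key: bytes, parent_chain: bytes, index: int):
    """Derive hardened child number `index` (written index') of a parent node."""
    data = b"\x00" + parent_key + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(parent_chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + int.from_bytes(parent_key, "big")) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child at this index; use the next index")
    return child.to_bytes(32, "big"), digest[32:]


def derive_path(seed: bytes, indexes):
    """Walk a fully hardened path such as m/44'/0'/0' and return the leaf node."""
    key, chain = master_key(seed)
    for index in indexes:
        key, chain = hardened_child(key, chain, index)
    return key, chain


# Publicly known sample seed, embedded so the example runs offline.
# Never use it (or any published seed) to hold funds.
SAMPLE_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    for path in ([], [0], [44, 0, 0]):
        key, _ = derive_path(SAMPLE_SEED, path)
        label = "m" + "".join(f"/{i}'" for i in path)
        print(f"{label:<12} {key.hex()}")
```

Restoring a wallet from its backup phrase is this same computation run again, which is why the seed has to be protected as carefully as the keys themselves.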