Coinomi: Vulnerability discovered

[Yaunfitda]

Hello guys,

Looks like someone has found a security flaw on coinomi wallet. So please be careful using it. The person who found it says that it is using non-SSL to broadcast transaction which can be decoded and seen in plain text:

https://www.reddit.com/r/Bitcoin/comments/72lmql/security_warning_coinomi_wallet_transmits_all/

[1714093090]

1714093090

[1714093090]

1714093090

[1714093090]

1714093090

[aplistir]

Thanks for the info.

Luckily this wont endanger your private keys, but it does leak all addresses you have in your wallet.

[HCP]

And potentially other information... remember, no SSL means all your communication to the server is in plaintext... anyone along the network path can inspect the data packets and capture the data.

Coinomi haven't exactly done themselves any favours with the way the whole situation has been handled either

[Kemarit]

There is also another thread discussing about the said vulnerability:

https://bitcointalk.org/index.php?topic=2215088.0

And I put as much detailed as I can regarding it. Even some members just installed it.

And potentially other information... remember, no SSL means all your communication to the server is in plaintext... anyone along the network path can inspect the data packets and capture the data.

Coinomi haven't exactly done themselves any favours with the way the whole situation has been handled either

Yes, we don't want our bitcoin address exposed, and just what I have said, we need this to be fix ASAP. Others might take advantage of this situation. I don't like either how they handled this situation. Let see how things develop.

[jossiel]

Thanks for the ups I'm not updated with these things though I'm not using them I'm also worried about those people who are using coinomi including my friends.

Reading those comments on reddit, I just noticed why coinomi needs to block the person that decodes and saw this vulnerability.

Why they don't want to disclose this thing to their users? they don't want to disappear thousands of their users.

I don't like either how they handled this situation.

Probably they don't want to be embarrassed. 

[Yaunfitda]

It is still unresolved as of today. I'm haven't seen any tweets from them. So its either they totally ignored the issues found or they are fixing it but haven't released it yet because they are testing it. I'm still reluctant to use it until the issue is not solved. Although no reported hacks, there is a possibility that it can happen because its broadcasting in plain text, meaning not secured.

[pooya87]

~ using non-SSL to broadcast transaction which can be decoded and seen in plain text:~

there is absolutely nothing wrong with broadcasting transactions without encryption. in fact i believe no wallet uses any sort of encryption for broadcasting transactions.

this is about everything else that is being communicated, as others said. such as your bitcoin addresses and the block headers you receive from the electrum servers coinomi connects to.

[Coinomi]

We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

[jakagintiri]

would it be safe? because I do not know.
I am also a user of the coinomi app