Yeah, that one cool-looking bitcoin wallet being advertised here on bitcointalk? Yeah,
their web wallet sends your mnemonic phrase to their servers, as claimed by Daniel Staudigel.
Not only do they send the mnemonic to the server, they store the mnemonic (or a hash of it, but I’m guessing not) on their servers. This is either stratospherically irresponsible or Lumi is a scam wallet aiming to steal everyone’s funds at some point in the future. I haven’t been able to look into how their mobile wallets work, as I don’t have the time to do it the right way (root a phone, blah blah blah) — though I did verify they are at least using strong SSL to send your money to their servers, so at least the guy sitting next to you in Starbucks can’t steal your money… but that’s a small consolation when you’ve just sent your crown jewels to be stored by some faceless web service with zero transparency (though they have lots of blog posts with nebulous claims of security!)
It’s only a matter of time before the CEO, a rogue employee, or a hacker sweeps through the database and collects every penny of every Lumi wallet user.
Link to medium post:
https://medium.com/@dandisagrees/a0cf1dd70fd0
Lumi wallet official account here :)
Yes, our web wallet was not client-side at the time of this so-called "research".
We did store our users' private keys on our servers, but we did store them strongly encrypted, so the mnemonic was (and is) actually hashed before being stored.
Anyway, we decided that the customer always has the final say, and created a client-side web version. Our new client-side beta is available at
https://lumiwallet.com/about-web-new?utm_medium=bitcointalk
Good to know that you do listen to suggestions. I really prefer using a wallet when it's client-side rather than trusting one where the keys are stored on servers. Even if it's encrypted, you can't really remove the doubts.
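The dispute in this thread comes down to one observable fact: does the seed phrase leave the browser or not? TLS does not answer that question (as the first post notes, it only stops the person on the same Wi-Fi), and a vendor statement about hashing or encryption on the server cannot be checked from the outside. What can be checked is the page's own outbound traffic. The following is an added example, not code from Lumi, from the Medium article, or from any poster here: it hooks fetch() and XMLHttpRequest on the page and reports any request whose URL or body carries a throwaway test mnemonic, whether sent as plain text, URL-encoded form data, or a JSON array of words. The wallet.example URLs, the `installLeakDetector` name and the demo traffic are all constructed for illustration; the sample phrase is a well-known BIP39 test vector and must never hold funds.

```javascript
// Added example: detect a web wallet shipping the seed phrase off-device.
// Hooks target.fetch and target.XMLHttpRequest and reports any outbound URL
// or body that carries the test mnemonic. Names are illustrative, not any
// real wallet's API.

function normalize(s) {
  return String(s).toLowerCase().replace(/\s+/g, ' ').trim();
}

function decodeURIComponentSafe(s) {
  try { return decodeURIComponent(String(s)); } catch (_) { return String(s); }
}

// Flatten the body shapes fetch()/XHR accept into one searchable string.
function bodyToString(body) {
  if (body == null) return '';
  if (typeof body === 'string') return body;
  if (typeof URLSearchParams !== 'undefined' && body instanceof URLSearchParams) return body.toString();
  if (typeof FormData !== 'undefined' && body instanceof FormData) {
    return Array.from(body.entries()).map(([k, v]) => `${k}=${v}`).join('&');
  }
  try { return JSON.stringify(body); } catch (_) { return String(body); }
}

// True if every mnemonic word appears as a whole word, in order, in text.
// Tolerates JSON quoting, URL encoding and re-spacing. It cannot see a phrase
// the page encrypts or obfuscates before sending, so a miss is not proof.
function containsMnemonic(text, mnemonic) {
  const words = normalize(mnemonic).split(' ').filter(Boolean);
  if (words.length === 0) return false;
  const pattern = words
    .map(w => `\\b${w.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\b`)
    .join('[\\s\\S]*?');
  return new RegExp(pattern).test(normalize(decodeURIComponentSafe(text)));
}

// Wrap fetch and XMLHttpRequest on `target` (window in a browser).
// Returns a function that restores the originals.
function installLeakDetector(target, mnemonic, report) {
  const origFetch = target.fetch;
  if (typeof origFetch === 'function') {
    target.fetch = function (input, init) {
      const url = typeof input === 'string' ? input : (input && input.url) || '';
      const body = bodyToString(init && init.body);
      if (containsMnemonic(url, mnemonic) || containsMnemonic(body, mnemonic)) {
        report({ api: 'fetch', url, sample: body.slice(0, 80) });
      }
      return origFetch.apply(this, arguments);
    };
  }
  const XHR = target.XMLHttpRequest;
  const origOpen = XHR && XHR.prototype.open;
  const origSend = XHR && XHR.prototype.send;
  if (XHR) {
    XHR.prototype.open = function (method, url) {
      this.__leakUrl = String(url); // remembered for the send() check
      return origOpen.apply(this, arguments);
    };
    XHR.prototype.send = function (body) {
      const text = bodyToString(body);
      if (containsMnemonic(this.__leakUrl || '', mnemonic) || containsMnemonic(text, mnemonic)) {
        report({ api: 'xhr', url: this.__leakUrl, sample: text.slice(0, 80) });
      }
      return origSend.apply(this, arguments);
    };
  }
  return function restore() {
    if (typeof origFetch === 'function') target.fetch = origFetch;
    if (XHR) { XHR.prototype.open = origOpen; XHR.prototype.send = origSend; }
  };
}

// Constructed demo traffic (not captured from any real wallet), run against an
// offline fetch stub so this file also executes in Node without a network.
// BIP39 test-vector phrase: for testing only, never fund it.
const TEST_MNEMONIC = 'legal winner thank year wave sausage worth useful legal winner thank yellow';

function demo() {
  const win = { fetch: async () => ({ ok: true, status: 200 }) };
  const leaks = [];
  const restore = installLeakDetector(win, TEST_MNEMONIC, e => leaks.push(e));
  // Server-side custody: the phrase itself leaves the browser.
  win.fetch('https://wallet.example/api/restore', { method: 'POST', body: JSON.stringify({ mnemonic: TEST_MNEMONIC }) });
  // Same thing, split into a JSON word list.
  win.fetch('https://wallet.example/api/restore', { method: 'POST', body: JSON.stringify({ words: TEST_MNEMONIC.split(' ') }) });
  // Client-side custody: only a public address goes to the server.
  win.fetch('https://wallet.example/api/balance?address=bc1qexampleaddress');
  restore();
  return leaks; // two reports, both for /api/restore
}

if (typeof window === 'undefined') console.log(demo());
```

In a browser, paste the functions into the devtools console on the wallet page, run `installLeakDetector(window, '<your throwaway phrase>', console.warn)`, then import or create a wallet with that phrase and watch for reports. The hook only covers fetch and XHR issued by page JavaScript; WebSockets, `navigator.sendBeacon`, service workers, and payloads encrypted client-side before transmission all slip past it, so use it alongside the browser's network panel or an intercepting proxy, and treat silence as "nothing obvious", not as proof of client-side custody. It also says nothing about what a server does with a phrase once received, which is the part of this thread no outsider can verify.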
Just today I read about Lumi Wallet on Cointelegraph. Seems like a user-friendly wallet. I was going to try their new collectibles wallet for ERC-721 tokens, but after reading this, I'll need to research more before using it.
Research plus feedback is all you need.