WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings

[Pursuer]

That said, I am curious how OP's funds got stolen exactly. Seems unlikely that it was someone at Google's end.

regardless of how OP lost funds or whether he is telling the truth or Coinomi, in the end this has been a very irresponsible design on their side! they are sending the most secretive information of your wallet (which is your seed that is used to generate ALL your private keys) out to a third party server! there is absolutely no reason for a wallet to even have such options in it.
"spell check" should be done locally and versus the fixed 2048 words that the seed is chosen from.

[1715316497]

1715316497

[1715316497]

1715316497

[1715316497]

1715316497

[1715316497]

1715316497

[kumar jabodah]

Coinomi should quickly take action on this issue. This is a huge damage to their company and it may be a result of their customers moving to a more trusted wallet.

I understand your explanation and I'm sad that it happened to you.

[0t3p0t]

Thanks for the warning and awareness bro, and I feel sorry for your life savings that have been lost because of that wallet provider. I already quit using that Coinomi wallet a long time ago because of their bad customer support that I experienced. Losing life savings that you worked hard for it whatever price it is, is no joke I do hope that you will recover from your losses and get more blessing in the future.

As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that a 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!

This looks really alarming Coinomi should take this kind of vulnerability seriously because the funds of their customers will be in great danger just like what happened to you.

I am a coinomi user ever since but had never experienced something like that though I only have smaller amount of funds compared to OP's compromised value of funds. This issue should be explained and solved immediately by coinomi for their user's safety. This is really alarming as all of our funds might be compromised in just a single passphrase as it supports a lot of coins and tokens but I stored my Bitcoins in Mycelium wallet only Altcoins are placed on my Coinomi wallet.

[bdbabiak77]

I thought the Bitcoinist article about you said they gave you funds eventually and a 'bug-finding' bounty. Is that not true?

[anks]

everyone donate 1 dollar to get his funds back  
65000 people

[peonminer]

I saw that on reddit and didn't talk about it anywhere because as of now, it's just one guy making a claim.
I'm not saying it's false but I'd wait for more information about the whole thing.

Actually OP posted about more than one person having this happen to them and posting about it on reddit

Apparently I'm not the only one who got wiped out check these reddit posts:
https://www.reddit.com/r/COINOMI/comments/av8rp0/was_i_hacked_im_not_sure_what_i_did_wrong_help/
https://www.reddit.com/r/COINOMI/comments/av01oz/coinnomi_hacked/
https://www.reddit.com/r/CryptoCurrency/comments/9cja43/half_my_coins_are_missing_from_verge_electrum/

This proves my analysis but yet the company denies the responsibility.


What I did was I used one of my main wallets passphrase/seed (recovery seed) in Coinomi's wallet and that was my awful mistake! If it was the password that protect the private key (wallet.dat) then the attacker/criminal would not be able to do anything because he must obtain the private key in order to use the password and steal the wallet.

[Baofeng]

This issue is out of the open already:

https://cryptoslate.com/security-consultant-reveals-coinomi-wallet-vulnerability-60000-in-crypto-allegedly-hacked/

Anyways, I have nothing against the OP, so maybe he can shed light to this:

Moreover, Coinomi claims that Maawali would not co-operate unless he was compensated:

“[He] refused to disclose his findings and kept [sic] threatened to take (the matter) public” unless payment of 17 BTC was made to compensate him for the allegedly stolen funds.

[Pon13]

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users fault that you hadn't configure SSL on your systems by default and it was the users fault that you had enabled spell checkin plug in where you restore your seed phrase resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh?? 

[nutildah]

It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

I can see why the guy would be upset and its pretty unprofessional that they would just say, "oh, he's a blackmailer so we're just not dealing with him any more." Sounds like things will indeed get ugly and it will be interesting to see if a Google employee indeed had something to do with this.

[wwzsocki]

I am really sorry for your loss OP and hope you will be able to get your funds back.

Still, don't understand why OP used this same password/seed words for two different wallets?

From what I know rule number one is to use different passwords/seed words always.

If Coinomi wallet seed words would be different then OP exodus wallet would never be hacked. Am I right?

How they managed to find that these seed words are from Exodus wallet? Do they check all wallets out there? Strange.

[Kemarit]

It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

I can see why the guy would be upset and its pretty unprofessional that they would just say, "oh, he's a blackmailer so we're just not dealing with him any more." Sounds like things will indeed get ugly and it will be interesting to see if a Google employee indeed had something to do with this.

Exactly, the way Coinomi treated their customer is not what we expected them to do. Of course how can the guy cooperate with them when he just lost all of his savings from their incompetency. And now their turning tables and blaming the person for being non-cooperated and now they wanted him to be the bad actor here? Not professional @Coinomi.

[DaveF]

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users fault that you hadn't configure SSL on your systems by default and it was the users fault that you had enabled spell checkin plug in where you restore your seed phrase resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh?? 

According to Coinomi and other testing (including a quick and dirty wireshark test by me) it was / is a SSL transmission to Google

-Dave

[jseverson]

It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

That would be because giving away money when you don't actually have to is bad business. It's possible that they would have compensated him if things didn't get this ugly, but there's absolutely no way they would give him anywhere near the amount he lost. They would spend a lot less money by simply letting it out on the open and then doing damage control than by fully reimbursing him.

It sucks but this is our current reality. Being your own bank is incredible but it has drawbacks. The only real safe way to store your coins is offline.

[buwaytress]

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

You might have seen LoyceV's quote from your official statement. It pretty much sums up how most of us would feel about this. I'm not even concerned about whose fault it is (without fully understanding the evidence) but it concerns me every time someone in this space responds the way you guys did.

You really think as wallet users, we'll say ah, this was "not a bug but a bad config option"?

[Pon13]

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users fault that you hadn't configure SSL on your systems by default and it was the users fault that you had enabled spell checkin plug in where you restore your seed phrase resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh??  

According to Coinomi and other testing (including a quick and dirty wireshark test by me) it was / is a SSL transmission to Google

-Dave

Hi Dave,

My SSL comment is about 2017 incident on their mobile client. They hadn't enable SSL connection resulting in a clear text communication between the client app and the servers. They only thing they had to do back then is to just turn it on in their configuration. Another's user fault eh?

You can do your own research of what i'm talking about.
https://cryptoble.win/2017/09/30/vulnerability-coinomi-devs-retaliate/

On 16 September 2017, Luke Childs had went to Coinomi’s Github to alert them of an issue where Coinomi was connecting to ElectrumX servers in plain text (i.e. without SSL encryption).

Funny fact? their reaction is pretty much similar with today's reaction.
They attacked Luke Childs instead of thanking him and they stated that he spreads FUD while they enabled SSL connection on their mobile app.
Now, where is the suicide emoticon when you need it. 

[vapourminer]

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

You really think as wallet users, we'll say ah, this was "not a bug but a bad config option"?

yeah that official response was extremely unprofessional. just based on that alone i will never use a coinomi wallet. 

and they use a plugin? on something that could hold huge amounts of money? and then not even bother to check it and its configuration thoroughly before releasing it? seriously??

[angel55]

What I do not understand is, why Coinomi need to spell check your seed phrase on googleapis.com? Is this done on purpose to blame external factors, when someone within the company used this "backdoor" and get caught?

I have always said that centralized wallet providers and exchanges should never be trusted with your life savings. DO NOT put all your eggs in one basket. <80%+ of my hoard are stored on Cold wallets & Hardware wallets and only 20% are stored on different centralized services for daily access> 

this is what I think happened.  They are using google as someone to blame when they are really just using the backdoor themselves.  I doubt someone from google would be be responsible for this.  I'm not saying its impossible but very unlikely.

[mocacinno]

I am really sorry for your loss OP and hope you will be able to get your funds back.

Still, don't understand why OP used this same password/seed words for two different wallets?

From what I know rule number one is to use different passwords/seed words always.

If Coinomi wallet seed words would be different then OP exodus wallet would never be hacked. Am I right?

How they managed to find that these seed words are from Exodus wallet? Do they check all wallets out there? Strange.

Re-read the OP's post... He had some tokens (probably ERC20 tokens) that were sent to him but were not supported by his exodus wallet. Since he wanted to manipulate these tokens, he had to enter his seed phrase in a compatible wallet that did support these tokens. If he would have created a new seed phrase in coinomi he wouldn't have been able to manipulate the tokens that were sent to an address generated by his exodus wallet.

As for the second part of your question: there are 2048 words in the dictionary... A simple parser looking for a 12 or 24 words phrase consisting of solely words from this dictionary would suffice.

I used coinomi to keep some spending money, but i have moved everything but tBTC and tLTC from coinomi and i'll never use the application again, ever... It's not just the fact that they had a vulnerability, it's the way they behaved afterwards.

[DaveF]

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users fault that you hadn't configure SSL on your systems by default and it was the users fault that you had enabled spell checkin plug in where you restore your seed phrase resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh??  

According to Coinomi and other testing (including a quick and dirty wireshark test by me) it was / is a SSL transmission to Google

-Dave

Hi Dave,

My SSL comment is about 2017 incident on their mobile client. They hadn't enable SSL connection resulting in a clear text communication between the client app and the servers. They only thing they had to do back then is to just turn it on in their configuration. Another's user fault eh?

You can do your own research of what i'm talking about.
https://cryptoble.win/2017/09/30/vulnerability-coinomi-devs-retaliate/

On 16 September 2017, Luke Childs had went to Coinomi’s Github to alert them of an issue where Coinomi was connecting to ElectrumX servers in plain text (i.e. without SSL encryption).

Funny fact? their reaction is pretty much similar with today's reaction.
They attacked Luke Childs instead of thanking him and they stated that he spreads FUD while they enabled SSL connection on their mobile app.
Now, where is the suicide emoticon when you need it. 

Gotcha, I was only looking at what was going on now, did not even remember the 2017 issue.
 
Some people are saying that the desktop wallet did connect w/o SSL others are saying yes. All I can say is what I saw.

-Dave

[Stanlo]

I think the fault is from your end ,spyware is already on your pc and the moment you type in your passphrase the spyware hijacked your keys ,I'm using coinomi wallet presently with huge funds inside,but the actual real safest way is storing coins offline