Bitcoin Forum
Author Topic: Coinomi wallet sends your plain text seed phrase to Google  (Read 304 times)
vit05 (Hero Member, Activity: 672, Merit: 523)
February 27, 2019, 07:36:46 AM  #1
Merited by bones261 (3), ETFbitcoin (2), OgNasty (1), vapourminer (1), NeuroticFish (1), BitMaxz (1), Lucius (1), Wind_FURY (1), TryNinja (1), HCP (1), bitmover (1)

https://www.reddit.com/r/Bitcoin/comments/av987o/security_vulnerability_coinomi_wallet_sends_your/?utm_source=reddit-android

More info, and for those that don't want to click through to Twitter:

Demo video: https://streamable.com/keq40

When you enter your seed phrase to recover a new wallet, the Coinomi app makes a request to Google's spellcheck api to spellcheck the seed phrase. Yup, I know. The plain text seed phrase is accessible to Google (although transport uses SSL so it's encrypted over the wire). However this does mean that if you're using Coinomi your seed phrase is likely sitting in plain text logfiles at Google, accessible to a large number of employees.

I'd recommend if you use Coinomi wallet to immediately move all of your funds to a different wallet. I'd suggest something open source and well known or ideally a hardware wallet.

Full credit goes to https://twitter.com/warith2020 for finding the vuln. He's also claimed he's lost about $70k of funds from his wallet and Coinomi are avoiding the question of whether they'll reimburse him. This is why he's now decided to go public.

Read more from him here: https://www.avoid-coinomi.com/



I didn't check, and I do not use Coinomi. But it appears to be something serious and stupid.
Lucius (Legendary, Activity: 1442, Merit: 1217)
February 27, 2019, 10:50:51 AM  #2

vit05, thanks for this information; it is really unbelievable that a company which provides cryptocurrency wallets can allow this kind of security flaw. From the provided links we can also see that Coinomi is attempting to cover it up by deleting anything related to this incident.

I read a lot of different opinions on Reddit; some users say that it is not possible for someone at Google to reach such data, and also that this is an inside job involving some bad employee of Coinomi and Google. Some others say that it was stupid to keep so much money in such a wallet, and I agree with that. Imagine that some $60+, more or less, would have saved all that money, so we cannot blame hackers because they exploit all possible failures, from people and from unsafe technologies.

elda34b (Sr. Member, Activity: 462, Merit: 301)
February 27, 2019, 11:20:13 AM  #3

I believe the writer also posted this on the Bitcoin Discussion sub[1]. Let's hope this can get fixed pretty soon, or better yet, all people should use open source wallets.

Btw, Coinomi should respond asap, and if OP did lose his money, maybe they can delete this tweet too.[2]

[1] https://bitcointalk.org/index.php?topic=5114708
[2] https://twitter.com/CoinomiWallet/status/923339871309180929
bitmover (Hero Member, Activity: 504, Merit: 745)
February 27, 2019, 12:30:04 PM  #4

Thanks for sharing this.

I have used Coinomi for years. I really like that wallet, as it is easy to use and I consider it safe (but I just keep small amounts of money there). Usually I put at most the value of my smartphone in a mobile wallet.

It's practical and the UI is very good. Easy to set fees, add any token and most coins, etc.

I will look for more information about this incident, and I will consider moving my funds somewhere else.

gentlemand (Legendary, Activity: 2030, Merit: 1736)
February 27, 2019, 06:20:54 PM  #5

Quote
I have used Coinomi for years. I really like that wallet, as it is easy to use and I consider it safe (but I just keep small amounts of money there). Usually I put at most the value of my smartphone in a mobile wallet.

It's one of the few non open source ones out there and this proves why it's a bad idea.

I've got plenty of shitcoins on mine and there probably isn't another place for some of them. I'll stay put and take it like a man when the CEO of Google chooses to enrich himself at my expense.

According to that, https://twitter.com/RichardHeartWin/status/1100681518199042048, it's a desktop-only issue that's now been sorted, but I'm sure there are plenty more holes out there.

ETFbitcoin (Legendary, Activity: 1666, Merit: 1802)
February 27, 2019, 06:28:28 PM  #6
Merited by vit05 (2)

FYI, Coinomi made an official response regarding this matter at https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b. It doesn't look like an official statement, especially this part:

Quote
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²

They act like they know how the Google API works, or simply assume the Google API discards all bad requests, even though only Google engineers know the Google API's behavior. While I doubt it's the reason Warith's coins were stolen, it clearly shows that they're not being professional, or are trying to blame Warith instead.

Glad I stopped using Coinomi after they decided to make their wallet closed-source.

bitmover (Hero Member, Activity: 504, Merit: 745)
February 27, 2019, 10:13:31 PM  #7

Quote
It's one of the few non open source ones out there and this proves why it's a bad idea.

This is true.

I don't get why those companies insist on making closed source wallets.

I am glad this is a desktop-only issue, as I am using it on mobile. The desktop version is quite new, so this will probably be fixed.

Coiner.de (Hero Member, Activity: 730, Merit: 513)
February 27, 2019, 10:29:02 PM  #8

Quote
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²

They act like they know how the Google API works, or simply assume the Google API discards all bad requests, even though only Google engineers know the Google API's behavior. While I doubt it's the reason Warith's coins were stolen, it clearly shows that they're not being professional, or are trying to blame Warith instead.

You didn't read the footnote ², did you? It says "We have asked Google to confirm that bad requests’ text body isn’t stored on their servers, we will update our statement accordingly."

I would believe that Google logs bad requests until the end of time. I wonder if they will answer.
BuySomeBitcoins (Sr. Member, Activity: 434, Merit: 252)
February 27, 2019, 10:53:00 PM  #9

That's why everyone should use a hardware wallet with a cable connection ONLY (not Bluetooth) and a light client like Electrum.
BitMaxz (Legendary, Activity: 1456, Merit: 1185)
February 27, 2019, 11:39:42 PM  #10

Wow, I didn't realize that they use Google's spell check API to suggest a word in Coinomi; I thought that they developed it without any 3rd party APIs.
This is a big discouragement for the users who use Coinomi, including me. I'm not holding a big amount, but I have a few altcoins in the wallet.

So, I think it's time to switch to a new wallet and transfer all funds to a better and more secure wallet.

I'm sorry for that man, the one who lost $70k; it's honestly a big amount, and I am sure that the big G is still monitoring the wallets of Coinomi users who hold a large amount of funds, and sooner or later they become another victim of this.

Quote
That's why everyone should use a hardware wallet with a cable connection ONLY (not Bluetooth) and a light client like Electrum.
I agree with this, but not with Electrum; it is just a Bitcoin wallet. Coinomi supports many coins and tokens, so a hardware wallet is the best for this.

vit05 (Hero Member, Activity: 672, Merit: 523)
February 28, 2019, 01:05:57 AM  #11

Coinomi posted all the interaction they had with Warith, and called him a blackmailer.

https://cdn.coinomi.com/static/images/support/ticket900882_high.jpg

Their Medium post explaining the situation:
https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

If you use the Android or iOS app, you do not need to do anything.

But...
Quote
If you are using Coinomi Desktops and you restored an existing wallet into your Desktop wallet we recommend that you create a new wallet and move your funds there after you update your client to the latest (patched) version.
BuySomeBitcoins (Sr. Member, Activity: 434, Merit: 252)
February 28, 2019, 01:34:54 AM  #12

Quote
Wow, I didn't realize that they use Google's spell check API to suggest a word in Coinomi; I thought that they developed it without any 3rd party APIs.
This is a big discouragement for the users who use Coinomi, including me. I'm not holding a big amount, but I have a few altcoins in the wallet.

So, I think it's time to switch to a new wallet and transfer all funds to a better and more secure wallet.

I'm sorry for that man, the one who lost $70k; it's honestly a big amount, and I am sure that the big G is still monitoring the wallets of Coinomi users who hold a large amount of funds, and sooner or later they become another victim of this.

Quote
That's why everyone should use a hardware wallet with a cable connection ONLY (not Bluetooth) and a light client like Electrum.
I agree with this, but not with Electrum; it is just a Bitcoin wallet. Coinomi supports many coins and tokens, so a hardware wallet is the best for this.

Why would anyone use a wallet supporting shitcoins to store his bitcoins?

Never mix gold with cow dung, so I do think bitcoin should be stored in a BITCOIN-ONLY wallet.
pooya87 (Legendary, Activity: 1666, Merit: 1686)
February 28, 2019, 03:51:14 AM  #13

Quote
FYI, Coinomi made an official response regarding this matter at https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b. It doesn't look like an official statement, especially this part:

Quote
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²

They act like they know how the Google API works, or simply assume the Google API discards all bad requests, even though only Google engineers know the Google API's behavior. While I doubt it's the reason Warith's coins were stolen, it clearly shows that they're not being professional, or are trying to blame Warith instead.

Glad I stopped using Coinomi after they decided to make their wallet closed-source.

It doesn't matter what the Google API does or doesn't do, they shouldn't have done it in the first place!
"Spell-check" is pure bullshit; why don't other wallets do it? It doesn't even make sense to do something like that. Imagine your Electrum wallet sending your seed to some server to be "checked".

ETFbitcoin (Legendary, Activity: 1666, Merit: 1802)
February 28, 2019, 05:27:30 PM  #14

Quote
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²
They act like they know how the Google API works, or simply assume the Google API discards all bad requests, even though only Google engineers know the Google API's behavior. While I doubt it's the reason Warith's coins were stolen, it clearly shows that they're not being professional, or are trying to blame Warith instead.

You didn't read the footnote ², did you? It says "We have asked Google to confirm that bad requests’ text body isn’t stored on their servers, we will update our statement accordingly."

I would believe that Google logs bad requests until the end of time. I wonder if they will answer.

I read the footnote as well, but you missed my point. Since they haven't got a response from Google, IMO they should emphasize that it's the supposed behavior or their assumption, not a statement that isn't verified/confirmed yet.

Quote
FYI, Coinomi made an official response regarding this matter at https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b. It doesn't look like an official statement, especially this part:
Quote
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²
They act like they know how the Google API works, or simply assume the Google API discards all bad requests, even though only Google engineers know the Google API's behavior. While I doubt it's the reason Warith's coins were stolen, it clearly shows that they're not being professional, or are trying to blame Warith instead.
Glad I stopped using Coinomi after they decided to make their wallet closed-source.
It doesn't matter what the Google API does or doesn't do, they shouldn't have done it in the first place!
"Spell-check" is pure bullshit; why don't other wallets do it? It doesn't even make sense to do something like that. Imagine your Electrum wallet sending your seed to some server to be "checked".

I agree; additionally, since they could create a seed phrase, that means their software contains the words to create it, which could be used to verify a seed phrase without an external system.
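The point made here, and in the original report at the top of the thread (the app shipping the typed phrase to Google's spellcheck API), is that everything a wallet needs to validate a recovery phrase is already on the device: the BIP39 wordlist and a SHA-256 checksum. As an added example, not code from the thread or from Coinomi, here is an offline BIP39 validator in Python; the wordlist fragment and the published all-zero-entropy test vector are the only assumed inputs.

```python
import hashlib
import unicodedata

# Constructed fragment of the BIP39 English wordlist (word -> index). The real
# list has 2048 words and ships inside the wallet; this fragment holds only the
# entries the demo vector below needs, at their real indices.
WORDLIST_FRAGMENT = ["abandon", "ability", "able", "about"]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST_FRAGMENT)}

VALID_LENGTHS = (12, 15, 18, 21, 24)


def validate_mnemonic(phrase, word_index=WORD_INDEX):
    """Validate a BIP39 phrase using only the local wordlist and SHA-256.

    Returns (ok, reason). The reason never echoes a word from the phrase, so
    it is safe to log or show in telemetry; a typo is reported by position.
    """
    words = unicodedata.normalize("NFKD", phrase).strip().lower().split()
    if len(words) not in VALID_LENGTHS:
        return False, "invalid word count"
    for pos, w in enumerate(words, start=1):
        if w not in word_index:
            return False, "unknown word at position %d" % pos
    # Each word encodes 11 bits; the trailing ENT/32 bits are the checksum,
    # i.e. the first bits of SHA-256 over the entropy the phrase encodes.
    bits = "".join(format(word_index[w], "011b") for w in words)
    cs_len = len(bits) // 33
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    digest = hashlib.sha256(entropy).digest()
    expected = format(int.from_bytes(digest, "big"), "0256b")[:cs_len]
    if cs_bits != expected:
        return False, "checksum mismatch"
    return True, "ok"


def mnemonic_to_seed(phrase, passphrase=""):
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, no network."""
    mnemonic = unicodedata.normalize("NFKD", phrase).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic, salt, 2048)


# Published BIP39 test vector: 128 zero bits of entropy -> "abandon" x11 + "about".
DEMO_PHRASE = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    print(validate_mnemonic(DEMO_PHRASE))                          # (True, 'ok')
    print(validate_mnemonic(" ".join(["abandon"] * 12)))           # checksum mismatch
    print(validate_mnemonic(DEMO_PHRASE.replace("about", "abuot")))  # unknown word at position 12
    print(mnemonic_to_seed(DEMO_PHRASE, "TREZOR").hex()[:16])      # c55257c360c07c72
```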

Wind_FURY (Hero Member, Activity: 1120, Merit: 773)
March 01, 2019, 06:23:52 AM  #15

Hahaha. Sends seeds to the Google spell checker API. What could go wrong?

I believe they also had some privacy issues with their mobile wallet, which they handled badly, instead of rewarding the person who found the problem.



Pmalek (Legendary, Activity: 966, Merit: 1047)
March 01, 2019, 09:29:32 AM  #16

Quote
So, I think it's time to switch to a new wallet and transfer all funds to a better and more secure wallet.
I have some coins in a Coinomi Android wallet as well. But I don't keep any Bitcoin there. The problem is that Coinomi was a good choice for storing alts up until this issue was made public. And the question is, do some other brands use the same method for seed verification? I guess time will tell.

gentlemand (Legendary, Activity: 2030, Merit: 1736)
March 01, 2019, 11:15:33 AM  #17

Quote
And the question is, do some other brands use the same method for seed verification? I guess time will tell.

Most wallets are open source so a hole as gaping as this would be picked up and screeched about rather more rapidly. I'm keeping my shit in there. For the real coins there are plenty of other sound choices.

franckuestein (Staff, Legendary, Activity: 1806, Merit: 1095)
March 04, 2019, 05:39:31 PM  #18

Quote
It's one of the few non open source ones out there and this proves why it's a bad idea.

This is true.

I don't get why those companies insist on making closed source wallets.

I am glad this is a desktop-only issue, as I am using it on mobile. The desktop version is quite new, so this will probably be fixed.

Because despite the existence of open source solutions, unfortunately people keep using and recommending it.

Reasons:
ignorance
questionable ease of use
marketing
little research before importing private keys

joniboini (Hero Member, Activity: 588, Merit: 1050)
March 05, 2019, 01:51:23 AM  #19

Quote
I believe they also had some privacy issues with their mobile wallet, which they handled badly, instead of rewarding the person who found the problem.

The Luke Childs case, right? I still wonder how Coinomi can act like a spoiled child and start to attack him when he tried to help them fix probably one of the most important issues in crypto. Looks like they did it again now. Time to add Coinomi to my shitwallet list.

Brenny431 (Newbie, Activity: 7, Merit: 0)
March 27, 2019, 12:19:05 PM  #20

You can read Coinomi's official statement here if you haven't already: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b