vit05 (OP)
February 27, 2019, 07:36:46 AM Merited by bones261 (3), ABCbits (2), OgNasty (1), vapourminer (1), NeuroticFish (1), BitMaxz (1), Lucius (1), Wind_FURY (1), TryNinja (1), bitmover (1), HCP (1)
https://www.reddit.com/r/Bitcoin/comments/av987o/security_vulnerability_coinomi_wallet_sends_your/?utm_source=reddit-android
more info and for those that don't want to click through to twitter:
Demo video: https://streamable.com/keq40
When you enter your seed phrase to recover a new wallet, the Coinomi app makes a request to Google's spellcheck api to spellcheck the seed phrase. Yup, I know. The plain text seed phrase is accessible to Google (although transport uses SSL so it's encrypted over the wire). However this does mean that if you're using Coinomi your seed phrase is likely sitting in plain text logfiles at Google, accessible to a large number of employees. I'd recommend if you use Coinomi wallet to immediately move all of your funds to a different wallet. I'd suggest something open source and well known or ideally a hardware wallet. Full credit goes to https://twitter.com/warith2020 for finding the vuln. He's also claimed he's lost about $70k of funds from his wallet and Coinomi are avoiding the question of whether they'll reimburse him. This is why he's now decided to go public. Read more from him here: https://www.avoid-coinomi.com/
I didn't check, and I do not use Coinomi. But it appears to be something serious and stupid.
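For contrast with the behaviour described in the post above, here is an added example (not Coinomi's code and not from anyone in this thread) of how a wallet can validate and spell-check a BIP39 recovery phrase entirely on the device, so the phrase never has to be sent to any remote API. The checksum logic is the real BIP39 algorithm; the WORDLIST is a constructed 2048-entry stand-in for the real English wordlist.

```python
"""Offline BIP39 mnemonic validation (added example, not Coinomi's code).

Every word must be in the local wordlist and the embedded checksum must
verify. No network call is involved, so the seed phrase never leaves the
process. WORDLIST is a constructed stand-in for the real 2048-word BIP39
English list; a real wallet ships that list with the app.
"""
import difflib
import hashlib

# Constructed placeholder wordlist; real wallets embed the BIP39 English list.
WORDLIST = [f"w{i:04d}" for i in range(2048)]
INDEX = {w: i for i, w in enumerate(WORDLIST)}


def entropy_to_mnemonic(entropy: bytes) -> list[str]:
    """BIP39 encoding: entropy || first ENT/32 bits of SHA-256(entropy), 11 bits per word."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs = ent // 32  # checksum length in bits (4..8)
    digest = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent)
    bits += bin(digest[0])[2:].zfill(8)[:cs]  # cs <= 8, so one byte suffices
    return [WORDLIST[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


def validate_mnemonic(words: list[str]) -> bool:
    """True only if all words are known and the checksum matches; runs offline."""
    if len(words) not in (12, 15, 18, 21, 24) or any(w not in INDEX for w in words):
        return False
    bits = "".join(bin(INDEX[w])[2:].zfill(11) for w in words)
    cs = len(bits) // 33  # ENT + ENT/32 bits total, so checksum = total / 33
    ent_bits, checksum = bits[:-cs], bits[-cs:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = bin(hashlib.sha256(entropy).digest()[0])[2:].zfill(8)[:cs]
    return checksum == expected


def suggest(word: str, n: int = 3) -> list[str]:
    """Local typo suggestions: the 'spell-check' a wallet can do without a network."""
    return difflib.get_close_matches(word, WORDLIST, n=n, cutoff=0.6)
```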
Lucius
Legendary
Offline
Activity: 3416
Merit: 6149
Crypto Swap Exchange🈺
February 27, 2019, 10:50:51 AM
vit05, thanks for this information. It is really unbelievable that a company which provides a cryptocurrency wallet can allow this kind of security flaw. From the provided links we can also see that Coinomi is attempting to cover it up by deleting anything related to this incident.
I read a lot of different opinions on Reddit. Some users say that it is not possible for someone at Google to reach such data, and also that this is an inside job involving some bad employee of Coinomi and Google. Some others say that it was stupid to keep so much money in such a wallet, and I agree with that. Imagine that some $60+, more or less, would have saved all that money, so we cannot blame hackers because they exploit all possible failures, from people and from unsafe technologies.
bitmover
Legendary
Offline
Activity: 2478
Merit: 6318
bitcoindata.science
February 27, 2019, 12:30:04 PM
Thanks for sharing this
I have used Coinomi for years. I really like that wallet, as it is easy to use and I consider it safe (but I just keep small amounts of money there). Usually I put at most the value of my smartphone in a mobile wallet.
It's practical and the UI is very good. Easy to set fees, add any token and most coins, etc...
I will look for more information about this incident, and I will consider moving my funds somewhere else.
gentlemand
Legendary
Offline
Activity: 2590
Merit: 3015
Welt Am Draht
February 27, 2019, 06:20:54 PM
I have used Coinomi for years. I really like that wallet, as it is easy to use and I consider it safe (but I just keep small amounts of money there). Usually I put at most the value of my smartphone in a mobile wallet.
It's one of the few non open source ones out there and this proves why it's a bad idea. I've got plenty of shitcoins on mine and there probably isn't another place for some of them. I'll stay put and take it like a man when the CEO of Google chooses to enrich himself at my expense. According to this - https://twitter.com/RichardHeartWin/status/1100681518199042048 - it's a desktop only issue that's now been sorted, but I'm sure there are plenty more holes out there.
ABCbits
Legendary
Offline
Activity: 3052
Merit: 8075
Crypto Swap Exchange
February 27, 2019, 06:28:28 PM
FYI, Coinomi made an official response regarding this matter at https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b. It doesn't sound like an official statement, especially this part:
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²
They act like they know how the Google API works, or simply assume the Google API discards all bad requests, even though only Google engineers know the Google API's behavior. While I doubt it's the reason Warith's coins were stolen, it clearly shows that they're not being professional, or are trying to blame Warith instead. Glad I stopped using Coinomi after they decided to make their wallet closed-source.
bitmover
Legendary
Offline
Activity: 2478
Merit: 6318
bitcoindata.science
February 27, 2019, 10:13:31 PM
It's one of the few non open source ones out there and this proves why it's a bad idea.
This is true. I don't get why those companies insist on making closed source wallets. I am glad this is a desktop only issue, as I am using it on mobile. The desktop version is quite new, so this will probably be fixed.
Coiner.de
February 27, 2019, 10:29:02 PM
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²
They act like they know how the Google API works, or simply assume the Google API discards all bad requests, even though only Google engineers know the Google API's behavior. While I doubt it's the reason Warith's coins were stolen, it clearly shows that they're not being professional, or are trying to blame Warith instead.
You didn't read footnote ², did you? It says "We have asked Google to confirm that bad requests’ text body isn’t stored on their servers, we will update our statement accordingly." I would believe that Google logs bad requests until the end of time. I wonder if they will answer.
BuySomeBitcoins
February 27, 2019, 10:53:00 PM
That's why everyone should use a hardware wallet with a cable connection ONLY (not Bluetooth) and a light client like Electrum.
BitMaxz
Legendary
Offline
Activity: 3430
Merit: 3168
Playbet.io - Crypto Casino and Sportsbook
February 27, 2019, 11:39:42 PM
Wow, I didn't realize that they use the Google spell check API to suggest a word in Coinomi; I thought that they developed it without any 3rd party APIs. This is a big discouragement for the users who use Coinomi, including me. I'm not holding a big amount, but I have a few altcoins in the wallet. So, I think it's time to switch to a new wallet and transfer all funds to a better and more secure wallet. I'm sorry for that man, the one who lost $70k; it's honestly a big amount, and I am sure that the big G is still monitoring the wallets of Coinomi users who hold a large amount of funds, and sooner or later they become another victim of this.
That's why everyone should use a hardware wallet with a cable connection ONLY (not Bluetooth) and a light client like Electrum.
I agree with this, but not with Electrum; it is just a Bitcoin wallet. Coinomi supports many coins and tokens, so a hardware wallet is the best for this.
BuySomeBitcoins
February 28, 2019, 01:34:54 AM
Wow, I didn't realize that they use the Google spell check API to suggest a word in Coinomi; I thought that they developed it without any 3rd party APIs. This is a big discouragement for the users who use Coinomi, including me. I'm not holding a big amount, but I have a few altcoins in the wallet. So, I think it's time to switch to a new wallet and transfer all funds to a better and more secure wallet. I'm sorry for that man, the one who lost $70k; it's honestly a big amount, and I am sure that the big G is still monitoring the wallets of Coinomi users who hold a large amount of funds, and sooner or later they become another victim of this.
That's why everyone should use a hardware wallet with a cable connection ONLY (not Bluetooth) and a light client like Electrum.
I agree with this, but not with Electrum; it is just a Bitcoin wallet. Coinomi supports many coins and tokens, so a hardware wallet is the best for this.
Why would anyone use a wallet supporting shitcoins to store his bitcoins? Never mix gold with cow dung, so I do think bitcoin should be stored in a BITCOIN-ONLY wallet.
pooya87
Legendary
Offline
Activity: 3626
Merit: 11029
Crypto Swap Exchange
February 28, 2019, 03:51:14 AM
FYI, Coinomi made an official response regarding this matter at https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b. It doesn't sound like an official statement, especially this part:
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²
They act like they know how the Google API works, or simply assume the Google API discards all bad requests, even though only Google engineers know the Google API's behavior. While I doubt it's the reason Warith's coins were stolen, it clearly shows that they're not being professional, or are trying to blame Warith instead. Glad I stopped using Coinomi after they decided to make their wallet closed-source.
It doesn't matter what the Google API does or doesn't do, they shouldn't have done it in the first place! "Spell-check" is pure bullshit; why don't other wallets do it? It doesn't even make sense to do something like that. Imagine your Electrum wallet sending your seed to some server to be "checked".
Wind_FURY
Legendary
Offline
Activity: 3094
Merit: 1931
March 01, 2019, 06:23:52 AM
Hahaha. Sends seeds to Google spell checker API. What could go wrong? I believe they also had some privacy issues with their mobile wallet, which they handled badly, instead of rewarding the person who found the problem.
Pmalek
Legendary
Offline
Activity: 2940
Merit: 7550
Playgram - The Telegram Casino
March 01, 2019, 09:29:32 AM
So, I think it's time to switch to a new wallet and transfer all funds to a better and more secure wallet.
I have some coins in a Coinomi Android wallet as well. But I don't keep any Bitcoin there. The problem is that Coinomi was a good choice for storing alts up until this issue was made public. And the question is, do some other brands use the same method for seed verification? I guess time will tell.
gentlemand
Legendary
Offline
Activity: 2590
Merit: 3015
Welt Am Draht
March 01, 2019, 11:15:33 AM
And the question is, do some other brands use the same method for seed verification? I guess time will tell.
Most wallets are open source, so a hole as gaping as this would be picked up and screeched about rather more rapidly. I'm keeping my shit in there. For the real coins there are plenty of other sound choices.
franckuestein
Legendary
Offline
Activity: 1960
Merit: 1130
Truth will out!
March 04, 2019, 05:39:31 PM
It's one of the few non open source ones out there and this proves why it's a bad idea.
This is true. I don't get why those companies insist on making closed source wallets. I am glad this is a desktop only issue, as I am using it on mobile. The desktop version is quite new, so this will probably be fixed.
Because despite the existence of open source solutions, unfortunately people keep using and recommending it. Reasons:
- ignorance
- questionable ease of use
- marketing
- little research before importing private keys
joniboini
Legendary
Offline
Activity: 2366
Merit: 1806
March 05, 2019, 01:51:23 AM
I believe they also had some privacy issues with their mobile wallet, which they handled badly, instead of rewarding the person who found the problem.
The Luke Childs case, right? I still wonder how Coinomi can act like a spoiled child and start to attack him when he tried to help them fix probably one of the most important issues in crypto. Looks like they did it again now. Time to add Coinomi to my shitwallet list.
Brenny431
Newbie
Offline
Activity: 7
Merit: 0
March 27, 2019, 12:19:05 PM
bitmover
Legendary
Offline
Activity: 2478
Merit: 6318
bitcoindata.science
March 27, 2019, 06:25:11 PM
Lol, I didn't feel any better after reading it.
The seed phrase wasn’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets
Of course users will want to restore their wallets. If they restore, it's because there are funds in it.