i just updated yesterday my coinomi desktop wallet ... and like for 3-4 minute the whole coinomi screen with accounts and balance was frozen and in screen appear more than 2,6 million hash and password (i saved all data with the ctrl+c and v function) like
[...]
what you think what was happens? its a bug, what kind of data are this?
Hi pizza50, please open a support ticket at support.coinomi.com explaining in detail what you saw. Explain where exactly did you see that text, how did it appear on the screen, if it was immediately after you ran the updated installer file or when running the app after updating, etc. Please also include a link to the exact file you downloaded and anything else you think is important. The wallet doesn't do anything you described, so most likely you downloaded a fake file from a fake website, or some other software activated as you tried to execute Coinomi. We would love to have a copy if that's the case. But a deeper malware scan and possibly moving your coins to a new recovery phrase using a clean device and subsequent wipe of your computer is recommended.
Do be careful, the first time (when they allegedly sent seeds to Google) they spent loads of time, effort and money to "bury" the guy that uncovered the alleged infractions.
Hi mocacinno, the guy who uncovered the infractions was trying to extort Coinomi from the start, you can read the detailed forensic analysis of the entire thing here:
https://twitter.com/kimionis/status/1131945228506738688
To me, this is really weird, because according to what
Coinomi says, all user data is only on the user's device, and there is an encrypted application data folder where seed/keys are stored. What interests me is where the user's password is stored? According to this, it turns out that it is located on a Coinomi server that sent everything to one user during an update in some crazy bug
Assuming everything is stored locally, then it is impossible for one program to connect to millions of computers and pull all this data - or is it still possible?
Hi Lucius, the password isn't stored anywhere, and definitely not on our servers. Your app password used to encrypt the wallet data. When the app requires the private keys for any operation, it tries to decrypt the local data with the password. If the decryption is successful, it means the password was correct. If the decryption was not successful, it means the password was wrong. The password itself (or hash or any kind of data derived from it) isn't stored anywhere, not even in your computer.
Not that hosting the executable and the checksum on the same page would be secure.. but at least that's something.
Our website hosts the executable and checksum on the same page, but also has a text file that contains the filenames and their respective hashes, which is signed with our lead dev's PGP key. The chain of trust starts with the signed message and PGP key. Once you verify the signature, you will know which are the legit hashes for each file. Finally you can download the file and check that its hash matches the one on the signed message.
