The Coinomi cryptocurrency wallet is in trouble (again) for not doing a better job of protecting its users (again). It is starting to sound like a broken record for the company and users need to be wary of storing their Bitcoin and other assets in the app.
According to Warith Al Maawali, who discovered the issue, Coinomi’s wallet will send user passwords in the clear to Google’s spellchecking service. This leads to the possibility of having the accounts compromised and opens the door to man-in-the-middle (MitM) attacks. Not only did Al Maawali discover the problem, he was a victim of it.
The design of the app creates a flaw during the initial configuration of the wallet. A user selects a password, which is recorded by Coinomi and then silently sent to Google’s Spellcheck API. Chromium includes various Google features, including the spellchecker, but this option can be disabled. For some reason, Coinomi decided not to disable it, leading to the passwords being sent via HTTP, not HTTPS, during wallet setup.
Al Maawali has lost a significant amount of crypto out of his wallet and, while he admits he cannot positively attribute it to the bug, asserts that the money was stolen from the wallet due to the flaw. He reportedly has lost as much as $70,000 that was held in several different cryptocurrencies.
Al Maawali posted a proof-of-concept video on the flaw, which was later verified by security researcher Luke Childs. Childs is a crypto enthusiast who has had run-ins with Coinomi in the past. In 2016, he uncovered a bug that allowed the Android version of the wallet to talk to Coinomi’s servers via HTTP and reported it to the company. Coinomi denied the assertion and even got into a heated conversation with Childs about the issue, at one point stating that the lack of security was not a “security concern.” The company eventually pulled Childs’ bug report from its site, possibly in an attempt to cover up the problem.
Coinomi has issued a response through a Medium post and acknowledges that the issue existed, but tried to deflect any responsibility. It stated, “Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only. That plugin enabled the spell-check functionality by default in a recent update and was fixed by the jxBrowser plug-in team just 6 days ago …”
The company asserts that it hires “professional auditors and security experts” to review its code. It would appear that the experts missed a few things.
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.