Coinomi user: spelling check results in up to $70,000 loss

Posted 27 February, 2019

A Bitcointalk forum user posting under the nickname warith reported that he had lost $60,000 to $70,000 because of a vulnerability in the popular crypto wallet Coinomi.

According to the post published on the forum, the author says that on February 14 he installed the Coinomi app and then entered into its interface the recovery phrase (seed phrase) of his main wallet, which he had previously kept in Exodus.

“I downloaded and installed Coinomi application (Windows version) and noticed that their setup file was digitally signed but their main application was NOT signed after the installation process was completed,” he writes.

On February 22 he noticed that roughly 90% of his holdings (Bitcoin, ETH, ERC20 tokens, LTC and BCH) had been transferred to various addresses. Only the coins not supported by Coinomi (but supported by Exodus) remained untouched.

After analyzing the Coinomi client, the author found that the entire wallet interface is written in HTML/JavaScript and rendered by an embedded Chromium-based browser component. He discovered that whatever one types or pastes into a text box, including the field that takes the recovery phrase, is sent by the Coinomi app to googleapis(dot)com for a spelling check.
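The mechanism described above is the browser's built-in spell-checker running on an ordinary editable text field. Chromium spell-checks text inputs, textareas and contenteditable elements unless the field opts out with the standard HTML attribute spellcheck="false"; fields of type="password" are never spell-checked. The following is an added example, not code from Coinomi or from the forum post: a small audit script that scans an HTML form for fields whose id, name, placeholder or aria-label suggests they hold a secret (seed phrase, mnemonic, private key, password) and flags those that the spell-checker would still process. The two sample forms, the field names in them and the SECRET_HINT pattern are constructed for this example; the spell-check rules are a simplification (inheritance of spellcheck from ancestor elements is not followed).

```javascript
// Added example (not Coinomi's code). Audit HTML for secret-entry fields that an
// embedded Chromium would hand to the spell-checker, i.e. whose contents would
// leave the process as a spelling request. Fields are flagged unless they opt out.

// Heuristic for "this field holds a wallet secret" (assumed names for this example).
const SECRET_HINT = /(seed|mnemonic|passphrase|recovery|private.?key|password)/i;

// Split a tag's attribute text into a map keyed by lowercase attribute name.
// Valueless attributes (e.g. contenteditable) map to the empty string.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const val = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = val;
  }
  return attrs;
}

// Simplified model of Chromium's rule: editable text is spell-checked unless the
// element carries spellcheck="false"; password inputs are never spell-checked.
function isSpellChecked(tag, attrs) {
  if ('spellcheck' in attrs && attrs.spellcheck.toLowerCase() === 'false') return false;
  if (tag === 'input') {
    const type = (attrs.type || 'text').toLowerCase();
    return type === 'text' || type === 'search'; // password, hidden, number, ... are not checked
  }
  if (tag === 'textarea') return true;
  return 'contenteditable' in attrs && attrs.contenteditable.toLowerCase() !== 'false';
}

// Return one finding per secret-bearing field that the spell-checker would process.
function auditSecretFields(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9-]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const label = [attrs.id, attrs.name, attrs.placeholder, attrs['aria-label']]
      .filter(Boolean).join(' ');
    if (!SECRET_HINT.test(label)) continue; // not a secret-bearing field
    const editable = tag === 'input' || tag === 'textarea' || 'contenteditable' in attrs;
    if (!editable) continue;
    if (isSpellChecked(tag, attrs)) {
      findings.push({ field: attrs.id || attrs.name || tag, reason: 'spellcheck not disabled' });
    }
  }
  return findings;
}

// Constructed sample: a recovery-phrase field with the browser defaults (vulnerable).
const VULNERABLE_FORM = `
<form>
  <textarea id="seed-phrase" placeholder="Enter your 12-word recovery phrase"></textarea>
  <input id="wallet-name" type="text">
</form>`;

// Constructed sample: the same form with spell-check (and autofill) opted out.
const HARDENED_FORM = `
<form>
  <textarea id="seed-phrase" spellcheck="false" autocomplete="off" autocorrect="off"
            placeholder="Enter your 12-word recovery phrase"></textarea>
  <input id="wallet-password" type="password" autocomplete="off">
</form>`;

console.log('vulnerable:', auditSecretFields(VULNERABLE_FORM));
console.log('hardened:', auditSecretFields(HARDENED_FORM));
```

Run with node; the first form yields one finding for seed-phrase, the second none. Opting out at the field level is the minimum; a wallet that embeds a browser engine should additionally disable the spell-check service for the whole embedded instance, and a reviewer can confirm either measure empirically by watching the application's outbound connections while typing into the phrase field.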

The author's conclusion is that either someone at Google or someone able to monitor the HTTP requests sent to googleapis(dot)com recovered the passphrase from those requests and used it to steal crypto worth $60,000 to $70,000. Anyone familiar with the technology would recognise a string of 12 random English words as a wallet recovery phrase.

Coinomi initially provided no official comment on the issue. The author, however, stated that the company deleted its reply to his claim on Twitter and was evasive in correspondence. He stressed that he plans to file a lawsuit if the company keeps avoiding liability.

The company later commented on the issue, saying that the problem affected only the desktop version of the wallet.
