A security consultant has revealed what he claims is a vulnerability in a crypto wallet that has seen more than 500,000 downloads.
The seed text is plain text as in not hashed/encrypted etc. Google have your plain text seed in their logs and viewable by their employees. @warith2020 is also claiming his funds have been stolen.
But you're correct, the connection uses SSL so it's not plain text over the wire.
— Luke Childs (@lukechilds) February 27, 2019
They claim when you restore the seed, which is kind of like a password that “unlocks” your private key, this seed is sent to Google in plaintext. Any Google employee can now access your crypto, they claim and demo in a video.
Coinomi gives a different story. This only affected restoring seeds on desktops, not mobiles, we’re told. Even then, the request to Google api was encrypted and was actually a bad request, never processed by Google at all.
The spellcheck is local, Jxbrowsr downloads a local dictionary and checks, says a Coinomi representative who says this is not an official response by Coinomi. They are preparing an official response which has now been published.
This is now patched 3 days ago anyway, we’re told. “Noone else had this issue since the release of desktops on 1.1.2019.”
We asked Warith Al Maawali, a security consultant who first made this claim, whether the alleged vulnerability had been revealed to Coinomi before it was made public, but have not received a reply in time for publishing.
In a statement, Maawali says his “passphrase was compromised and $60K-$70K worth of crypto-currency were stolen because of Coinomi wallet and how the wallet handled my passphrase. I’m disclosing this issue publicly because Coinomi refused to take the responsibility and all my attempts through private channels have failed.”
Coinomi’s rep says they were contacted on the 22.2.2019. “We tried until yesterday very politely to get a responsible disclosure from that user, and he refused,” we’re told.
Making it quite unclear as to what exactly is going on here, but it appears Maawali had some funds stolen and as a security researcher, presumably he went around to see why that happened.
Coinomi, on the other hand, appears to not be very sure there was an actual theft, with revealed discussions by Maawali having a Coinomi rep call it the “incident” in quotes.
Then there appears to be some emotionally charged aspects as the sums are considerable, so anger is to be expected, but the moral of the story is that a wallet is what the name says.
In your physical wallet you probably keep may $100 or perhaps $200 at most. The rest is better served in a hardware wallet or in cold storage as any connection to the internet can lead to vulnerabilities and loss of funds.
Update: Angelos Leoussis, the Operations Manager with Coinomi wallet, says these allegations were proved to be completely untrue by a Crypto Forensic team and their findings were published.