Alleged Coinomi Crypto Wallet Vulnerability Fixed Says Rep


A security consultant has revealed what he claims is a vulnerability in a crypto wallet that has seen more than 500,000 downloads.

He claims that when you restore the seed, which is something like a password that “unlocks” your private key, the seed is sent to Google in plaintext. Any Google employee could then access your crypto, he claims and demonstrates in a video.

Coinomi gives a different story. This only affected restoring seeds on desktops, not mobiles, we’re told. Even then, the request to Google’s API was encrypted and was actually a bad request, never processed by Google at all.

The spellcheck is local: JxBrowser downloads a dictionary and checks against it, says a Coinomi representative, who adds that this is not an official response by Coinomi. They were preparing an official response, which has now been published.
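Whichever account is right, the failure mode under discussion is a secret-entry field that leaves browser spellcheck enabled, so typed words can reach a spellcheck service. As an added example (not code from Coinomi, JxBrowser or the researcher), here is a small static check that flags such fields in HTML; the field-name hints and the sample markup are constructed for illustration.

```javascript
// Words in a field's name/id/autocomplete/placeholder that mark it as secret entry.
// These hints are an assumption for this example, not a standard list.
const SECRET_HINTS = /(seed|mnemonic|passphrase|password|recovery)/i;

// Parse the attributes of one tag body, e.g. ` name="mnemonic" spellcheck=false`.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// A field is treated as secret if it is a password input or its metadata hints at it.
function isSecretField(attrs) {
  if ((attrs.type || "").toLowerCase() === "password") return true;
  return [attrs.name, attrs.id, attrs.autocomplete, attrs.placeholder]
    .some((v) => v && SECRET_HINTS.test(v));
}

// Return one finding per <input>/<textarea> that looks like a secret field but
// still allows spellcheck (attribute missing or not "false") or autocompletion.
function findUnhardenedSecretInputs(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[2]);
    if (!isSecretField(attrs)) continue;
    const problems = [];
    if ((attrs.spellcheck || "").toLowerCase() !== "false") problems.push("spellcheck not disabled");
    if ((attrs.autocomplete || "").toLowerCase() !== "off") problems.push("autocomplete not off");
    if (problems.length) {
      findings.push({ tag: m[1].toLowerCase(), name: attrs.name || attrs.id || "?", problems });
    }
  }
  return findings;
}

// Constructed sample: one unhardened mnemonic box, one hardened, one non-secret field.
const SAMPLE_HTML = `
<form>
  <textarea name="mnemonic" rows="3"></textarea>
  <input type="password" name="wallet-password" spellcheck="false" autocomplete="off">
  <input type="text" name="label" value="Savings">
  <textarea id="recovery-phrase" spellcheck="false" autocomplete="off"></textarea>
</form>`;

console.log(findUnhardenedSecretInputs(SAMPLE_HTML));
```

Only the `mnemonic` textarea is reported; the hardened fields and the harmless label field pass.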

This was patched 3 days ago anyway, we’re told. “No one else had this issue since the release of desktops on 1.1.2019.”

We asked Warith Al Maawali, the security consultant who first made this claim, whether the alleged vulnerability had been disclosed to Coinomi before it was made public, but had not received a reply in time for publishing.

In a statement, Maawali says his “passphrase was compromised and $60K-$70K worth of crypto-currency was stolen because of Coinomi wallet and how the wallet handled my passphrase. I’m disclosing this issue publicly because Coinomi refused to take the responsibility and all my attempts through private channels have failed.”

Coinomi’s rep says they were contacted on 22.2.2019. “We tried until yesterday very politely to get a responsible disclosure from that user, and he refused,” we’re told.

This makes it quite unclear what exactly is going on here, but it appears Maawali had some funds stolen and, as a security researcher, presumably set out to find out why that happened.

Coinomi, on the other hand, appears not to be sure there was an actual theft: in discussions Maawali has published, a Coinomi rep refers to the “incident” in quotation marks.

There also appear to be some emotionally charged aspects; the sums are considerable, so anger is to be expected. But the moral of the story is that a wallet is what the name says.

In your physical wallet you probably keep maybe $100, or perhaps $200 at most. The rest is better kept in a hardware wallet or in cold storage, as any connection to the internet can lead to vulnerabilities and loss of funds.

Copyrights Trustnodes.com
