- Coinomi wallet sent the passwords of a user named Al Maawali to Google's Spellcheck, which led to attackers stealing roughly $70,000 worth of funds.
- Coinomi wallet developers failed to disable the ‘Google Spellcheck’ feature in the wallet’s UI code, thereby exposing users’ passwords via HTTP during the wallet setup process.
Note: Please find the latest update on this story at the bottom.
What's the issue - Coinomi wallet sends users’ passphrases to Google’s Spellchecker in plain text, thereby exposing users’ accounts and funds to man-in-the-middle (MitM) attacks. Attackers can use the exposed passwords to log in to users’ accounts and empty their funds.
Oman-based programmer Al Maawali stated that this issue has led to him losing 90% of his funds.
Al Maawali described that it all began on February 14, 2019, when he installed the Coinomi application. He observed after the installation that Coinomi’s setup file was digitally signed but the main application was not.
Maawali contacted Coinomi and notified them about the issue, which they acknowledged before uploading a new version with the main application signed. However, Maawali had already entered his Exodus wallet passphrase into Coinomi’s wallet.
Later, on February 22, 2019, Maawali noticed that more than 90% of his Exodus wallet funds were stolen and moved to multiple wallet addresses. He noted that the remaining 10% of funds were left because these assets were supported by Exodus wallet and not by Coinomi wallet.
“On 22nd February 2019, I noticed that more than 90% of my Exodus wallet assets were transferred to multiple wallet addresses and the first transaction began with BTC on 19th February 2019 around 3:30 am UTC. Then followed by ETH (including ERC20 tokens), LTC and finally BCH,” Maawali said.
The big picture
Maawali explained that when users set their passphrase during Coinomi wallet setup, the Coinomi app grabs the passphrase and sends it to Google’s Spellcheck API.
Coinomi wallet comes integrated with the Google Spellcheck feature. However, Coinomi wallet developers failed to disable this feature in the wallet’s UI code, thereby exposing users’ passwords via HTTP during the wallet setup process.
This allowed attackers to get hold of the exposed passphrase, gain access to Maawali’s account, and steal roughly $70,000 worth of funds.
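The field-level mistake described above, a free-text passphrase control whose spell-check was left on, is something a static check over the UI markup can catch before release. The following is an added example, not Coinomi's or jxBrowser's code; the HTML fragment, the list of secret-field keywords and the audit function are assumptions constructed for illustration.

```python
"""Flag passphrase/seed entry fields that still have browser spell-check enabled.

Added example (not Coinomi's code). An embedded browser spell-checks free-text
controls (<textarea>, <input type="text">) unless spellcheck="false" is set on the
element or inherited from an ancestor; input type="password" is never checked.
"""
from html.parser import HTMLParser

SECRET_HINTS = ("passphrase", "password", "seed", "mnemonic", "recovery")  # assumption
FREE_TEXT_INPUT_TYPES = {"text", "search", ""}   # input types that get spell-checked
VOID_TAGS = {"input", "br", "hr", "img", "meta", "link"}  # no closing tag, never pushed


class SpellcheckAudit(HTMLParser):
    """Walks the markup and tracks the inherited spellcheck state per open element."""

    def __init__(self):
        super().__init__()
        self.stack = []      # effective spellcheck value ("true"/"false") per open element
        self.findings = []   # secret fields that would be sent to the spell-check provider

    def _effective_spellcheck(self, attrs):
        value = attrs.get("spellcheck")
        if value is None or value.lower() == "default":
            return self.stack[-1] if self.stack else "true"  # browser default is on
        return "false" if value.lower() == "false" else "true"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        state = self._effective_spellcheck(attrs)
        input_type = (attrs.get("type") or "text").lower()
        is_free_text = tag == "textarea" or (tag == "input" and input_type in FREE_TEXT_INPUT_TYPES)
        if is_free_text:
            label = " ".join(filter(None, (attrs.get("name"), attrs.get("id"),
                                           attrs.get("autocomplete"), attrs.get("placeholder")))).lower()
            if any(hint in label for hint in SECRET_HINTS) and state != "false":
                self.findings.append(f"<{tag} name={attrs.get('name')!r}> spellcheck enabled")
        if tag not in VOID_TAGS:
            self.stack.append(state)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <input .../> must not pop an ancestor

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()


def audit_spellcheck(html):
    """Return one finding per secret field that is still spell-checked."""
    parser = SpellcheckAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run it over a wallet's restore and setup screens; every finding is a control whose contents would leave the machine through the spell-check integration.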
Maawali contacted the Coinomi team and notified them about the stolen funds. Coinomi did not bother to provide him with a proper response and completely ignored his concerns. They were only concerned about their reputation and kept enquiring about the technical issue behind the flaw. They further threatened Maawali not to disclose the issue publicly.
Latest update - Coinomi wallet developers confirmed that the Spellchecker feature was enabled for the desktop wallet. However, Coinomi wallet said the following in an official statement:
- The passphrase wasn’t being transmitted in plain text, instead, it was being encapsulated inside an HTTPS request with Google being the sole recipient.
- The passphrase wasn't being transmitted unless users chose to restore their desktop wallets.
- The spell-check requests that were sent over to Google API were not processed, cached or stored as the requests were flagged as ‘Bad Request’ and weren’t processed further by Google.
According to Coinomi, Al Maawali refused to disclose his findings to the Coinomi team and kept threatening to publicly disclose the incident unless they paid 17 bitcoin for the stolen funds. However, Coinomi claims that the funds couldn't have been stolen because of Coinomi for the following reasons:
- Coinomi developers never had access to these passphrases or funds.
- Only Google could read the contents of the encrypted packets that contained the passphrases.
- Google rejected the spell-check requests and did not process them, as the requests did not contain a valid Google API key.
“Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only,” Coinomi said in an official statement.
“That plugin enabled the spell-check functionality by default in a recent update and was fixed by the jxBrowser plug-in team just 6 days ago — which is the same day we were contacted by Warith Al Maawali,” Coinomi added.