Coinomi, a multi-asset cryptocurrency wallet, has recently been embroiled in controversy after a Twitter user claimed it was sending its users’ seed phrases in plain text to third-party servers belonging to Google. In its response, Coinomi addressed both the controversy and the vulnerability.
As CryptoGlobe covered, Twitter user Warith Al Maawali claimed through a website that his Coinomi passphrase was compromised, and that as a result he lost “$60k-$70k worth of crypto-currency.”
Digging deeper, Maawali found that Coinomi was sending users’ seed phrases as non-encrypted plain text to a Google-owned domain through a spell-check function. As a result, he claimed, someone who was able to see the seed phrase – potentially someone at Google – stole his funds.
SECURITY VULNERABILITY @CoinomiWallet sends your plain text seed phrase to Google's remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
Credit goes to @warith2020 for finding the issue, read more from him here: https://t.co/tCZ0hDPyJ3 pic.twitter.com/hdaPOb84A9
— Luke Childs (@lukechilds) February 27, 2019
Maawali claimed that after he reached out to Coinomi, the firm “kept reminding him” of the “legal implications” of disclosing the vulnerability, and added it “did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation.”
Coinomi Responds
Through a Medium post, the multi-asset crypto wallet claimed that while the seed phrases were being spell checked, the spell check requests “returned an error (code: 400) as they were flagged as ‘Bad Request’ and weren’t processed further by Google.”
According to the firm, the bug came from a “bad configuration option in a plug-in used in Desktop wallets only,” and as such users of its Desktop wallets should update to the latest version as soon as possible, while those using its Android and iOS wallets reportedly have to do nothing to remain secure.
The post further questions the validity of Maawali’s claim that the security bug led to the theft of over $60,000 worth of crypto, as according to Coinomi the wallet couldn’t have been hacked through the vulnerability:
Coinomi Team never had access to these seed phrases or funds. No one else except for Google could read the contents of the encrypted packets that contained the seed phrases. Google rejected these requests … as they were badly formed (didn't contain a valid Google API key) and never actually processed them.
The crypto wallet provider further released the full dialogue it had with Maawali before the incident became public. In it, we can see the Twitter user asked the firm for a refund on the stolen funds, asking it to be considered a “bug bounty reward.”
If it didn’t, Maawali noted he would have no choice but to report the incident on social media. After Coinomi requested a video call to conduct a know-your-customer check and presumably investigate the incident, Maawali replied he was soon going live with the incident so he could “let the authorities and the public” deal with Coinomi.
After seeing another request for his “funds back 65k-70k or 17 BTC in value,” Coinomi took to Twitter to declare it doesn’t “negotiate with blackmailers.”
Let the message be clear, we do not negotiate with blackmailers.
Here is the full Helpdesk correspondence with @warith2020 (a blackmail gone wrong):
— coinomi (@CoinomiWallet) February 27, 2019
On social media, onlookers have now been criticizing both sides. Some questioned whether Maawali’s claims are genuine, as it wouldn’t make sense to refuse a KYC check to restore what he claimed to be his life savings, nor would it make sense for someone to store his life savings in a hot wallet, instead of a hardware one.
As for Coinomi, some users have noted its approach to the situation wasn’t the best one, and claimed the firm wasn’t able to properly handle the situation. While in some statements Coinomi claimed a firm it works with concluded the funds didn’t appear to have been hacked, in other statements it points out Maawali’s computer could’ve been compromised before he entered his seed phrase.