Slashdot Mirror


Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com)

An anonymous reader shares a report: Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.

75 comments

  1. Could this be a case of... by Anonymous Coward · · Score: 0

    ... copying and pasting from StackOverflow?

    1. Re:Could this be a case of... by Anonymous Coward · · Score: 0

      In Soviet Russia, StackOverflow copy/paste YOU!

  2. I'll get the spit set up. by Anonymous Coward · · Score: 0

    Why would a password be sent to a spellcheck service? Better question, is it even at all possible this was done as a 100% incompetent mistake, or is it too far out of the way for that? Where are the developers who wrote it?

    A hot fire is in order.

    1. Re:I'll get the spit set up. by PPH · · Score: 2

      Why would a password be sent to a spellcheck service?

      Because you keep misspelling A#1b0Q^xK2-

      --
      Have gnu, will travel.
    2. Re:I'll get the spit set up. by nukenerd · · Score: 1

      My password passed the spell check because it's "password", so who's laughing now? If only you people would stick to plain English passwords and spelled them correctly there wouldn't be a problem.

    3. Re:I'll get the spit set up. by MrLogic17 · · Score: 1

      If it's a BIP39 seed, it's a list of 12 randomly chosen, common words. A typo in the spelling of any of those words means it's not a valid seed-word. I can see someone thinking that checking the spelling of a word isn't a security issue, but do it 12 times in a row, and you've leaked the root key for a BTC HD wallet.

      Just plain dumb.

    4. Re:I'll get the spit set up. by DickBreath · · Score: 1

      The real crime here is that they don't send the password also to a grammar checking service.

      --

      I'll see your senator, and I'll raise you two judges.
    5. Re:I'll get the spit set up. by martinX · · Score: 1

      Shut up, man, that's my password too. Stop telling everyone.

      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    6. Re:I'll get the spit set up. by Anonymous Coward · · Score: 0

      Hey, that's the combination for my luggage!

  3. The Important part missing from TF Summary by itsme1234 · · Score: 3, Informative

    "The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"

    'nuf said. Surely there are more wrong things wrong with that...

    1. Re:The Important part missing from TF Summary by cascadingstylesheet · · Score: 4, Insightful

      "The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"

      'nuf said. Surely there are more wrong things wrong with that...

      Collecting passwords in a browser form field is fairly common, and not wrong.

      Spellchecking passwords? With a third party service? Sending in cleartext? Yeah, that's screwy ...

    2. Re:The Important part missing from TF Summary by itsme1234 · · Score: 1

      Collecting passwords in a browser form field is fairly common, and not wrong.

      This is not "a browser" ... or at least SHOULD NOT be, it is an app that would in principle exist in the very same form (at least from what I can see in the demos) even if the web was never invented. However it is/it does come with its own browser (like many other things nowadays!) - heck it's bigger than my first HARD DRIVE!

    3. Re:The Important part missing from TF Summary by cascadingstylesheet · · Score: 1

      Collecting passwords in a browser form field is fairly common, and not wrong.

      This is not "a browser" ... or at least SHOULD NOT be, it is an app that would in principle exist in the very same form (at least from what I can see in the demos) even if the web was never invented. However it is/it does come with its own browser (like many other things nowadays!) - heck it's bigger than my first HARD DRIVE!

      Plenty of apps use HTML/CSS/JS as the UI.

      That's not what's wrong with it, security-wise.

    4. Re:The Important part missing from TF Summary by Bongo · · Score: 1

      Oops, looks like I misspelt xg3/qqKsB-2zl

    5. Re:The Important part missing from TF Summary by Anonymous Coward · · Score: 0

      Just kids using Electron for their app probably. Electron apps each spin their own browser, imagine having multiple chromium based apps running on your phone at the same time each with their own version of chrome running!

    6. Re:The Important part missing from TF Summary by AmiMoJo · · Score: 0

      It is screwy, and I know it's a minor thing, but can we be a bit more careful with the headlines?

      "Caught" implies they were doing it deliberately and trying to conceal the fact. This doesn't seem deliberate, just incompetent.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:The Important part missing from TF Summary by radarskiy · · Score: 2

      "This doesn't seem deliberate, just incompetent."

      Sufficiently advanced incompetence is indistinguishable from malice.

    8. Re:The Important part missing from TF Summary by Anonymous Coward · · Score: 0

      You're using a lower case / when it should be upper case.

    9. Re:The Important part missing from TF Summary by Shikaku · · Score: 1

      It is technically a browser. https://electronjs.org/ This setup and environment uses a headless Chromium to basically be the application. One of the biggest projects that use this is Discord; it doesn't say Coinomi is in here https://electronjs.org/apps or Coinomi's webpage but it's possible. And considering Chrom(e)ium checks spelling on textfields this may have been unintentional since the browser has this feature but was accidentally trying to check the password field.
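Added example (not part of the thread and not Coinomi's code): a small Node.js audit for the failure mode described in the comment above, where an embedded Chromium UI spellchecks a free-text field that holds a passphrase. It flags editable elements whose attributes suggest a secret and that lack an explicit `spellcheck="false"`; the hint regex, the function names and the sample markup are assumptions constructed for illustration.

```javascript
// Hypothetical heuristic (an assumption of this example): attribute text that
// suggests the field holds a secret.
const SECRET_HINT = /pass(?:word|phrase)|seed|mnemonic|recovery|private[-_ ]?key/i;

// Input types rendered as free text. Browsers do not spellcheck
// type="password" inputs, so those are not flagged here.
const FREE_TEXT_TYPES = new Set(["", "text", "search"]);

// Parse the attribute text of one start tag into a lowercase-keyed map.
function parseAttributes(attrText) {
  const attrs = Object.create(null);
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// True for elements the embedded browser treats as user-editable text.
function isEditable(tag, attrs) {
  if (tag === "textarea") return true;
  if (tag === "input") return FREE_TEXT_TYPES.has((attrs.type || "").toLowerCase());
  return "contenteditable" in attrs && attrs.contenteditable.toLowerCase() !== "false";
}

function looksSecret(attrs) {
  return ["id", "name", "placeholder", "aria-label", "class"]
    .some((key) => SECRET_HINT.test(attrs[key] || ""));
}

// Return one finding per secret-looking editable element that does not opt
// out of spellchecking on the element itself. The scan is regex-based, so it
// does not follow a spellcheck attribute inherited from an ancestor and it
// assumes attribute values contain no ">"; it is deliberately stricter than
// the browser and demands the opt-out on the field.
function auditMarkup(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    if (!isEditable(tag, attrs) || !looksSecret(attrs)) continue;
    if ((attrs.spellcheck || "").toLowerCase() === "false") continue;
    findings.push({
      tag,
      field: attrs.id || attrs.name || "(unnamed)",
      line: html.slice(0, m.index).split("\n").length,
    });
  }
  return findings;
}

// Constructed sample: a wallet "restore" form as an HTML/JS UI might ship it.
const SAMPLE_BEFORE = `
<form id="restore">
  <label for="seed">Recovery phrase</label>
  <textarea id="seed" name="seedPhrase" rows="3"></textarea>
  <input type="text" name="walletLabel">
  <input type="password" id="password">
  <div contenteditable class="mnemonic-editor"></div>
</form>`;

// The same form with the opt-out set on each secret-bearing field.
const SAMPLE_AFTER = `
<form id="restore">
  <label for="seed">Recovery phrase</label>
  <textarea id="seed" name="seedPhrase" rows="3" spellcheck="false"></textarea>
  <input type="text" name="walletLabel">
  <input type="password" id="password">
  <div contenteditable spellcheck="false" class="mnemonic-editor"></div>
</form>`;

for (const f of auditMarkup(SAMPLE_BEFORE)) {
  console.log(`line ${f.line}: <${f.tag}> "${f.field}" is editable and spellcheck is not disabled`);
}
console.log(`findings after fix: ${auditMarkup(SAMPLE_AFTER).length}`);
```

Run over a project's UI templates in CI, a check like this also catches the case where a field is later switched from `type="password"` to visible text.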

    10. Re:The Important part missing from TF Summary by Anonymous Coward · · Score: 0

      They have screwed it up in 2017 and handled it in a very unprofessional way:

      https://imnotdead.co.uk/blog/coinomi

  4. Pssword123 by Oswald+McWeany · · Score: 4, Funny

    Psword123

    Did you mean "Password123"

    --
    "That's the way to do it" - Punch
    1. Re:Pssword123 by Anonymous Coward · · Score: 0

      You're supposed to use special characters in passwords, so I tried with some asterisks:

      *******

      Did you mean "hunter2"

  5. I don't believe it by mattyj · · Score: 5, Funny

    A system of made-up currency run by any number of idiots in their virtual garages is shady? What? How could this possibly be?

  6. Passphrase alone not enough to steal funds. by Edward+Nardella · · Score: 1

    For coinomi, to make use of the passphrase, an attacker needs access to the phone.

    --
    My sig doesn't address Anons, sigs aren't visible to them.
    1. Re:Passphrase alone not enough to steal funds. by Anonymous Coward · · Score: 0

      That's apparently false, they allow non-2fa wallets.

    2. Re: Passphrase alone not enough to steal funds. by Edward+Nardella · · Score: 1

      It is true that they allow that, however, the keys are stored on the user's device. Coinomi is not a cloud wallet.

      --
      My sig doesn't address Anons, sigs aren't visible to them.
  7. Google's spellchecker is pure evil by Anonymous Coward · · Score: 0

    My roommate sniffed my troll shitposts on 4chan. Even though I always used https, Google spellchecker in Chrome didn't.

    1. Re:Google's spellchecker is pure evil by Anonymous Coward · · Score: 0

      Your girlfriend says she is getting real pissed off about your lack of commitment and how you keep calling her your roommate.

  8. All currency is "made-up" by Edward+Nardella · · Score: 0

    While there is some validity to your point, the use of "made-up" in this context detracts from your credibility; all currency is "made-up". Next time use qualifiers that make what you're talking about distinct. Like saying that the currency is not backed by a nation.

    --
    My sig doesn't address Anons, sigs aren't visible to them.
    1. Re:All currency is "made-up" by Anonymous Coward · · Score: 0

      Thanks for keeping the buttcoin record straight!

    2. Re:All currency is "made-up" by Calydor · · Score: 3, Insightful

      Real-world currencies were originally backed by gold reserves and evolved from there.

      Cryptocurrencies were originally backed by geeks going, "It'll be the next big thing!" and haven't evolved yet.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re: All currency is "made-up" by Edward+Nardella · · Score: 1

      None of that is relevant to what has been said so far.

      --
      My sig doesn't address Anons, sigs aren't visible to them.
    4. Re:All currency is "made-up" by Bryansix · · Score: 1

      Actually, it's backed by a lot of very complex math but go on.

    5. Re:All currency is "made-up" by Calydor · · Score: 1

      What is the value of the math itself as opposed to the value of the gold represented by real-world currency?

      At its very core, the ENTIRE concept of crypto-currency boils down to saying, "It would be pretty cool if we could make this work." And yes, it would. But that alone doesn't give it intrinsic value, and it doesn't give it the critical mass it requires to be considered a true currency on a level with the dollar, euro, yen, hell even the bolivar is more of a real currency - although for how long is debatable, true.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    6. Re:All currency is "made-up" by jythie · · Score: 1

      Going back further, gold as currency was also made up and took a leap of faith.... well, less a 'leap of faith' and more 'government will only accept taxes in gold and will only pay bills in the same'.

    7. Re:All currency is "made-up" by jythie · · Score: 1

      That is less 'backed' and more 'implemented by'.

    8. Re:All currency is "made-up" by Anonymous Coward · · Score: 0

      Real-world currencies were originally backed by gold reserves and evolved from there.

      Thank you for the laugh! Your absolute lack of understanding of the history of money was the best laugh I've had all month.
      Please cite somewhere reputable that currency was EVER backed by gold reserves for more than a handful of years before collapsing in a pile of scandal and runaway inflation. I've been looking for a new humor site for a while now.

  9. a bright new business opportunity! by Anonymous Coward · · Score: 1

    Anonymous Coward's password strength verifier!

    Here's an example of how it works:
    you : hey is this password strong?
    ACpsv : and you are?
    you : Joe Bloggs
    ACpsv : what site is this for?
    you : Fidelity.com
    ACpsv: yeah, sure, it's good.

  10. You cannot print your own money!!! by Anonymous Coward · · Score: 0

    You cannot print your own money but you can issue your own cryptocurrency!!!
    You cannot print your own stocks but you can issue your own cryptocurrency!!!

    All kinds of cryptocurrencies need to be banned globally!!!

  11. READ BETTER - it is not sent in plaintext by Anonymous Coward · · Score: 2, Informative

    Coinomi has responded to the allegations in this post on Medium which states the spell checking functionality was enabled for desktop wallets but that the seed phrase wasn’t sent as plain text, it was “encapsulated inside a HTTPS request with Google being the sole recipient.” It added that Google did not process, cache or store the requests. The issue was fixed six days ago.

    A report by security consultant Warith Al Maawali claims he lost $60,000 to $70,000 while using the Coinomi wallet. He argues that Coinomi’s built-in spell checker automatically checked his seed phrase which involved sending it as plain text to a Google-owned website. This meant it could have been intercepted, leading to the loss of funds. There have been other similar claims on Reddit. While it’s difficult to verify if these claims are true, it does highlight a bigger vulnerability: seed phrases and the dangers of entering them on computers connected to the internet.

    Al Maawali told Decrypt he used his Ethereum seed phrase in the Coinomi wallet to access Ethereum-based tokens that he owned but were not supported by the Exodus crypto wallet which he was already using. He said everything worked okay at first as the tokens showed up but then a few days later, the wallet was emptied.

    Due to this, he did some research and found what he believes is a critical vulnerability within the Coinomi wallet. At the point where you enter your seed phrase, it is processed through a spell checker. This means the whole seed phrase is sent to a Google-owned website. He has uploaded a video for anyone to replicate the process and see that the vulnerability exists.

    Programmer Martin Habovtiak confirmed on Twitter that the vulnerability is real but argued that there might be a more nefarious reason for the loss. Habovtiak believes it was more likely the money was stolen via malware, or Maawali sent the coins to another account he owns to make it look like they were stolen and is trying to double his money.

    However there have been other reports of funds disappearing on the Coinomi wallet—which isn’t uncommon for any software wallet. There are two posts on Reddit by users who claim their funds have disappeared from the Coinomi wallet. Although neither specify that they imported their seed phrase into the wallet.

    Al Maawali also provides screenshots of a conversation he claims to have had with Coinomi support in which they appear to accept the vulnerability exists but deny that it was responsible for the loss of funds. This conversation has not been independently verified.

    This issue flicks at other issues facing Coinomi. Luke Childs, a developer of open-source software accused the app of lacking necessary encryption measures when sending user information. A blog post by Jonathan Sterling, co-founder of Coin Flow, goes into more detail on the issues, providing screenshots of tweets allegedly from Coinomi dismissing the claims.

    While there is evidence that the exploit is real, it is much harder to verify that it was the reason the funds were stolen. There are many other possibilities of how the money was taken including malware or vulnerabilities in other crypto wallets—if it was even stolen. But this vulnerability proves that crypto wallet providers need to think outside the box when it comes to security, but not too much.

    [This article has been updated with the response from Coinomi.]

    https://decryptmedia.com/5414/alleged-coinomi-exploit-concern

    1. Re:READ BETTER - it is not sent in plaintext by Luthair · · Score: 1

      Even after sent to Google, you'd need a MITM who somehow knew that to look at the contents of translate and know that it was for Ethereum. Seems pretty far-fetched.

    2. Re:READ BETTER - it is not sent in plaintext by Anonymous Coward · · Score: 0

      That's exactly why the security researcher is correct that the more likely scenario is some type of malware or other situation.

  12. Intended purpose? by Anonymous Coward · · Score: 0

    I'm sure it probably sent it in plain text to the spellchecker to make sure you weren't using a "common" password that could be susceptible to a Dictionary Attack, you know, for security.

  13. krypto kurrency by Anonymous Coward · · Score: 0

    ahahaha krypto kurrency is for suckers.

  14. What a Bunch of Idiots! by organgtool · · Score: 1

    Everyone knows that you need to send the password over SSL to your own back-end service first before you send it to Google Spellcheck in clear text!

  15. Is the issue that the spell checker is not SSL? by Anonymous Coward · · Score: 0

    I thought Google was encrypting everything? Wondering which man in the middle attack he was hit with..

  16. What idiot thought up spellchecking passwords? by Anonymous Coward · · Score: 0

    Yes, what programmer is out there that would dream up such a scheme? I'm sure some lamers out there are gonna scream "password strength" checker. I call BULLSHIT on that. They could have made it slightly worse by also sending it to Facebook--just to see if it was their login there, of course.

  17. Hosts files to the rescue YET again... apk by Anonymous Coward · · Score: 0

    0.0.0.0 redirector.gvt1.com
    0.0.0.0 gvt1.com
    0.0.0.0 googleapis.com

    * SOURCE https://www.avoid-coinomi.com/

    (Accept NO "Bolt-on-'MoAr'" ILLOGIC-LOGIC inferior substitutes that DO LESS & USE MORE + are LOADED w/ security issues (DNS/Antivirus) OR are 'souled-out' to advertisers (adblock) OR BEING KILLED BY Google (UBlock & other adblocking addons) https://www.bleepingcomputer.c... - As is, addons = easily detected & blocked by webmasters...)

    APK

    P.S.=> For the best hosts file multiplatform:

    APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)

    APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)

    Soon for MacOS (I just got a NEW Mac-Mini to port it there)... apk

  18. BUT WHY CHECK THE SPELLING?????? by Anonymous Coward · · Score: 0

    You're all missing the point.

    In all the arguments about the seed/passphrase being sent to Google in plaintext or it was encapsulated in a HTTPS package, or Google does or doesn't log the passphrase, or that client-side Javascript is involved -- why is a spell checker even part of the process?

    If the spellcheck declares there is no misspelling does that indicate a dictionary word is being used and it should NOT be used as a passphrase? Is this why?

    1. Re:BUT WHY CHECK THE SPELLING?????? by Anonymous Coward · · Score: 0

      Pass phrases are usually real words, so I'm guessing it's checking that every one is spelt correctly. You may have intended "correct battery horse staple" but by accident entered "correct bsttery horse staple" and never be able to get into your account.

  19. this can happen post-hoc too by goombah99 · · Score: 5, Informative

    Example, you use a simple Java Swing text box to input some data. Then a new revision of Java comes out and boom the text box gets new capabilities such as auto-fill or spell check.

    This exact scenario happened in one particular touch screen voting system in which the Windows CE form boxes would remember the previous use of the form and fill it in. Unfortunately it was filling it in with the previous voter's vote!
    But it wasn't that the software designer overlooked this. When the software was written it did not do this. But after an update of the Windows CE it did.

    Even changing things seemingly innocuous like font definition files can introduce unanticipated changes post hoc.

    This is true of anything that uses either late binding, or an OS API.

    But you would be crazy to not use safe and validated things to be a window manager. Rolling your own would likely introduce even more prospects for security hazards.

    There isn't an easy answer.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re: this can happen post-hoc too by Anonymous Coward · · Score: 1

      I don't have mod points but your scenario is enlightening and I'd never considered it before thank you.

    2. Re:this can happen post-hoc too by Anonymous Coward · · Score: 1

      But it wasn't that the software designer overlooked this. When the software is written it did not do this. But after an update of the Windows CE it did.

      The designer used fucking Windows for a voting machine. That's like saying a designer who made a bridge out of toilet paper didn't overlook anything because during construction it wasn't raining.

    3. Re:this can happen post-hoc too by jythie · · Score: 1

      The thing that floors me in that story.. I used to work for a company that made touch screen based gaming systems, so something not nearly as important as voting machines.. and we were VERY meticulous about OS and library patches. An OS update like that should not be able to sneak up and have such an effect.

    4. Re:this can happen post-hoc too by 140Mandak262Jamuna · · Score: 1

      Heard the term "Good enough for government work!" ?

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    5. Re: this can happen post-hoc too by c6gunner · · Score: 1

      It's not just good, it's good enough!

    6. Re:this can happen post-hoc too by goombah99 · · Score: 1

      I can't tell you why they were sloppy but I can tell you a few things that might contribute.
      First, voting systems have some rules they follow. It varies from state to state but typically you are not allowed to alter any code in these things within a certain number of months of the election. This has led, more than once, to situations where a known bug (e.g. overflows of vote counts, or vulnerabilities) exists in the code but they cannot legally patch it. For systems used in federal elections they are/were supposed to get the blessing of the federal election assistance commission, which mandates code quality reviews (these are a total joke as they look at programming styles not logic) and that adds more time. In fact vendors in two states were caught fixing bugs prior to elections and they knew they were not supposed to. The problem is what do you do if the bug is really really awful? That's why the vendors risked getting caught. One assumes this happens a lot and they don't get caught too.

      Second, voting machines don't make a lot of money compared to gaming. So there's a lot of corner cutting. More importantly, it's also a race to market. After states buy a brand of machine they are not going to switch to your brand for a decade. So late to market is death. Better to run with a crappy system. That's also presumably why these things have been built on things like Windows CE and Windows Access databases and commodity OEM computing platforms inside. Quicker to market. Security last.

      Thus you can see even if they did catch the problem they were hosed about getting it fixed promptly.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  20. Architectural choices by Anonymous Coward · · Score: 0

    There should be a term or phrase where people should consider all architectural choices as a title on slashdot before proceeding... "company X connects logins through clear text 1990's WAP phone"...

  21. Any idiot can do it ... by Anonymous Coward · · Score: 0

    My problem with apps is we seem to have this "any moron can do it" kind of attitude with software, where we end up with idiots and morons building software they aren't qualified to make.

    Me, I would say any cryptocurrency app pretty much has to be treated like it was rushed to market by idiots who don't know or care about security, they just want to get in the game. The other side of that coin is pretty much any mobile app has to be treated like it was rushed to market by idiots who don't know or care about security, they just want to get in the game.

    I would say the people who built this are complete fucking morons, con men, or both.

    Sadly, I would say people playing in an unregulated banking industry, trusting idiots and morons to safeguard their money without recourse ... these people are fucking idiots who deserve what they get.

    This isn't a bank, this isn't a financial institution, this is some random moron with an app offering to hold onto your money for you. Fuck man, you might as well have a homeless guy do it, he's just as qualified.

    People, you have no legal protections or assurances, why are you letting random assholes and idiots hold your money for you? If you don't know cryptocurrency is a completely unregulated financial market, you probably have no business being in the game.

    Me, I'm long past any sympathy for this shit ... it's self inflicted stupidity caused by you thinking you're going to get rich, and placing trust where you really have no basis to do so.

    You might as well leave a bag of money on your front porch.

  22. Re:Hosts files to the rescue YET again... apk by Anonymous Coward · · Score: 0

    A day late and an APKoin short as always shit stick.

  23. Re: Hosts files to the rescue YET again... apk by Anonymous Coward · · Score: 0

    Firefox and Chrome both ignore OS DNS resolution, retard. Firefox has done it since version 64, and uses Cloudflare.

  24. Easily gotten around... apk by Anonymous Coward · · Score: 0

    network.dnsCacheEntries 0
    network.trr.mode to 5 (SHUTS IT OFF)

    * For FireFox about:config entries to turn that "advertising machine" BS right the F off - & JEWgle's CHROME? Stay AWAY from it, period!

    APK

    P.S.=> So much for YOUR bs chump - I've always got a way around JEW advertiser bullshit - especially STUPIDLY subverting native OS & IP stack function (so they can infect/track/SLOW you via their crap)... apk

  25. Always EFFECTIVE vs. threats is more like it! by Anonymous Coward · · Score: 0
    1. Re:Always EFFECTIVE vs. threats is more like it! by Anonymous Coward · · Score: 0

      How nice of APK to publish a list of all the recent times that his work failed to prevent some threat. By the time he made those posts other more effective software had already dealt with it and that software didn't require any user intervention further showing how ineffective all of his efforts are. He even admits that it has failed even more times in the past.

    2. Re:Always EFFECTIVE vs. threats is more like it! by Anonymous Coward · · Score: 0

      Looks effective and natively. What other software is that? DNS or antivirus loaded with security problems or addons that don't work anymore like UBlock or Adblock? Apk does it not adding on more that adds more problems and resource usage.

  26. Re: Hosts files to the rescue YET again... apk by Anonymous Coward · · Score: 0

    So Mozilla and Google made us vulnerable to these threats. What apk does is protect us against them dumbass!

  27. Re: Hosts files to the rescue YET again... apk by Anonymous Coward · · Score: 0

    What apk does is protect us against them dumbass!

    No, what you, APK, do is refer to yourself in the 3rd person and reply to yourself to make it look like someone supports you. Then there are your antisemitic screeds that you post. In reality none of APK's actions make you look sane or smart.

  29. obligatory XKCD https://xkcd.com/1700/ by Anonymous Coward · · Score: 0

    Ranks up there with https://xkcd.com/1700/ doesn't it...

  30. Official response by Anonymous Coward · · Score: 0

    Coinomi's official response: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

    More than likely Al Maawali was trying to scam them..

  31. Re: Hosts files to the rescue YET again... apk by Anonymous Coward · · Score: 0

    You stalk him constantly using unidentifiable anonymous posts. You have gall to say what you did.

  32. LEARN TO READ moron... apk by Anonymous Coward · · Score: 0

    It's a PARTIAL LIST because /. omitted reports where hosts work vs. threats etc. & /. didn't report tons of others from security sites.

    I caught them & added the known bad sites to hosts to block MYSELF idiot!

    APK

    P.S.=> LEARN TO READ! apk