Slashdot Mirror


Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com)

An anonymous reader shares a report: Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.

3 of 75 comments

  1. The Important part missing from TF Summary by itsme1234 · · Score: 3, Informative

    "The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"

    'nuf said. Surely there are more things wrong with that...

  2. READ BETTER - it is not sent in plaintext by Anonymous Coward · · Score: 2, Informative

    Coinomi has responded to the allegations in this post on Medium which states the spell checking functionality was enabled for desktop wallets but that the seed phrase wasn’t sent as plain text, it was “encapsulated inside a HTTPS request with Google being the sole recipient.” It added that Google did not process, cache or store the requests. The issue was fixed six days ago.

    A report by security consultant Warith Al Maawali claims he lost $60,000 to $70,000 while using the Coinomi wallet. He argues that Coinomi’s built-in spell checker automatically checked his seed phrase which involved sending it as plain text to a Google-owned website. This meant it could have been intercepted, leading to the loss of funds. There have been other similar claims on Reddit. While it’s difficult to verify if these claims are true, it does highlight a bigger vulnerability: seed phrases and the dangers of entering them on computers connected to the internet.

    Al Maawali told Decrypt he used his Ethereum seed phrase in the Coinomi wallet to access Ethereum-based tokens that he owned but were not supported by the Exodus crypto wallet which he was already using. He said everything worked okay at first as the tokens showed up but then a few days later, the wallet was emptied.

    Due to this, he did some research and found what he believes is a critical vulnerability within the Coinomi wallet. At the point where you enter your seed phrase, it is processed through a spell checker. This means the whole seed phrase is sent to a Google-owned website. He has uploaded a video for anyone to replicate the process and see that the vulnerability exists.

    Programmer Martin Habovštiak confirmed on Twitter that the vulnerability is real but argued that there might be a more nefarious reason for the loss. Habovštiak believes it was more likely the money was stolen via malware, or Maawali sent the coins to another account he owns to make it look like they were stolen and is trying to double his money.

    However, there have been other reports of funds disappearing on the Coinomi wallet—which isn’t uncommon for any software wallet. There are two posts on Reddit by users who claim their funds have disappeared from the Coinomi wallet, although neither specifies that they imported their seed phrase into the wallet.

    Al Maawali also provides screenshots of a conversation he claims to have had with Coinomi support in which they appear to accept the vulnerability exists but deny that it was responsible for the loss of funds. This conversation has not been independently verified.

    This issue flicks at other issues facing Coinomi. Luke Childs, a developer of open-source software, accused the app of lacking necessary encryption measures when sending user information. A blog post by Jonathan Sterling, co-founder of Coin Flow, goes into more detail on the issues, providing screenshots of tweets allegedly from Coinomi dismissing the claims.

    While there is evidence that the exploit is real, it is much harder to verify that it was the reason the funds were stolen. There are many other possibilities of how the money was taken including malware or vulnerabilities in other crypto wallets—if it was even stolen. But this vulnerability proves that crypto wallet providers need to think outside the box when it comes to security, but not too much.

    [This article has been updated with the response from Coinomi.]

    https://decryptmedia.com/5414/alleged-coinomi-exploit-concern

  3. this can happen post-hoc too by goombah99 · · Score: 5, Informative

    Example: you use a simple Java Swing text box to input some data. Then a new revision of Java comes out and boom, the text box gets new capabilities such as auto-fill or spell check.

    This exact scenario happened in one particular touch screen voting system in which the Windows CE form boxes would remember the previous use of the form and fill it in. Unfortunately it was filling it in with the previous voter's vote!
    But it wasn't that the software designer overlooked this. When the software was written it did not do this. But after an update of Windows CE it did.

    Even changing seemingly innocuous things like font definition files can introduce unanticipated changes post hoc.

    This is true of anything that uses either late binding, or an OS API.

    But you would be crazy to not use safe and validated things to be a window manager. Rolling your own would likely introduce even more prospects for security hazards.

    There isn't an easy answer.

    --
    Some drink at the fountain of knowledge. Others just gargle.
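Comment 1 points out that the wallet UI is HTML/JavaScript rendered in an embedded Chromium, and comment 3 notes that platform updates can switch on conveniences like spell check after the fact. The defensive consequence of both is the same: secret-bearing fields should opt out of browser features explicitly, and that opt-out should be checked automatically so an upgrade cannot silently undo it. The JavaScript below is an added example, not code from Slashdot, from any commenter, or from Coinomi. It lints an HTML fragment for seed-phrase style fields and flags any that do not carry the standard `spellcheck="false"` and `autocomplete="off"` attributes; the field-name heuristic and the two sample forms are constructed for the example.

```javascript
// Added example (not Slashdot, commenter, or Coinomi code): a lint that scans an
// HTML fragment for fields likely to hold a seed phrase or passphrase and reports
// those that leave browser spellcheck or autocomplete enabled. The attribute names
// are standard HTML; the name heuristic and sample forms are constructed here.

// Heuristic (assumption): names or ids that suggest a wallet secret.
const SENSITIVE_NAME = /seed|mnemonic|passphrase|password|recovery/i;

// Parse the attribute list of one opening tag into a lowercase-keyed object.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([A-Za-z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    let value = '';
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one finding per secret-bearing field that is missing an opt-out.
function auditSensitiveInputs(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    const field = attrs.name || attrs.id || '(unnamed)';
    // Masked type="password" inputs are not spellchecked by browsers; this lint
    // is about free-text fields such as a seed phrase textarea.
    const isPasswordInput = tag === 'input' && (attrs.type || '').toLowerCase() === 'password';
    if (isPasswordInput || !SENSITIVE_NAME.test(field)) continue;
    const problems = [];
    if ((attrs.spellcheck || '').toLowerCase() !== 'false') {
      problems.push('spellcheck not disabled');
    }
    if ((attrs.autocomplete || '').toLowerCase() !== 'off') {
      problems.push('autocomplete not disabled');
    }
    if (problems.length > 0) findings.push({ tag, field, problems });
  }
  return findings;
}

// Constructed sample: a wallet setup form with a plain textarea for the seed phrase.
const VULNERABLE_FORM = `
<form>
  <label for="seedPhrase">Recovery seed phrase</label>
  <textarea id="seedPhrase" rows="3"></textarea>
  <input type="text" name="walletName">
  <input type="password" name="walletPassword">
</form>`;

// The same form with the opt-outs a regression test should require.
const HARDENED_FORM = VULNERABLE_FORM.replace(
  '<textarea id="seedPhrase" rows="3">',
  '<textarea id="seedPhrase" rows="3" spellcheck="false" autocomplete="off" autocapitalize="off">'
);

// Regression-style check to rerun after every platform or framework upgrade.
function hardenedFormIsClean() {
  return auditSensitiveInputs(HARDENED_FORM).length === 0;
}

console.log(auditSensitiveInputs(VULNERABLE_FORM));
console.log('hardened form clean:', hardenedFormIsClean());
```

Running the lint over the vulnerable form reports the `seedPhrase` textarea with both problems and nothing else; the hardened form is clean. Wiring `hardenedFormIsClean()` (or the audit over the real templates) into CI is what turns comment 3's "post-hoc" worry into a failing build rather than a silent leak.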