Slashdot Mirror


Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com)

An anonymous reader shares a report: Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), the Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.


  1. this can happen post-hoc too by goombah99 · Score: 5, Informative

    For example, you use a simple Java Swing text box to input some data. Then a new revision of Java comes out and boom, the text box gets new capabilities such as auto-fill or spell check.

    This exact scenario happened in one particular touch screen voting system in which the Windows CE form boxes would remember the previous use of the form and fill it in. Unfortunately it was filling it in with the previous voter's vote!
    But it wasn't that the software designer overlooked this. When the software was written it did not do this. But after an update of Windows CE it did.

    Even changing seemingly innocuous things like font definition files can introduce unanticipated changes post hoc.

    This is true of anything that uses either late binding, or an OS API.

    But you would be crazy not to use safe and validated things as a window manager. Rolling your own would likely introduce even more prospects for security hazards.

    There isn't an easy answer.

    --
    Some drink at the fountain of knowledge. Others just gargle.
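Added example, not code from Coinomi, ZDNet or the commenter: a small JavaScript audit that flags passphrase or seed fields whose attributes leave them open to the host platform's spellcheck or autofill, the two leak paths described in the story and the comment above. It assumes field descriptors built from the DOM with the hypothetical describeElement helper; the sample fields are constructed inline so the check runs offline in Node.

```javascript
// Added example (not Coinomi's code): flag form fields that look like they
// hold a passphrase, seed or PIN but are configured so the browser or WebView
// may hand their contents to a spellcheck or autofill service.
const SECRET_HINT = /pass(word|phrase)?|seed|mnemonic|private.?key|\bpin\b/i;

// Field descriptor: { tag, type, name, id, spellcheck, autocomplete }.
// spellcheck/autocomplete hold the raw attribute string, or null when absent.
function auditSecretFields(fields) {
  const findings = [];
  for (const f of fields) {
    const label = f.name || f.id || "(unnamed)";
    if (!SECRET_HINT.test(label)) continue; // only secret-looking fields
    const type = (f.type || "text").toLowerCase();
    const spell = (f.spellcheck || "").toLowerCase();
    const auto = (f.autocomplete || "").toLowerCase();
    const problems = [];
    // Editable text defaults to spellcheck ON; this is the path that leaked
    // Coinomi's passphrase. type=password inputs are never spellchecked.
    if ((f.tag === "textarea" || type === "text") && spell !== "false") {
      problems.push("spellcheck not disabled");
    }
    // A single-line secret belongs in type=password, which also masks it.
    if (f.tag === "input" && type !== "password") problems.push("not type=password");
    // Keep the platform from storing or prefilling the value (the voting
    // machine case above): off, or new-password for password inputs.
    if (!(auto === "off" || (type === "password" && auto === "new-password"))) {
      problems.push("autocomplete not off");
    }
    if (problems.length) findings.push({ field: label, problems });
  }
  return findings;
}

// Hypothetical helper: in a real page, build descriptors from the live DOM,
// e.g. Array.from(document.querySelectorAll("input,textarea")).map(describeElement)
function describeElement(el) {
  return { tag: el.tagName.toLowerCase(), type: el.getAttribute("type"),
           name: el.getAttribute("name"), id: el.id,
           spellcheck: el.getAttribute("spellcheck"),
           autocomplete: el.getAttribute("autocomplete") };
}

// Constructed sample fields (not from any real app) for an offline run.
const SAMPLE_FIELDS = [
  { tag: "input", type: "text", name: "passphrase", id: "", spellcheck: null, autocomplete: null },
  { tag: "textarea", type: null, name: "seed", id: "", spellcheck: "true", autocomplete: "off" },
  { tag: "input", type: "password", name: "", id: "password", spellcheck: null, autocomplete: "new-password" },
  { tag: "input", type: "text", name: "username", id: "", spellcheck: null, autocomplete: "on" },
];

function runAudit() { return auditSecretFields(SAMPLE_FIELDS); }
console.log(JSON.stringify(runAudit(), null, 2));
```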