Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com)
An anonymous reader shares a report: The Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks in which attackers can log the passwords and later empty the accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali, who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), the Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.
"The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"
'nuf said. Surely there are more things wrong with that...
Collecting passwords in a browser form field is fairly common, and not wrong.
Spellchecking passwords? With a third party service? Sending in cleartext? Yeah, that's screwy ...
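As an added illustration of the defensive check behind that comment (this is example code, not Coinomi's or ZDNet's), here is a small audit that scans an HTML form for secret-bearing fields left open to an embedded browser's spellchecker; the hardening is either `type="password"` or `spellcheck="false"`. The keyword list used to spot secret fields and the sample form are constructed for the example.

```javascript
// Added example, not Coinomi's code: audit an HTML form for secret-bearing
// fields that a Chromium-based UI could hand to its spellchecker.
// Assumption: fields whose name/id/placeholder contain these words hold secrets.
const SECRET_HINTS = ["pass", "phrase", "seed", "mnemonic", "secret", "private"];
// Parse one opening tag into { name, attrs } (names and values lowercased).
// Simplification: a '>' inside a quoted attribute value is not handled.
function parseTag(tag) {
  const m = /^<\s*([a-zA-Z]+)([\s\S]*?)\/?>$/.exec(tag);
  if (!m) return null;
  const attrs = {};
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = re.exec(m[2])) !== null) {
    attrs[a[1].toLowerCase()] = (a[2] || a[3] || a[4] || "").toLowerCase();
  }
  return { name: m[1].toLowerCase(), attrs };
}
function looksSecret(attrs) {
  const text = [attrs.name, attrs.id, attrs.placeholder, attrs["aria-label"]]
    .filter(Boolean).join(" ");
  return SECRET_HINTS.some((h) => text.includes(h));
}
// Return the secret-bearing <input>/<textarea> tags that are neither masked
// password fields nor marked spellcheck="false". Browsers do not spellcheck
// type="password" inputs; any other editable field may be passed to the
// spellchecker, which in Chromium can be a remote service.
function auditSpellcheck(html) {
  const findings = [];
  const tagRe = /<\s*(input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = parseTag(m[0]);
    if (!tag || !looksSecret(tag.attrs)) continue;
    const masked = tag.name === "input" && tag.attrs.type === "password";
    const spellcheckOff = tag.attrs.spellcheck === "false";
    if (!masked && !spellcheckOff) {
      findings.push({ field: tag.attrs.name || tag.attrs.id || "(unnamed)", tag: m[0] });
    }
  }
  return findings;
}
// Constructed sample form: only the plain-text passphrase field should be flagged.
const SAMPLE_FORM = `
<form>
  <input type="text" name="username" placeholder="Username">
  <input type="text" name="passphrase" placeholder="Wallet passphrase">
  <textarea name="seed" spellcheck="false"></textarea>
  <input type="password" name="wallet-password">
</form>`;
console.log(auditSpellcheck(SAMPLE_FORM)); // [{ field: "passphrase", tag: "<input ...>" }]
```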
Real-world currencies were originally backed by gold reserves and evolved from there.
Cryptocurrencies were originally backed by geeks going, "It'll be the next big thing!" and haven't evolved yet.
-=This sig has nothing to do with my comment. Move along now=-