Slashdot Mirror
Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com)
An anonymous reader shares a report: Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.
"The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"
'nuf said. Surely there are more wrong things wrong with that...
Psword123
Did you mean "Password123"
"That's the way to do it" - Punch
A system of made-up currency run by any number of idiots in their virtual garages is shady? What? How could this possibly be?
For coinomi, to make use of the passphrase, an attacker needs access to the phone.
My sig doesn't address Anons, sigs aren't visible to them.
Annonymous Coward's password strength verifier!
Here's a example of how it works:
you : hey is this password strong?
ACpsv : and you are?
you : Joe Bloggs
ACpsv : what site is this for?
you : Fidelity.com
ACpsv: yeah, sure, it's good.
Coinomi has responded to the allegations in this post on Medium which states the spell checking functionality was enabled for desktop wallets but that the seed phrase wasn’t sent as plain text, it was “encapsulated inside a HTTPS request with Google being the sole recipient.” It added that Google did not process, cache or store the requests. The issue was fixed six days ago.
A report by security consultant Warith Al Maawali claims he lost $60,000 to $70,000 while using the Coinomi wallet. He argues that Coinomi’s built-in spell checker automatically checked his seed phrase which involved sending it as plain text to a Google-owned website. This meant it could have been intercepted, leading to the loss of funds. There have been other similar claims on Reddit. While it’s difficult to verify if these claims are true, it does highlight a bigger vulnerability: seed phrases and the dangers of entering them on computers connected to the internet.
Al Maawali told Decrypt he used his Ethereum seed phrase in the Coinomi wallet to access Ethereum-based tokens that he owned but were not supported by the Exodus crypto wallet which he was already using. He said everything worked okay at first as the tokens showed up but then a few days later, the wallet was emptied.
Due to this, he did some research and found what he believes is a critical vulnerability within the Coinomi wallet. At the point where you enter your seed phrase, it is processed through a spell checker. This means the whole seed phrase is sent to a Google-owned website. He has uploaded a video for anyone to replicate the process and see that the vulnerability exists.
Programmer Martin Habovtiak confirmed on Twitter that the vulnerability is real but argued that there might be more a more nefarious reason for the loss. Habovtiak believes it was more likely the money was stolen via malware, or Maawali sent the coins to another account he owns to make it look like they were stolen and is trying to double his money.
However there have been other reports of funds disappearing on the Coinomi wallet—which isn’t uncommon for any software wallet. There are two posts on Reddit by users who claim their funds have disappeared from the Coinomi wallet. Although neither specify that they imported their seed phrase into the wallet.
Al Maawali also provides screenshots of a conversation he claims to have had with Coinomi support in which they appear to accept the vulnerability exists but deny that it was responsible for the loss of funds. This conversation has not been independently verified.
This issue flicks at other issues facing Coinomi. Luke Childs, a developer of open-source software accused the app of lacking necessary encryption measures when sending user information. A blog post by Jonathan Sterling, co-founder of Coin Flow, goes into more detail on the issues, providing screenshots of tweets allegedly from Coinomi dismissing the claims.
While there is evidence that the exploit is real, it is much harder to verify that it was the reason the funds were stolen. There are many other possibilities of how the money was taken including malware or vulnerabilities in other crypto wallets—if it was even stolen. But this vulnerability proves that crypto wallet providers need to think outside the box when it comes to security, but not too much.
[This article has been updated with the response from Coinomi.]
https://decryptmedia.com/5414/alleged-coinomi-exploit-concern
Everyone knows that you need to send the password over SSL to your own back-end service first before you send it to Google Spellcheck in clear text!
Example, you use a simple java swing text box to input some data. Then a new revision of java comes out and boom the text box gets new capabilies such as auto-fill or spell check.
This exact scenario happened in one particular touch screen voting system in which the windows CE form boxes would remember the previous use of the form and fill it it. Unfortutaley it was filling it in with the previous voter's vote!
But it wasn't that the software designer overlooked this. When the software is written it did not do this. But after an update of the Windows CE it did.
Even changing things seeming innocuous like font definition files can introduce unanticipated changes post hoc.
This is true of anything that uses either late binding, or an OS API.
But you would be crazy to not use safe and validated things to be a window manager. Rolling your own would likely introduce even more prospects for security hazards.
there isn't an easy answer.
Some drink at the fountain of knowledge. Others just gargle.
Why would a password be sent to a spellcheck service?
Because you keep misspelling A#1b0Q^xK2-
Have gnu, will travel.
Real-world currencies were originally backed by gold reserves and evolved from there.
Cryptocurrencies were originally backed by geeks going, "It'll be the next big thing!" and haven't evolved yet.
-=This sig has nothing to do with my comment. Move along now=-
None of that is relevant to what has been said so far.
My sig doesn't address Anons, sigs aren't visible to them.
My password passed the spell check because it's "password", so who's laughing now? If only you people would stick to plain English passwords and spelled them correctly there wouldn't be a problem.
If it's a BIP39 seed, it's a list of 12 randomly chosen, common words. A typo in the spelling of any of those words means it's not a valid seed-word. I can see someone thinking that checking the spelling of a word isn't a security issue, but do it 12 times in a row, and you've leaked the root key for a BTC HD wallet.
Just plain dumb.
The real crime here is that they don't send the password also to a grammar checking service.
I'll see your senator, and I'll raise you two judges.
Actually, its backed by a lot of very complex math but go on.
What is the value of the math itself as opposed to the value of the gold represented by real-world currency?
At its very core, the ENTIRE concept of crypto-currency boils down to saying, "It would be pretty cool if we could make this work." And yes, it would. But that alone doesn't give it intrinsic value, and it doesn't give it the critical mass it requires to be considered a true currency on a level with the dollar, euro, yen, hell even the bolivar is more of a real currency - although for how long is debatable, true.
-=This sig has nothing to do with my comment. Move along now=-
Shut up, man, that's my password too. Stop telling everyone.
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
Going back further, gold as currency was also made up and took a leap of faith.... well, less a 'leap of faith' and more 'government will only accept taxes in gold and will only pay bills in the same'.
That is less 'backed' and more 'implemented by'.