Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com)

Posted by msmash on from the oops dept.

An anonymous reader shares a report: Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.

6 of 75 comments (clear)

  1. The Important part missing from TF Summary by itsme1234 · · Score: 3, Informative

    "The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"

    'nuf said. Surely there are more wrong things wrong with that...

    1. Re:The Important part missing from TF Summary by cascadingstylesheet · · Score: 4, Insightful

      "The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"

      'nuf said. Surely there are more wrong things wrong with that...

      Collecting passwords in a browser form field is fairly common, and not wrong.

      Spellchecking passwords? With a third party service? Sending in cleartext? Yeah, that's screwy ...

  2. Pssword123 by Oswald+McWeany · · Score: 4, Funny

    Psword123

    Did you mean "Password123"

    --
    "That's the way to do it" - Punch
  3. I don't believe it by mattyj · · Score: 5, Funny

    A system of made-up currency run by any number of idiots in their virtual garages is shady? What? How could this possibly be?

  4. this can happen post-hoc too by goombah99 · · Score: 5, Informative

    Example, you use a simple java swing text box to input some data. Then a new revision of java comes out and boom the text box gets new capabilies such as auto-fill or spell check.

    This exact scenario happened in one particular touch screen voting system in which the windows CE form boxes would remember the previous use of the form and fill it it. Unfortutaley it was filling it in with the previous voter's vote!
    But it wasn't that the software designer overlooked this. When the software is written it did not do this. But after an update of the Windows CE it did.

    Even changing things seeming innocuous like font definition files can introduce unanticipated changes post hoc.

    This is true of anything that uses either late binding, or an OS API.

    But you would be crazy to not use safe and validated things to be a window manager. Rolling your own would likely introduce even more prospects for security hazards.

    there isn't an easy answer.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  5. Re:All currency is "made-up" by Calydor · · Score: 3, Insightful

    Real-world currencies were originally backed by gold reserves and evolved from there.

    Cryptocurrencies were originally backed by geeks going, "It'll be the next big thing!" and haven't evolved yet.

    --
    -=This sig has nothing to do with my comment. Move along now=-