Reports: Coinomi Wallet Critical Vulnerability Discovered (UPDATED)

Sead Fadilpašić
Last updated: | 4 min read

The Coinomi cryptocurrency wallet was reportedly discovered to have a critical vulnerability that has reportedly cost some users their funds. However, the Coinomi team said the problem has been fixed and “it’s extremely unlikely that this issue would ever result in loss of funds.” (Updated first paragraph, new second section – “Coinomi’s response”.)

Source: iStock/weerapatkiatdumrong

According to claims on the Internet, the wallet, that has more than half a million downloads on the Google Play Store, was sending plain text seed phrases to a third party program for spellchecking. Coinomi denied that this was the case.

Warith Al Maawali, an IT security consultant, has been credited for discovering the issue. He created a website avoid-coinomi.com where he shared his version of events and later posted it on Reddit, also.

“First of all I admit it was my mistake trusting Coinomi wallet by inserting one of my main wallets (Exodus wallet) passphrase into their application,” Al Maawali explains, adding, “I wanted to shift some of the assets that were not supported by Exodus wallet using the same passphrase/seed.” According to the consultant, their main application, which was installed by the user on February 14, was not digitally signed, which he brought to the attention of the Coinomi team through Twitter – but he had already entered his Exodus wallet passphrase into the non-signed one.

On February 22nd, he noticed that “more than 90% of my Exodus wallet assets were transferred to multiple wallet addresses and the first transaction began with BTC on 19th February 2019 around UTC 3:30 AM. Then followed by ETH (including ERC20 tokens), LTC and finally BCH.”

When he started digging into the issue, he discovered that the whole passphrase, in plain text, was being sent to a domain name (googleapis.com) owned by Google for spellchecking purposes. “As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my USD 60K – USD 70K worth crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that a 12 random English words separated by spaces will probably be a passphrase to a cryptocurrency wallet,” u/warith explains.

He said that he contacted Coinomi with his findings, but the results weren’t what he expected. “Coinomi’s team did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation,” he wrote, adding, “They kept reminding me (kinda threatening me) of the legal implications if I go public with the information I have and they forgot their legal responsibility for my stolen crypto assets as well as the risk that impacts other users of the wallet.” He concludes by saying that he is looking into taking legal actions against Coinomi LTD, the UK-based company, if they don’t take responsibility for this security bug.

Meanwhile, some other users also claim they’ve lost their funds:

Coinnomi Hacked?? from r/COINOMI
Was I hacked? I’m not sure what I did wrong! Help? from r/COINOMI

Coinomi’s response

In a blog post, the Coinomi team confirmed that spelcheck functionality was indeed enabled for the Desktop wallets only , while, according to them, the mobile app was not affected by this.

According to the company, it wasn’t a bug in their source code but instead was a bad configuration option in a plug-in used in Desktop wallets only. They claim that the issue was fixed 6 days ago, or the same day they were contacted by Al Maawali.

Coinomi also said that “Al Maawali repeatedly refused to disclose his findings and kept threatened to take this public if we didn’t pay right away the ransom of 17 BTC which would make up for the “hacked” funds (stolen by Google, according to Warith Al Maawali) that are possibly still controlled by him.” The company claims that those funds couldn’t have been hacked because of Coinomi for technical reasons.

“Given the facts above, it’s extremely unlikely that this issue would ever result in loss of funds, however under no circumstances a seed phrase should go online even if this is in encrypted mode and for this we sincerely apologize,” they said.

Coinomi on what to do next:

  • If you have been using Coinomi for Android or iOS there is no further action needed on your side; mobile versions were not affected by this.
  • If you are using Coinomi Desktops and you created a new wallet with your Desktop, again there’s no further action required other than updating your client to the latest (patched) version.
  • If you are using Coinomi Desktops and you restored an existing wallet into your Desktop wallet we recommend that you create a new wallet and move your funds there after you update your client to the latest (patched) version.