Coinomi Wallet Addresses Vulnerability Concerns

Coinomi Wallet denied recent claims that its software sends wallet recovery seed phrases to Google’s remote spell checker servers in plain (unencrypted) text. The company refuted the claims in an official statement published on Feb. 27.

In the statement, Coinomi claims that, unlike what was reported, the seed phrase transmission was encrypted via SSL (HTTPS), with Google being the only recipient capable of decrypting the message.

Coinomi notes that the phrase was only transmitted if the user chose to restore his wallet and only on the desktop version. Finally, Coinomi states that the spell-check requests sent to Google were not cached or stored, since they were flagged as bad requests by the servers and were not processed further.

The cause of the problem was reportedly a bad configuration in a software plug-in contained in the desktop version of Coinomi wallets.

The company claims that on Feb. 22 Warith Al Maawali created a support request on its board regarding a vulnerability in its wallet which, according to Maawali, led to a wallet being hacked, as he claims on the dedicated website AvoidCoinomi.

Coinomi purportedly flagged the request as high priority and investigated the matter. The company's COO, Angelos Leoussis, said on the firm’s official Telegram group that the user kept “threatening, swearing, and blackmailing us for insane amounts.”

While a video posted on AvoidCoinomi aims to demonstrate the alleged vulnerability, it appears to show that the option to decrypt HTTPS is selected in the software.

Leoussis shared an alleged copy of the conversation with Maawali with Cointelegraph, where the user suggests that the wallet contains a backdoor and declares:

“You have few hours to return my assets back or I will go public with all the the [sic] evidence against you.”

According to information shared with Cointelegraph, on Feb. 23 Maawali asked the company to refund the allegedly stolen crypto assets or their equivalent in dollars, stating that otherwise he has “no choice other than reporting this in social media.” Still, he did not share the details of his findings, saying that he would wait until the company showed its willingness to refund the allegedly stolen funds.

Per Leoussis, Coinomi responded that the company did not consider this to be a responsible disclosure and asked for details concerning the alleged vulnerability. Maawali seemingly responded to the request by stating that he would not disclose details without assurance of a refund.

On Feb. 26 Coinomi purportedly declared that the company will report the stolen assets to Chainalysis, which will blacklist the funds so no exchange will accept them.

In December 2018, researchers reportedly demonstrated that they were able to hack the Trezor One, Ledger Nano S and Ledger Blue hardware wallets. At the 35C3 Refreshing Memories conference, researchers used several different strategies to attempt to compromise the wallets. The Ledger team also claimed that the alleged vulnerabilities discovered in its hardware wallets were not critical.
