Possible Security Vulnerability on Coinomi Wallet
A Twitter user, Warith Al Maawali, has pointed to a possible security vulnerability in Coinomi, one of the oldest multi-asset crypto wallets. According to him, the wallet sends users' seed phrases in plain text to Google's remote spellchecker API. This means that anyone with access to Google's log files can steal funds from a Coinomi wallet. He further claimed that his wallet was compromised through this vulnerability and that $60,000 to $70,000 (about 17 BTC) worth of cryptocurrencies was stolen from his account.
Warith has revealed details on the nature of the vulnerability on this site, avoid-coinomi.com, stating that:
“Please note that this security issue cannot be exploited by anyone except by the people who created it or have control over the backend. To everyone who is using or used Coinomi wallet, make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application, otherwise your funds might get stolen sooner or later.”
Coinomi is popular for supporting a wide range of digital assets and a host of masternode coins. Responding to the allegation, the wallet's team admitted that Warith Al Maawali contacted support on Feb 22 with regard to a security vulnerability in their desktop wallet:
“Our engineers confirmed that spell-check functionality was indeed enabled for the Desktop wallets only — the mobile apps were not affected by this.”
The vulnerability, which has now been fixed, was caused by a bad plug-in configuration option that enabled the spell-check functionality by default. Existing desktop users have been advised to create new wallets and transfer their funds to them, and to update their client to the latest version.