Coinomi Desktop Wallet checks spelling of seed phrases. The function allowed to steal $ 70,000 in cryptocurrency

The user under the warith nickname reported the loss of $ 60,000 – $ 70,000 after installing the Coinomi cryptocurrency wallet from the official site.

Check ur the crypto Spell Spell-currency wallet's Remotely with the passphrase #Coinomi ? https://t.co/xuQnLf0vOy https://t.co/nasw8FfmpQ #btc $ btc $ ltc $ xmr $ trx $ XRP $ zcoin $ dash $ zcash $ gno $ eth $ ark $ bch

– Warith Al Maawali (@ warith2020) February 26, 2019

“My main Exodus wallet did not support some assets and I decided to move them to Coinomi using the same seed phrase,” he writes.

A few days later, warith noticed that 90% of the assets — Bitcoins, ETH, ERC20, LTC and BCH tokens with a total value of up to $ 70,000 — were withdrawn from his Exodus wallet to various addresses. Only assets that were not supported by Coinomi remained in the wallet.

To understand the situation, warith tracked the traffic of the Coinomi application and found out that at the time of launch it downloaded a list of words from the dictionary.

“I entered a random seed phrase in the wallet recovery box and found that in the form of unencrypted text it was sent to googleapis.com for spell checking.

Everyone who is connected with technology and cryptocurrency knows that 12 random English words can be a seed phrase from a crypto wallet. Thus, someone from the Google team, or someone who has access to HTTP requests sent to googleapis.com, found a passphrase and used it to steal $ 60,000 – $ 70,000 in cryptocurrency, ”writes warith.

The user wrote a post about the incident on Twitter, but Coinomi only achieved evasive answers in personal correspondence. In this regard, warith is ready to file a claim with the company, “if it continues to avoid responsibility.”

After some time, a representative of Coinomi, in an interview with Trustnodes, reported that the detected vulnerability was eliminated and concerned only the desktop version of the wallet.

“Requests to Google were encrypted and incorrect, because of which they were not processed by Google. Spell check was carried out locally, ” he said, promising that the company would soon prepare an official comment on the incident.

Recall that earlier in February, a vulnerability was discovered in software for Antminer S15 devices , which in theory allows attackers to fully control ASIC.

Follow BlockchainJournal on Twitter !