A Bitcointalk user named warith told a story about how he lost $60,000 to $70,000 to a vulnerability in the popular cryptocurrency wallet Coinomi.
The author says that on February 14 he downloaded and installed the Coinomi application and then entered the seed phrase from his main Exodus-based wallet into its interface.
I trusted them because I downloaded the software from their website, the setup file was digitally signed and was mentioned by several reputable websites such as bitcoinwiki.org. I wanted to shift some of the assets that were not supported by Exodus wallet using the same passphrase/seed.
On February 22, the user noticed in the Exodus interface that 90% of the assets in his wallet had been sent to various addresses: first Bitcoin, then ETH, ERC20 tokens, LTC, and finally BCH. Only the assets that were supported by Exodus but not by Coinomi remained.
I started monitoring the traffic by running Fiddler in the background and then started Coinomi wallet. The first thing I noticed is that the Coinomi application starts downloading a dictionary wordlist from the following web address.
After that, the user entered a random passphrase into the wallet-restore field and found that it was sent as unencrypted text to googleapis.com for spell checking. As a further check, the author entered a misspelled word, which, as expected, was underlined in red.
So essentially the textbox which you enter your passphrase in is basically an HTML file run by a Chromium browser component, and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for a spelling check (how awesome is that!)
As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!
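To show what a traffic capture like the one above would reveal, here is an added example (not code from the post, from Coinomi or from Fiddler) that scans captured request bodies for strings shaped like a BIP39 seed phrase, the "12 random English words separated by spaces" pattern; the sample requests, their hosts and the spell-check request layout are constructed assumptions.

```javascript
const SEED_LENGTHS = new Set([12, 15, 18, 21, 24]); // valid BIP39 phrase lengths
const WORD_RE = /^[a-z]{3,8}$/; // every English BIP39 word is 3 to 8 lowercase letters

// Heuristic only: N short lowercase words, N a valid seed length. It does not
// check the wordlist or checksum, so it will also flag some ordinary sentences.
function looksLikeSeedPhrase(text) {
  const words = text.trim().split(/\s+/);
  return SEED_LENGTHS.has(words.length) && words.every((w) => WORD_RE.test(w));
}

// Collect every string value from a request body: nested JSON strings,
// URL-encoded form field values, or the raw body as a last resort.
function extractStrings(body) {
  const out = [];
  try {
    const walk = (v) => {
      if (typeof v === 'string') out.push(v);
      else if (v && typeof v === 'object') Object.values(v).forEach(walk);
    };
    walk(JSON.parse(body));
  } catch {
    if (/^([^=&]+=[^&]*&?)+$/.test(body)) {
      for (const field of body.split('&')) out.push(decodeURIComponent(field.split('=')[1] || ''));
    } else {
      out.push(body);
    }
  }
  return out;
}

// Report every captured request that carries a seed-phrase-looking string.
function scanRequests(requests) {
  const hits = [];
  for (const req of requests) {
    for (const s of extractStrings(req.body)) {
      if (looksLikeSeedPhrase(s)) hits.push({ host: req.host, phrase: s });
    }
  }
  return hits;
}

// Constructed sample capture: hosts, body shape and the 12-word phrase are made up
// for this example (the phrase is the first twelve words of the BIP39 English list).
const SAMPLE_REQUESTS = [
  { host: 'www.googleapis.com', body: JSON.stringify({ method: 'spelling.check',
      params: { text: 'abandon ability able about above absent absorb abstract absurd abuse access accident' } }) },
  { host: 'api.example.com', body: 'q=Hello%20world%20from%20Fiddler&lang=en' },
  { host: 'www.googleapis.com', body: JSON.stringify({ text: 'the quick brown fox jumps over the lazy dog' }) },
];
```

Running `scanRequests(SAMPLE_REQUESTS)` flags only the first request; pointing the same check at a live proxy log is the quickest way to confirm whether a wallet's restore field leaks what is typed into it.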
Initially, the Coinomi team did not officially comment on the incident. The author, however, stated that the company deleted its comment on his claim on Twitter and gave evasive answers in private correspondence, adding that he intends to file a claim against the company if it continues to avoid responsibility.
In a conversation with Trustnodes, a Coinomi spokesman said that the problem concerned only the desktop version of the wallet and did not affect users on mobile devices. He also claimed that the requests to Google were encrypted and incorrect, which is why Google did not process them. Spell checking was carried out locally, the spokesman said, adding that this was an unofficial answer; an official answer is reported to follow shortly. According to him, the problem was fixed 3 days ago.