Coinomi User Lost $70k Due to Vulnerability

According to the user, the passphrase was sent to googleapis.com for spell checking
27 February 2019

Bitcointalk user warith has described how he lost $60,000 to $70,000 due to a vulnerability in the popular cryptocurrency wallet Coinomi.

The author says that on February 14 he downloaded and installed the Coinomi application, after which he entered the seed phrase from his main Exodus wallet into its interface.

I trusted them because I downloaded the software from their website, the setup file was digitally signed and it was mentioned by several reputable websites such as bitcoinwiki.org. I wanted to shift some of the assets that were not supported by the Exodus wallet using the same passphrase/seed.
 

warith @Bitcointalk

On February 22, the user noticed in the Exodus interface that 90% of the assets in his wallet had been sent to various addresses: first Bitcoin, then ETH, ERC20 tokens, LTC, and finally BCH. Only assets that were supported by Exodus but not by Coinomi remained.

After analyzing the Coinomi client, the author found that the entire wallet interface is written in HTML/JavaScript and rendered by a Chromium-based browser component.

I started monitoring the traffic by running Fiddler in the background and then started the Coinomi wallet. The first thing I noticed is that the Coinomi application starts downloading a dictionary wordlist from the following web address.
 

warith @Bitcointalk

The user then entered a random passphrase into the wallet-restore field and found that it was sent as unencrypted text to googleapis.com for spell checking. As a further check, the author typed a misspelled word, which, as expected, was underlined in red.

So essentially the textbox which you enter your passphrase in is basically an HTML file run by the Chromium browser component, and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for a spelling check (how awesome is that!)

As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!
 

warith @Bitcointalk
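The mechanism described above, an editable HTML field in a Chromium-based UI with spell checking left on, is something a wallet's own build can test for. The following is an added example and not Coinomi's or Exodus's code: a small dependency-free Node.js lint that scans form markup for secret-entry fields (seed phrase, passphrase, password) lacking `spellcheck="false"` and `autocomplete="off"`, run over a constructed weak restore form and its hardened counterpart. The field-name heuristics and the sample markup are assumptions made for illustration.

```javascript
// Added example (not Coinomi's or Exodus's code): a small lint for wallet UI
// markup. It flags secret-entry fields (seed phrase, passphrase, password)
// that leave the browser spellchecker or form autofill enabled. In a
// Chromium-based UI a spellcheck-enabled field can have its contents sent to a
// remote spelling service, which is the failure mode the article describes.
// Runs under Node.js with no dependencies.

// Name/id/placeholder fragments that mark a field as holding a wallet secret.
// This list is an assumption for illustration, not a standard.
const SECRET_HINT = /(seed|mnemonic|passphrase|password|private[\s_-]?key|recovery)/i;

// Parse the attribute text of one opening tag into a lowercase-keyed object.
// Handles double-quoted, single-quoted, bare and valueless attributes.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// A field is "secret" if it is a password input or its name/id/placeholder/label
// matches SECRET_HINT.
function isSecretField(attrs) {
  if ((attrs.type || '').toLowerCase() === 'password') return true;
  const text = [attrs.name, attrs.id, attrs.placeholder, attrs['aria-label']]
    .filter(Boolean)
    .join(' ');
  return SECRET_HINT.test(text);
}

// Scan HTML for <input> and <textarea> tags and return one finding per secret
// field that is missing a hardening attribute.
function auditSecretFields(html) {
  const fieldTag = /<(input|textarea)\b([^>]*)>/gi;
  const findings = [];
  let m;
  while ((m = fieldTag.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    if (!isSecretField(attrs)) continue;
    const problems = [];
    // spellcheck is an enumerated attribute: only an explicit "false" turns it off.
    if ((attrs.spellcheck || '').toLowerCase() !== 'false') {
      problems.push('spellcheck not disabled (contents may leave the machine)');
    }
    // autocomplete="off" keeps the secret out of the browser's form-fill store.
    if ((attrs.autocomplete || '').toLowerCase() !== 'off') {
      problems.push('autocomplete not set to off');
    }
    if (problems.length > 0) findings.push({ tag: m[0].trim(), problems });
  }
  return findings;
}

// Constructed sample: a restore form as it might be shipped by mistake...
const WEAK_FORM_HTML = `
<form id="restore">
  <textarea name="seed-phrase" placeholder="Enter your 12-word recovery phrase"></textarea>
  <input type="password" name="wallet-password">
  <input type="text" name="wallet-label" placeholder="Wallet name">
</form>`;

// ...and the same form with the secret fields hardened.
const HARDENED_FORM_HTML = `
<form id="restore">
  <textarea name="seed-phrase" spellcheck="false" autocomplete="off"
            autocorrect="off" autocapitalize="off"
            placeholder="Enter your 12-word recovery phrase"></textarea>
  <input type="password" name="wallet-password" spellcheck="false" autocomplete="off">
  <input type="text" name="wallet-label" placeholder="Wallet name">
</form>`;

for (const [label, html] of [['weak', WEAK_FORM_HTML], ['hardened', HARDENED_FORM_HTML]]) {
  const findings = auditSecretFields(html);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.tag}\n    - ${f.problems.join('\n    - ')}`);
}
```

The `spellcheck` attribute is inherited from the enclosing element and, for editable text fields in Chromium, defaults to enabled, so every secret field needs its own explicit `spellcheck="false"`. A Chromium embedder that exposes a global spellchecker switch should additionally turn it off for the whole wallet window, since a per-field attribute is easy to lose in a refactor.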

Initially, the Coinomi team did not officially comment on the incident. The author, however, stated that the company deleted its reply to his claim on Twitter and gave evasive answers in private correspondence, adding that he intends to sue the company if it continues to avoid responsibility.

In a conversation with Trustnodes, a Coinomi spokesman said that the problem affected only the desktop version of the wallet and not users on mobile devices. He also claimed that the requests to Google were encrypted and malformed, so Google did not process them, and that spell checking was performed locally. The spokesman added that this was an unofficial answer and that an official statement would follow shortly. According to him, the problem had been fixed three days earlier.

First Alternative Zcash Client to Be Created by Parity

Responsibility for the continued development and support of the new client, called Zebra, will lie with the Zcash Foundation
18 June 2019

Parity Technologies, a leading developer of software for the Ethereum ecosystem, has presented the first alternative client for the cryptocurrency Zcash.

The new client, called Zebra, is intended to improve the security of the Zcash network: if the original Zcashd client cannot operate for some reason, the blockchain will continue to be supported by nodes running Zebra.

In addition, an alternative client will help developers identify bugs and eliminate consensus defects.

The community wins across the board, as there are now more core developers working on clients, with more interests represented and clients taking different approaches on how to build apps on top. Zcash can now boast a more diversified community that can effectively tailor experiences for Layer 2 developers as well as end-users.
 

Fredrik Harryson
CTO, Parity Technologies

Responsibility for the continued development and support of Zebra will lie with the Zcash Foundation.