
February 28, 2019 9:41 PM

After patching a bug, the wallet provider claimed the security issue could not have resulted in funds being stolen.

Cryptocurrency wallet provider Coinomi has responded[1] to recent claims that the company's wallet software sends wallet recovery seed phrases to Google's remote spell checker servers in unencrypted text. According to Coinomi's Medium post, the spell check requests "returned an error (code: 400) as they were flagged as 'Bad Request' and weren't processed further by Google."

Exchanging a Few Words

Warith Al Maawali created the avoid-coinomi.com[2] website after finding the alleged vulnerability in the Coinomi desktop wallet. Like other software wallets, Coinomi uses a 12-word seed phrase in the event a user needs to restore a wallet, forgets their PIN, or needs to transfer funds to a new device. On his website, Maawali explains that, while restoring his Coinomi wallet on his desktop, his seed phrases were sent[3] in "clear plain text" (unencrypted) to googleapis.com, a domain name owned by Google that provides a spellcheck function. The feature is supposedly meant to make it easier for users to spot typos while entering their seed phrases.

Maawali posted a video[4] of the alleged vulnerability to the avoid-coinomi website. He claimed the bug resulted in $60,000 to $70,000 worth of cryptocurrency being stolen from his wallet by "someone from Google's team" or whoever had access to the Google server. As for how the alleged hacker knew the 12 words were a part of a wallet recovery phrase, Maawali states: "Anyone who is involved in technology and crypto-currency knows that a [sic] 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!"

Maawali alerted Coinomi to the supposed bug via
