Coinomi Wallet Transmits Plain-Text Seed Phrase…For Spellchecking!


Bitcoin software (and hardware) wallets are open to a bewildering array of attack vectors, because… well, money. Hackers will always be trying to exploit vulnerabilities or find backdoors. But Coinomi wallet apparently made things a bit too easy, by sending the seed phrase in plain text to a Google API for spellchecking.


How Do You Spell ‘Cleaned Out’?

The bug came to light after a user noticed that $60k-70k worth of cryptocurrency had disappeared after he installed the wallet. He had entered the passphrase for another wallet into the restore field in order to move some unsupported assets. A week later, 90% of the funds in that main wallet were missing, and the missing coins were exactly the assets Coinomi supports, which pointed at the wallet as the place the seed had leaked.

Some further investigation, using software that monitors the HTTP traffic of running applications, revealed the bombshell: when a passphrase is entered into the ‘Restore Wallet’ field, it is sent in plain text to googleapis.com for spell-checking. The video in the original post shows this happening.

How Do You Spell ‘WTF’?

In fact, entering any random sentence with a spelling mistake will result in a red underline once the spellchecker has done its business. But why on earth would a wallet ever need to send the seed (or any other text) to a spellchecker? Spoiler… it wouldn’t.

Apparently the framework used to build the Coinomi wallet enables spellchecking by default on every text field. It is easy to disable, and it is inexcusable that Coinomi did not do so for a field that receives such sensitive data.
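What disabling it looks like in practice, as an added example that is not Coinomi’s code and not from the original post: if the restore field is an ordinary HTML input or textarea (an assumption, since the article does not say which UI framework Coinomi used), browser-side spellchecking is controlled per element by the standard `spellcheck` attribute, and it stays on unless the attribute is explicitly set to `"false"`. The script below audits a form’s markup for secret-bearing fields that still have spellchecking enabled and emits a hardened copy; the sample form and its field names are constructed for the demo.

```javascript
// Added example, not code from Coinomi or from the article. It assumes the
// restore field is an ordinary HTML <input>/<textarea> (the article does not
// say which UI framework Coinomi used). The markup below is constructed for
// the demo; the field names are invented.

// Attribute names/values that suggest a field holds secret material.
const SENSITIVE_HINT = /seed|mnemonic|passphrase|password|private[-_ ]?key|recovery/i;

// Opening <input ...> / <textarea ...> tags; group 2 is the raw attribute text.
const FIELD_TAG = /<(input|textarea)\b([^>]*)>/gi;

// Attributes whose default behaviour can leak or retain field contents.
const RISKY_ATTRS = /\s*(spellcheck|autocomplete|autocorrect|autocapitalize)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;

// Parse `name="value"` pairs (quoted, unquoted, or bare boolean) into an object.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function isSensitive(attrs) {
  const hint = [attrs.name, attrs.id, attrs.placeholder, attrs["aria-label"]]
    .filter(Boolean)
    .join(" ");
  return SENSITIVE_HINT.test(hint);
}

// Per the HTML spec, spellchecking stays on unless spellcheck="false" is set
// explicitly; a bare `spellcheck` attribute (empty value) means "true".
function spellcheckEnabled(attrs) {
  return !("spellcheck" in attrs) || attrs.spellcheck.toLowerCase() !== "false";
}

// Returns the name/id of every secret-bearing field that still has
// spellchecking enabled.
function auditForm(html) {
  const findings = [];
  for (const m of html.matchAll(FIELD_TAG)) {
    const attrs = parseAttrs(m[2]);
    if (isSensitive(attrs) && spellcheckEnabled(attrs)) {
      findings.push(attrs.name || attrs.id || "(unnamed)");
    }
  }
  return findings;
}

// Rewrites sensitive fields with spellcheck/autocomplete/autocorrect/
// autocapitalize turned off; non-sensitive fields are left untouched.
function hardenForm(html) {
  return html.replace(FIELD_TAG, (tag, tagName, attrText) => {
    if (!isSensitive(parseAttrs(attrText))) return tag;
    const cleaned = attrText
      .replace(RISKY_ATTRS, "")     // drop any existing (possibly wrong) values
      .replace(/\s*\/\s*$/, "")     // tolerate self-closing `<input ... />`
      .trimEnd();
    return `<${tagName}${cleaned} spellcheck="false" autocomplete="off" ` +
      `autocorrect="off" autocapitalize="off">`;
  });
}

// Constructed sample: a restore form in the state the article describes
// (secret fields with the framework's default spellchecking left on).
const SAMPLE_FORM = `<form>
  <input type="text" name="restore-seed" placeholder="Enter your recovery phrase">
  <textarea id="mnemonic" spellcheck="true"></textarea>
  <input type="password" name="passphrase" spellcheck="false">
  <input type="text" name="note">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("leaky fields:", auditForm(SAMPLE_FORM));
  console.log(hardenForm(SAMPLE_FORM));
}
```

On a live page the same check runs directly against the DOM with `document.querySelectorAll("input, textarea")` and `el.spellcheck`; the string-based version here exists only so the example runs offline. Turning off `autocomplete`, `autocorrect` and `autocapitalize` alongside `spellcheck` matters for the same reason: each is a path by which a browser or platform keyboard may store or transmit what was typed into the field.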

Also worth noting is that the plain-text seed is sent over an encrypted connection (TLS, i.e. HTTPS). This means a passive eavesdropper on the network cannot read it; it is still readable by the receiving endpoint, by any proxy that terminates TLS along the way, and by anyone with access to the HTTP requests or logs on the googleapis.com side.

HDYS ‘Stay Safe Out There’?

Coinomi has apparently ‘quietly’ fixed the problem. But a seed phrase cannot be rotated like a password: if yours has already been sent in plain text to a Google server somewhere, the only real remediation is to generate a fresh seed in a different wallet and move your coins there, and never reuse the exposed one.

The user whose funds were stolen has been awarded a bug bounty by Coinomi, but isn’t happy with their response regarding his funds. For their part, Coinomi have identified the addresses where the funds have remained untouched since the ‘incident’. These addresses have been blacklisted so that exchanges will refuse to deal with them, but the user is demanding a more immediate resolution.

This isn’t the first time that Coinomi has faced major privacy issues. Last year, there was an issue whereby the wallet leaked user addresses in plain text on opening.

Have you used Coinomi? Share your experiences below!
