Security Alert: Crypto Wallet Coinomi Reportedly Sending Seed Phrases to Google

Francisco Memoria

Multi-asset cryptocurrency wallet Coinomi reportedly has a major security vulnerability: according to several security researchers, it has been sending users’ seed phrases in plain text to third-party servers.

Twitter user Warith Al Maawali, who first discovered the vulnerability, says he found out about it after losing a large amount of cryptocurrency, having entered his recovery phrase into Coinomi. He wrote:

My passphrase was compromised and $60K-$70K worth of crypto-currency were stolen because of Coinomi wallet and how the wallet handled my passphrase.

The vulnerability itself sees the cryptocurrency wallet send users’ seed phrases, as unencrypted plain text, to a Google-owned server through a spell check function. Maawali found out about the activity using software that monitors and debugs the HTTP/HTTPS traffic of applications.

To verify the threat, he noted on a website dedicated to the incident that all users have to do is “simply paste any random sentence with [a] spelling mistake in the textbox in Coinomi’s ‘Restore Wallet’ form/page.” The result, he wrote, is that the error is underlined in red after the text has been sent to Google for a spell check.
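The check described above relies on watching an application's outbound HTTP traffic for the contents of the restore form. The following is an added example (not Coinomi's code and not from the article) of how a defender can automate that review: it scans proxy-captured requests, pulls the text fields out of form-encoded or JSON bodies, and flags any request to a host outside a first-party allow-list whose body contains a run of at least 12 consecutive mnemonic words, 12 being the shortest BIP39 seed phrase. The word list here is a small constructed subset of the BIP39 English list, and the hostnames and log records are constructed for the demonstration.

```python
"""Flag seed phrases leaving an application in outbound HTTP requests.

Input is one JSON record per line, as a capturing proxy might export:
{"method", "url", "content_type", "body"}. All hosts and records below
are constructed for this example.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed subset of the BIP39 English word list (the real list has 2048 words).
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual
""".split())

# Hypothetical first-party host the wallet is allowed to talk to.
ALLOWED_HOSTS = frozenset({"api.wallet.example"})
MIN_MNEMONIC_WORDS = 12  # BIP39 phrases are 12, 15, 18, 21 or 24 words long


def longest_wordlist_run(text):
    """Length of the longest run of consecutive tokens that are wordlist words."""
    longest = current = 0
    for token in re.findall(r"[a-z]+", text.lower()):
        if token in BIP39_SAMPLE:
            current += 1
            longest = max(longest, current)
        else:
            current = 0
    return longest


def text_fields(body, content_type):
    """Extract the user-controlled strings from a request body."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return [v for values in parse_qs(body).values() for v in values]
    if media_type == "application/json":
        found = []

        def walk(node):
            if isinstance(node, str):
                found.append(node)
            elif isinstance(node, dict):
                for value in node.values():
                    walk(value)
            elif isinstance(node, list):
                for value in node:
                    walk(value)

        walk(json.loads(body))
        return found
    return [body]  # text/plain or unknown: scan the raw body


def scan_request(record):
    """Return a finding dict if the request leaks a mnemonic to a third party."""
    host = urlsplit(record["url"]).hostname or ""
    if host in ALLOWED_HOSTS:
        return None
    fields = text_fields(record.get("body", ""), record.get("content_type", ""))
    run = max((longest_wordlist_run(f) for f in fields), default=0)
    if run >= MIN_MNEMONIC_WORDS:
        return {"host": host, "url": record["url"], "wordlist_run": run}
    return None


def scan_log(lines):
    """Scan JSON-lines proxy output and collect every leak finding."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = scan_request(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample capture: a 12-word phrase sent to a third-party spell
# checker, an ordinary misspelled sentence, and the same phrase sent first-party.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"method": "POST", "url": "https://spellcheck.thirdparty.example/check?lang=en",
     "content_type": "application/x-www-form-urlencoded",
     "body": "text=abandon+ability+able+about+above+absent+absorb+abstract"
             "+absurd+abuse+access+accident"},
    {"method": "POST", "url": "https://spellcheck.thirdparty.example/check?lang=en",
     "content_type": "application/x-www-form-urlencoded",
     "body": "text=this+sentense+has+a+speling+mistake"},
    {"method": "POST", "url": "https://api.wallet.example/restore",
     "content_type": "application/json",
     "body": json.dumps({"mnemonic": "abandon ability able about above absent "
                                     "absorb abstract absurd abuse access accident"})},
)]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"LEAK: {finding['wordlist_run']} mnemonic words sent to {finding['host']}")
```

Running the script reports the first record only: the misspelled sentence never reaches the threshold, and the restore request to the allow-listed host is ignored. Using the longest consecutive run rather than a plain word count keeps ordinary prose, which can contain scattered dictionary words, from triggering the check.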

On Twitter, security researcher Luke Childs published a video showing that Coinomi was indeed sending its users’ seed phrases to Google.

Maawali believes his funds were stolen by someone with access to the traffic, or by someone at Google who noticed the seed phrase. The researchers added that other Coinomi wallet users have reported seeing their funds disappear.

Coinomi’s Response

Before making the vulnerability public, Maawali claims to have reached out to Coinomi explaining the situation. Per his words, the team behind the wallet “did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation.”

Maawali claims Coinomi “kept reminding” him in a threatening way of “the legal implications” of disclosing the vulnerability. He noted they shouldn’t forget about the legal implications of his funds, now gone.

Luke Childs had notably disclosed a Coinomi vulnerability before: the wallet transmitted its users’ transactions unencrypted to Electrum servers, without using standard security technology. At the time, the developers reacted defensively, criticizing Childs and claiming he was spreading fear, uncertainty, and doubt (FUD).

Maawali advised those using Coinomi to secure their funds as soon as they can:

To everyone who is using or used Coinomi wallet, make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application otherwise your funds might get stolen sooner or later

Available data shows the Coinomi wallet isn’t open-source, meaning its code isn’t available to the public. Some in the crypto community believe these wallets should be avoided, as they can contain hidden security vulnerabilities.

Hackers Try to Sell Data of 142 Million MGM Hotel Guests for Bitcoin or Monero

Hackers are trying to sell the data of 142 million MGM hotel guests on the dark web for about $2,900 worth of cryptocurrency, payable in either bitcoin or monero (XMR).

According to ZDNet, the data comes from a 2019 data breach at MGM Resorts (NYSE: MGM) that was initially believed to have affected only 10.6 million MGM hotel guests, when the hackers published a free sample of the data for download.

The new finding, that a total of 142,479,937 hotel guests had their data stolen, came to light after a hacker published an ad offering the data for sale on a darknet market. The hacker claims to have obtained the data by breaching data leak monitoring service DataViper, which is operated by Night Lion Security.

The founder of Night Lion Security, Vinny Troia, reportedly told ZDNet the firm never owned a copy of MGM’s full database, and that the hackers were trying to ruin its reputation with their claims. While MGM Resorts learned of the security breach last year, it did not make it public and instead just notified impacted customers.

Speaking to ZDNet, an MGM spokesperson said:

MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation

The spokesperson also added that the majority of the data consisted of “contact information like names, postal addresses, and email addresses.” Social Security numbers, reservation data, and other financial information were not leaked, according to MGM.

Irina Nesterovsky, Head of Research at threat intel firm KELA, reportedly noted that the MGM data has been for sale on private hacking circles since at least July 2019 and that the situation could be even worse, as posts from Russian-speaking forums claimed to contain the details of 200 million hotel guests.

For now, it’s only clear that the hacker who has the data is trying to sell it for $2,900 worth of either bitcoin or XMR on an unnamed darknet marketplace.

Featured image via Pixabay.