Security Alert: Crypto Wallet Coinomi Reportedly Sending Seed Phrases to Google

Francisco Memoria

Multi-asset cryptocurrency wallet Coinomi reportedly has a major security vulnerability, as it has, according to various security researchers, been sending users’ seed phrases in plain text to third-party servers.

Twitter user Warith Al Maawali, who first discovered the vulnerability, claims to have found out about it after losing large amounts of cryptocurrency after adding his recovery phrase to Coinomi. He wrote:

My passphrase was compromised and $60K-$70K worth of crypto-currency were stolen because of Coinomi wallet and how the wallet handled my passphrase.

The vulnerability itself sees the cryptocurrency wallet send users’ seed phrases, unencrypted and in plain text, to a Google-owned server through a spell-check function. Maawali discovered the activity using software that monitors and debugs the HTTP/HTTPS traffic of applications.

To verify the threat, he noted on a website dedicated to the incident that all users have to do is “simply paste any random sentence with [a] spelling mistake in the textbox in Coinomi’s ‘Restore Wallet’ form/page.” The result, he wrote, is that the error will be underlined in red, after being sent to Google for a spell check.
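The check Maawali describes is manual. The same leak can be caught from the defender's side by scanning captured traffic for request bodies that look like a recovery phrase leaving the device for a host the wallet has no business talking to. The following is an added example, not code from the article or from Coinomi; the log format, the host names and the phrase are all constructed, and the mnemonic test is a length-and-shape heuristic rather than a lookup against the BIP39 wordlist.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample of proxy log lines in the format this example assumes:
# METHOD HOST PATH body=<form-encoded body>. No host or phrase here is real.
SAMPLE_LOG = """\
POST wallet-backend.example /api/balance body=account=1234
POST spellcheck.example /check body=text=alpha%20bravo%20charlie%20delta%20echo%20foxtrot%20golf%20hotel%20india%20juliet%20kilo%20lima
POST spellcheck.example /check body=text=this%20sentnce%20has%20a%20typo
GET  cdn.example /icons.png body=
"""

# Valid BIP39 mnemonic lengths.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}

# Hosts the wallet is expected to contact (assumed); anything else is third party.
ALLOWED_HOSTS = {"wallet-backend.example"}

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+body=(?P<body>.*)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    word_count: int


def looks_like_mnemonic(text: str) -> bool:
    """Heuristic: only lowercase alphabetic words, and a word count that is a
    valid BIP39 length. Does not verify the words against the wordlist."""
    words = text.split()
    return len(words) in MNEMONIC_LENGTHS and all(
        w.isalpha() and w.islower() for w in words
    )


def extract_text_fields(body: str) -> list[str]:
    """Decode the values of a form-encoded body (assumed content type)."""
    return [v for values in parse_qs(body).values() for v in values]


def find_seed_phrase_leaks(log_text: str) -> list[Finding]:
    """Flag requests to non-allowlisted hosts whose body carries a mnemonic-shaped field."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("host") in ALLOWED_HOSTS:
            continue
        for value in extract_text_fields(m.group("body")):
            if looks_like_mnemonic(value):
                findings.append(
                    Finding(m.group("host"), m.group("path"), len(value.split()))
                )
    return findings


if __name__ == "__main__":
    for f in find_seed_phrase_leaks(SAMPLE_LOG):
        print(f"possible seed phrase sent to {f.host}{f.path} ({f.word_count} words)")
```

On the sample above only the twelve-word request to the spell-check host is reported; the misspelled sentence is the same kind of request but has the wrong shape, and the balance call goes to an allowlisted host. In practice the allowlist and the log parser are the parts to adapt to the wallet and proxy actually in use.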

On Twitter, security researcher Luke Childs published a video showing that Coinomi was indeed sending its users’ seed phrases to Google.

Maawali believes his funds were stolen by someone with access to the traffic, or by someone at Google who noticed the seed phrase. The researchers added that other Coinomi wallet users have reported seeing their funds disappear.

Coinomi’s Response

Before making the vulnerability public, Maawali claims to have reached out to Coinomi explaining the situation. Per his words, the team behind the wallet “did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation.”

Maawali claims Coinomi “kept reminding” him in a threatening way of “the legal implications” of disclosing the vulnerability. He noted they shouldn’t forget about the legal implications of his funds, now gone.

Luke Childs had previously disclosed another Coinomi vulnerability: the wallet transmitted its users’ transaction data to Electrum servers unencrypted, without standard transport security. At the time, the developers reacted defensively, accusing Childs of spreading fear, uncertainty, and doubt (FUD).

Maawali advised those using Coinomi to secure their funds as soon as they can:

To everyone who is using or used Coinomi wallet, make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application, otherwise your funds might get stolen sooner or later.

Available data shows the Coinomi wallet isn’t open-source, meaning its code isn’t available to the public. Some in the crypto community believe these wallets should be avoided, as they can contain hidden security vulnerabilities.

Decentralized Crypto Exchange Bisq Exploited for $250,000 in BTC and XMR

Decentralized cryptocurrency exchange Bisq, which allows for peer-to-peer trading, halted trading on Tuesday after uncovering a “critical security vulnerability.” The vulnerability led to the loss of at least $250,000 in BTC and XMR.

At the time the exchange didn’t go into detail about the situation, but merely advised users not to make any transactions. It used an alert key function to halt trading, but because it is a decentralized exchange, the halt can be bypassed by users.

About 18 hours after initially halting trading, Bisq revealed it was exploited by a hacker who managed to steal “approximately 3 BTC and 4000 XMR” from seven different users on the platform. The only affected market was XMR/BTC, and the affected trades occurred over the past 12 days, Bisq revealed.

The vulnerability was introduced by an upgrade meant to further decentralize the platform by removing arbitrators, who had held a third key in the multisig escrow used for trade funds. The arbitrators were replaced with mediators, and with arbitrators holding no keys in the escrow. To make up for the removal of a trusted third party, Bisq moved the BTC trade funds of abandoned trades to a so-called “donation address” after a time limit.

Per the exchange, a flaw in the way these trades were carried out allowed a hacker to replace the address the funds would be sent to with one of his own, netting around $250,000 in crypto.

This donation address is set by the Bisq DAO and approved by DAO stakeholders. Bisq software did not verify that the payout address for trades was actually the Bisq donation address set by the DAO before signing and sending the time-locked payout TX to the trade counterparty.
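The missing check is a small one: before a party signs the time-locked payout, the payout address in the proposal has to be compared against the donation address the DAO actually published. The following is an added example, not Bisq's code; the trade structures, the placeholder addresses and the HMAC stand-in for the real multisig signature are all constructed to show the unchecked signer beside the checked one.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Donation address as published by the DAO. Constructed placeholder, not a real Bisq address.
DAO_DONATION_ADDRESS = "bc1q-dao-donation-placeholder"


@dataclass(frozen=True)
class PayoutProposal:
    trade_id: str
    payout_address: str  # destination proposed by the trade counterparty
    lock_time: int       # block height before which the payout TX is invalid


class PayoutAddressMismatch(Exception):
    """Raised when the proposed payout address is not the DAO donation address."""


def _sign(key: bytes, proposal: PayoutProposal) -> str:
    """Stand-in for the real multisig signature: HMAC over the payout fields (assumed)."""
    message = f"{proposal.trade_id}|{proposal.payout_address}|{proposal.lock_time}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_payout_unchecked(key: bytes, proposal: PayoutProposal) -> str:
    """Vulnerable pattern: signs whatever payout address the peer supplied."""
    return _sign(key, proposal)


def validate_payout(
    proposal: PayoutProposal,
    expected_address: str = DAO_DONATION_ADDRESS,
    min_lock_time: int = 0,
) -> bool:
    """True only if the payout goes to the DAO-set address and respects the time lock."""
    address_ok = hmac.compare_digest(
        proposal.payout_address.encode(), expected_address.encode()
    )
    return address_ok and proposal.lock_time >= min_lock_time


def sign_payout_checked(
    key: bytes,
    proposal: PayoutProposal,
    expected_address: str = DAO_DONATION_ADDRESS,
    min_lock_time: int = 0,
) -> str:
    """Hardened pattern: refuse to sign unless the proposal passes validation."""
    if not validate_payout(proposal, expected_address, min_lock_time):
        raise PayoutAddressMismatch(
            f"trade {proposal.trade_id}: payout address {proposal.payout_address!r} "
            f"is not the DAO donation address or the lock time is too short"
        )
    return _sign(key, proposal)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    hijacked = PayoutProposal("trade-1", "bc1q-attacker-placeholder", lock_time=1000)
    print("unchecked signer produced:", sign_payout_unchecked(key, hijacked)[:16], "...")
    try:
        sign_payout_checked(key, hijacked)
    except PayoutAddressMismatch as exc:
        print("checked signer refused:", exc)
```

The expected address is passed in rather than read from the proposal, which is the whole point: the value the DAO approved is the reference, and anything the counterparty sends is compared against it, never trusted on its own.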

On Bisq’s forums, users pointed to a bitcoin address the funds moved through, which has seen a total of 19.6 BTC ($143,000) flow through it. Blockchain data shows the funds have since then hopped through various addresses, likely to conceal their origin and throw off sleuths.

Bisq’s DAO, the exchange’s funding mechanism, is reportedly going to create a proposal to repay the seven known victims of the hack using future trading revenues.

Featured image via Pixabay.