Security Alert: Crypto Wallet Coinomi Reportedly Sending Seed Phrases to Google

Francisco Memoria

Multi-asset cryptocurrency wallet Coinomi reportedly has a serious security vulnerability: according to several security researchers, it has been sending users’ seed phrases in plain text to third-party servers.

Twitter user Warith Al Maawali, who first reported the issue, says he discovered it after losing a large amount of cryptocurrency shortly after entering his recovery phrase into Coinomi. He wrote:

My passphrase was compromised and $60K-$70K worth of crypto-currency were stolen because of Coinomi wallet and how the wallet handled my passphrase.

The vulnerability itself is simple: the wallet sends the seed phrase a user types into it, unencrypted and in plain text, to a Google-owned server through a spell-check function. Maawali discovered the behaviour using software that monitors and debugs an application’s HTTP/HTTPS traffic.

To verify the threat, he noted on a website dedicated to the incident that users need only “simply paste any random sentence with [a] spelling mistake in the textbox in Coinomi’s ‘Restore Wallet’ form/page.” The result, he wrote, is that the misspelled word is underlined in red, having been sent to Google for a spell check.
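The underlying mistake is a general one for any wallet whose user interface is rendered by a browser engine: every free-text field gets the engine’s spellchecker by default, and the spellchecker ships the field’s contents to whatever service the engine is configured to use. The example below is added here and is not Coinomi’s code; it shows a constructed “Restore Wallet” form that leaves the recovery-phrase field at browser defaults, the same form with spellcheck, autocomplete and mobile autocorrect switched off (the `spellcheck`, `autocomplete`, `autocorrect` and `autocapitalize` attributes are standard or widely honoured HTML attributes), and a small audit that lists the fields whose contents would be spellchecked. The tag parser is a deliberately minimal regex, adequate for well-formed markup like this and not a full HTML parser.

```javascript
// Added example, not Coinomi's code. The two forms below are constructed for
// this illustration.

// Constructed: a restore form that leaves the recovery phrase textarea at browser
// defaults, so the engine's spellchecker sees every word typed into it.
const VULNERABLE_FORM = `
<form id="restore-wallet">
  <textarea name="seed" rows="3"
            placeholder="Enter your 12- or 24-word recovery phrase"></textarea>
  <input type="password" name="passphrase" placeholder="Optional passphrase">
  <input type="text" name="wallet-label" placeholder="Wallet name">
  <button type="submit">Restore</button>
</form>`;

// Constructed: the same form with spellcheck, autocomplete and mobile
// autocorrect/autocapitalize disabled on every free-text field.
const HARDENED_FORM = `
<form id="restore-wallet">
  <textarea name="seed" rows="3" spellcheck="false" autocomplete="off"
            autocorrect="off" autocapitalize="off"
            placeholder="Enter your 12- or 24-word recovery phrase"></textarea>
  <input type="password" name="passphrase" autocomplete="off"
         placeholder="Optional passphrase">
  <input type="text" name="wallet-label" spellcheck="false" autocomplete="off"
         placeholder="Wallet name">
  <button type="submit">Restore</button>
</form>`;

// Extract <input> and <textarea> tags with their attributes (lower-cased).
// Minimal regex parsing: fine for well-formed markup, not a general HTML parser.
function parseTextFields(html) {
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const fields = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? "").toLowerCase();
    }
    fields.push({ tag: m[1].toLowerCase(), attrs });
  }
  return fields;
}

// A field's contents reach the spellchecker if it is a textarea or a plain
// text/search input (the types engines spellcheck by default) and spellcheck
// has not been explicitly set to "false". Password inputs are never spellchecked.
function isSpellcheckedField(field) {
  if (field.tag === "textarea") return field.attrs.spellcheck !== "false";
  const type = field.attrs.type || "text";
  const freeText = type === "text" || type === "search";
  return freeText && field.attrs.spellcheck !== "false";
}

// Names of the fields in a form whose contents would be sent for spellchecking.
function auditSpellcheck(html) {
  return parseTextFields(html)
    .filter(isSpellcheckedField)
    .map((f) => f.attrs.name || "(unnamed)");
}

// Rewrite a single <input>/<textarea> tag so that spellcheck, autocomplete and
// autocorrect are off. Idempotent: an already hardened tag comes back unchanged.
function hardenField(tagHtml) {
  const wanted = {
    spellcheck: "false",
    autocomplete: "off",
    autocorrect: "off",
    autocapitalize: "off",
  };
  const [field] = parseTextFields(tagHtml);
  if (!field) throw new Error("not an <input>/<textarea> tag");
  let out = tagHtml;
  for (const [k, v] of Object.entries(wanted)) {
    if (field.attrs[k] === v) continue;
    // Drop any existing value for the attribute, then add the required one
    // just before the end of the opening tag.
    out = out.replace(
      new RegExp(`\\s${k}\\s*=\\s*("[^"]*"|'[^']*'|[^\\s"'>]+)`, "i"),
      ""
    );
    out = out.replace(/>/, ` ${k}="${v}">`);
  }
  return out;
}

console.log("vulnerable form leaks:", auditSpellcheck(VULNERABLE_FORM));
console.log("hardened form leaks:", auditSpellcheck(HARDENED_FORM));
console.log(hardenField('<textarea name="seed"></textarea>'));
```

Disabling spellcheck in the markup only closes the path the page describes; a wallet should also audit, with an intercepting proxy as Maawali did, that nothing typed into the restore form appears in any outbound request at all.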

On Twitter, security researcher Luke Childs published a video showing that Coinomi was indeed sending its users’ seed phrases to Google.

Maawali believes his funds were stolen by someone with access to the traffic, or by someone at Google who noticed the seed phrase. The researchers added that other Coinomi wallet users have reported seeing their funds disappear.

Coinomi’s Response

Before making the vulnerability public, Maawali says he contacted Coinomi and explained the situation. In his words, the team behind the wallet “did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation.”

Maawali claims Coinomi “kept reminding” him in a threatening way of “the legal implications” of disclosing the vulnerability. He noted they shouldn’t forget about the legal implications of his funds, now gone.

Luke Childs has previously disclosed another Coinomi weakness: the wallet transmitted its users’ transaction data to Electrum servers without transport encryption. At the time the developers reacted defensively, accusing Childs of spreading fear, uncertainty, and doubt (FUD).

Maawali advised those using Coinomi to secure their funds as soon as they can:

To everyone who is using or used Coinomi wallet, make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application otherwise your funds might get stolen sooner or later

Available information indicates the Coinomi wallet is not open-source, so its code cannot be inspected by the public. Some in the crypto community believe closed-source wallets should be avoided, since flaws like this one can go unnoticed without independent review of the code.

Privacy Features Are Going To Change Ethereum For Good

Michael LaVere
  • Ethereum developers are working towards completely private transactions
  • Rise of Facebook coin and regulatory pressure makes privacy more necessary than ever

Privacy has become a buzzword in the cryptocurrency industry, and ethereum developers are beginning to recognize its importance.

Vitalik Buterin on Ethereum Privacy Features

Ethereum has frequently made headlines in 2019 over its slow transition to ETH 2.0, a massive overhaul that will shift the network’s consensus algorithm from proof-of-work (PoW) to proof-of-stake (PoS); the Constantinople hard fork earlier in the year was one step along that road.

Security features have likewise become a focal point in the transition.

In May, Ethereum co-founder Vitalik Buterin published a piece on HackMD claiming the network was in need of a step towards “more privacy.” Buterin proposed a feature for allowing ether users to obscure their activity on the blockchain in one-off transactions, calling his design a “minimal mixer” that relied upon “anonymity sets.”

Buterin further explained the idea in an email to CoinDesk:

“Anonymity set is cryptography speak for ‘set of users that this thing could have come from.’ For example if I sent you 1 ETH and you can’t tell who exactly it was from but you can tell that it came from (myself, Alice, Bob or Charlie), then the anonymity set has size 4. The bigger the anonymity set the more privacy you have.”
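The following toy model, added here as an illustration and not Buterin’s minimal-mixer design or any real contract, makes the anonymity-set idea concrete from a chain observer’s point of view. It assumes a pool that accepts deposits of fixed denominations and pays withdrawals to fresh addresses with no visible link to the depositor; the event log is constructed. For each withdrawal it returns the set of depositors it could have come from, which is exactly the “set of users that this thing could have come from” in the quote, and shows the two ways the set collapses to size 1: withdrawing when you are the only depositor so far, and using a denomination nobody else has deposited.

```javascript
// Added illustration of anonymity sets for a fixed-denomination mixing pool.
// Toy observer model with a constructed event log; not Buterin's design or any
// deployed contract.

// What an observer sees on-chain: deposits name the depositor and the
// denomination; withdrawals name only a fresh recipient and the denomination.
const EVENTS = [
  { type: "deposit", from: "me", amount: 1 },
  { type: "withdraw", to: "fresh-1", amount: 1 }, // only one depositor so far
  { type: "deposit", from: "alice", amount: 1 },
  { type: "deposit", from: "bob", amount: 1 },
  { type: "deposit", from: "charlie", amount: 1 },
  { type: "deposit", from: "dave", amount: 10 }, // a different denomination
  { type: "withdraw", to: "fresh-2", amount: 1 },
  { type: "withdraw", to: "fresh-3", amount: 10 },
];

// Candidate senders for the withdrawal at index i: every distinct depositor of
// the same denomination whose deposit precedes the withdrawal. Earlier
// withdrawals eliminate nobody, because the observer cannot tell which
// deposit any of them spent.
function anonymitySet(events, i) {
  const w = events[i];
  if (!w || w.type !== "withdraw") throw new Error("not a withdrawal");
  const candidates = new Set();
  for (const e of events.slice(0, i)) {
    if (e.type === "deposit" && e.amount === w.amount) candidates.add(e.from);
  }
  return [...candidates];
}

// Size of the anonymity set for every withdrawal in the log, keyed by recipient.
function anonymitySetSizes(events) {
  const sizes = {};
  events.forEach((e, i) => {
    if (e.type === "withdraw") sizes[e.to] = anonymitySet(events, i).length;
  });
  return sizes;
}

console.log(anonymitySetSizes(EVENTS));
// fresh-1 and fresh-3 have an anonymity set of 1 (no privacy at all);
// fresh-2 could have come from me, alice, bob or charlie (size 4).
```

The model is why mixers insist on fixed denominations and why users are told to wait for other deposits before withdrawing: the set only grows with deposits of the same size that land before yours leaves.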

Development Focus For Ethereum

Blockchains are public ledgers built for transparency, a property that has historically been at odds with anonymous transactions.

However, the evolution of mixers and zero-knowledge proofs has created the opportunity for privacy on a platform like ethereum, while still maintaining the integrity of the blockchain.

Itamar Lesuisse, CEO of Argent, gave his support for increased privacy on ethereum, even in the ‘simplest’ of use cases,

“If you just look at the most simplest use case, if I say, ‘Hey Christine, can you send me ten dollars [worth of ether]? Here’s my wallet address.’ Now, you know how much money I have.”

Lesuisse continued,

“It’s so transparent, which is a great picture of blockchain, but for some users, it might scare them away to use it at scale.”

The Argent CEO and other developers are working towards the creation of tools that allow for private transactions, which they believe will lead to increased adoption. The blockchain team at Big Four auditor EY has also been active. Last month, the group released code on GitHub under the name ‘Nightfall,’ which provides a solution for enabling anonymous ether transactions.

According to the GitHub post, Nightfall combines a set of smart contracts, microservices and zk-SNARKs to let ERC-20 tokens be transacted on ethereum’s blockchain in “complete privacy.” While the code is still experimental, it could give ether users private transactions to rival those of leading privacy coins like monero and zcash.

Privacy Needed More Than Ever

Two recent developments will heighten the need for privacy features going forward. Social media giant Facebook is wading into digital currencies with the launch of libra, despite its poor record of securing user data. In addition, the intergovernmental Financial Action Task Force (FATF) passed a controversial mandate on Friday requiring crypto exchanges to share user data.

Both could have the effect of pushing users towards privacy coins, in an effort to escape the increased centralization and regulation imposed on cryptocurrency.