Coinomi Wallet Seed Phrases Vulnerability Exposed; User Funds May Be at Risk

Wallet generation on Coinomi is prone to a security lapse, as analysts discover the unencrypted seed phrase being sent to Google’s spellcheck API.

A security analyst discovered a worrying vulnerability in the Coinomi wallet that potentially exposes the seed phrase during wallet generation. According to his tests, the Coinomi wallet sent the 12-word seed phrase in plain, unencrypted text to the Google spell check API, leaving the wallet and the funds in it potentially insecure. The affected user investigated the issue and contacted the Coinomi team a day before disclosing it publicly on social media.

https://twitter.com/warith2020/status/1100545569636917248

There are also suggestions that seed phrases transmitted during wallet generation may already have been intercepted, leading to losses for some users:

https://twitter.com/cointastical/status/1100702345787260931

In a longer Reddit explanation, a user who lost up to $70,000 in crypto holdings explains that importing a passphrase into Coinomi led to the wallet being exposed and exploited. He immediately appealed to all Coinomi users to move their funds and switch to a new wallet.

“So essentially the textbox which you enter your passphrase in is basically an HTML file run by a Chromium browser component, and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for spelling check (how awesome is that!),” user Warith77, who discovered the issue, stated in a Reddit thread.
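The quote describes a secret-entry field left at the browser's default spellcheck behaviour. The following added example (not Coinomi's code, and not from the article) shows the client-side control a wallet UI can apply: audit seed and password fields for the HTML global attribute spellcheck="false" and set it where missing. The field-name hints, the element stand-in and the sample form are constructed for the example.

```javascript
// Added example, not Coinomi's code: audit and harden secret-entry fields in a
// Chromium-hosted HTML UI. Chromium's spellcheck may pass field text to a remote
// service; the HTML global attribute spellcheck="false" opts an element out.
// Elements only need getAttribute/setAttribute, so real DOM nodes work too.

// Hypothetical name/id fragments marking a field as holding wallet secrets.
const SECRET_HINTS = ["seed", "mnemonic", "passphrase", "recovery", "private"];

function looksLikeSecretField(el) {
  const attr = (n) => (el.getAttribute(n) || "").toLowerCase();
  if (attr("type") === "password") return true;
  return SECRET_HINTS.some((h) => attr("name").includes(h) || attr("id").includes(h));
}

// Ids of secret fields a spellchecker could still read: anything other than
// the literal spellcheck="false" leaves the inherited default in effect.
function auditSecretFields(elements) {
  return elements
    .filter(looksLikeSecretField)
    .filter((el) => (el.getAttribute("spellcheck") || "").toLowerCase() !== "false")
    .map((el) => el.getAttribute("id") || el.getAttribute("name"));
}

// Turns off spellcheck, autofill and autocapitalisation (which also retain or
// rewrite field text) on every secret field; returns the ids it changed.
function hardenSecretFields(elements) {
  const fixed = [];
  for (const el of elements) {
    if (!looksLikeSecretField(el)) continue;
    el.setAttribute("spellcheck", "false");
    el.setAttribute("autocomplete", "off");
    el.setAttribute("autocapitalize", "off");
    fixed.push(el.getAttribute("id") || el.getAttribute("name"));
  }
  return fixed;
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
function makeElement(attrs) {
  const store = { ...attrs };
  return {
    getAttribute: (n) => (n in store ? String(store[n]) : null),
    setAttribute: (n, v) => { store[n] = String(v); },
  };
}

// Constructed sample form: seed box at default, password with spellcheck on, plain field.
const sampleForm = [
  makeElement({ id: "seed-phrase" }),
  makeElement({ id: "wallet-password", type: "password", spellcheck: "true" }),
  makeElement({ id: "display-name", type: "text" }),
];
```

Running `auditSecretFields(sampleForm)` before and after `hardenSecretFields(sampleForm)` shows the two secret fields flagged first and none afterwards, while the display-name field is left untouched.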

The Coinomi wallet team has not commented on the issue yet. While a seed phrase is practically impossible to crack by brute force once encoded, sending it in plain text opens other routes to exposure and fund theft for any user generating or importing a seed phrase.

The Coinomi wallet is widely used, with more than 15,000 downloads from the Google Play store. All users are potentially exposed to the vulnerability, as their seed phrases could be present in plain text in log files on Google servers. So far, beyond Warith77 (or @warith2020), there are no other reports of losses. The user also suggests that the data transmitted to the Google API could be stolen and exploited by malicious actors at the company.

“Be aware that probably all desktop versions are affected (I’m not sure about the mobile versions) and the guy/group who is/are capturing the passphrases is possibly targeting only wallets with a decent amount of assets to stay low profile as long as he/they can,” commented the affected user.

Coinomi is a closed-source wallet, which further hides the vulnerability from users and testers, who cannot review the code. In the past, Coinomi users have also reported losses for unknown reasons, and this security flaw might explain them.
