Cryptocurrency storage application Coinomi Wallet has refuted recent claims that its software was coded to send unencrypted wallet recovery seed phrases to Google’s spell check servers. The claims were denied in an official statement posted on Medium on Wednesday, February 27.
Coinomi clarified that seed phrases “weren’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets,” and that if they were sent, they were encrypted and “encapsulated inside a HTTPS request with Google being the sole recipient.”
Our official statement on the spell-check findings: https://t.co/o7Fmhn2FoI
— coinomi (@CoinomiWallet) February 27, 2019
Additionally, “the spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as ‘Bad Request’ and weren’t processed further by Google.”
Still, Coinomi did acknowledge that this was a problem, one that was likely caused by a poor configuration in plug-in software that operates as part of the Coinomi wallet desktop application.
Allegations, Threats, and Blackmail
The claims were originally publicly made against the company came from one Warith Al Maawali, a man who said that a Coinomi wallet had been hacked because of the vulnerability. Maawali created a support request on Coinomi’s board describing the claims in detail; he also seems to have created Avoid-Coinomi.com, a website that also contains descriptions of the vulnerability as he sees it.
Coinomi is said to have immediately flagged the post as ‘high priority’ and to have launched an investigation into the matter. Despite this, however, Coinomi COO Angelos Leoussis explained on the company’s Telegram channel that Maawali persisted in “threatening, swearing, and blackmailing us for insane amounts.”
Unfortunately for Coinomi, Maawali’s claims spread like wildfire over the web. At the time of writing, a number of crypto-centric news publications, including DecryptMedia, Ethereum World News, and Bitcoin Exchange Guide have reported on Maawali’s claims without including Coinomi’s defense.
SECURITY VULNERABILITY@CoinomiWallet sends your plain text seed phrase to Googles remote spellchecker API when you enter it! This is not a joke!
Video attached for proof. Credit goes to @warith2020 for finding the issue, read more from him here: https://t.co/tCZ0hDPyJ3 pic.twitter.com/hdaPOb84A9 — Luke Childs (@lukechilds) February 27, 2019
CoinTelegraph reported that before Maawali went public with his allegations, he requested that the company refund him the cryptocurrency that had allegedly been stolen from him, threatening that if they failed to do so, he would have “no choice other than reporting this in social media.” However, Maawali would not provide Coinomi with the details of his claims.
Coinomi proceeded by asking Maawali for more information on the alleged vulnerability. Maawali is said to have responded by saying that he wouldn’t give any details until he was guaranteed payment.
Let the message be clear, we do not negotiate with blackmailers.
Here is the full Helpdesk correspondance with @warith2020 (a blackmail gone wrong): ? https://t.co/N8cogTK8nu ? — coinomi (@CoinomiWallet) February 27, 2019
Even so, Coinomi reportedly reported the allegedly stolen assets to Chainalysis, so that the funds will be blacklisted, and therefore will not be accepted by any exchange.
Regardless of whether or not Coinomi's alleged vulnerability actually led to the theft of Maawali's assets, the debacle has served as a reminder that software wallets can be risky.
Indeed, Ledger CEO Eric Larchevêque told Finance Magnates in an email that “the Coinomi meltdown is further evidence of why software wallets are a recipe for disaster. When entrusting a software wallet with your assets, you are exposing your private keys to the internet, leaving them vulnerable to attack. Simply put, Cold Storage on a hardware wallet is the only way for investors to ensure complete security of their private keys.”
Finance Magnates reached out to Coinomi but had not received a response at the time of publication.