The crypto wallet company Coinomi just released its preliminary findings after a user, Warith Al Maawali, reported losing his life savings of $60,000 to $70,000 in digital assets due to a flaw in the platform’s security.
In a post on Reddit, Al Maawali says that after his funds disappeared, he discovered the platform’s desktop wallet was sending users’ seed phrases (a string of words used to access crypto funds) directly to Google through an encrypted request.
“As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!”
Coinomi says it has fixed the issue, which is tied to a configuration problem with Google’s spell-check feature.
“The seed phrase wasn’t being transmitted in plain text, instead it was being encapsulated inside an HTTPS request with Google being the sole recipient…
Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only. That plugin enabled the spell-check functionality by default in a recent update and was fixed by the jxBrowser plug-in team just 6 days ago – which is the same day we were contacted by Warith Al Maawali.
All Desktop versions were patched immediately after we received the full disclosure, and we then started further exploring the implications of this issue in order to provide our users with the proper guidance and inform them on the course of action that needed to be taken,
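The failure described above, a secret typed into a text field that an embedded browser spell-checks through a remote service, can be audited for in a wallet's UI markup. The following is an added example, not Coinomi's or JxBrowser's code: it assumes the UI is HTML and relies on the standard HTML `spellcheck` attribute, and the field-name heuristic, the `audit` helper and the sample form are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic: attribute text suggesting a field holds a wallet secret.
SENSITIVE = re.compile(r"seed|mnemonic|passphrase|recovery|private.?key", re.I)
VOID = {"input", "br", "img", "hr", "meta", "link"}

class SpellcheckAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, effective spellcheck state) per open element
        self.findings = []  # (line, tag, field name)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        state = self.stack[-1][1] if self.stack else None  # None = browser default
        if "spellcheck" in a:
            v = a["spellcheck"].strip().lower()
            state = {"false": False, "true": True, "": True}.get(v, state)
        # Password inputs are not spell-checked, so only free-text fields count.
        is_text = tag == "textarea" or (
            tag == "input" and a.get("type", "text").lower() in ("text", "search"))
        label = " ".join(a.get(k, "") for k in ("id", "name", "placeholder"))
        # Only an explicit spellcheck="false" (own or inherited) is treated as safe.
        if is_text and SENSITIVE.search(label) and state is not False:
            self.findings.append((self.getpos()[0], tag, a.get("id") or a.get("name") or "?"))
        if tag not in VOID:
            self.stack.append((tag, state))

    def handle_endtag(self, tag):
        # Pop back to the matching open element, tolerating sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = SpellcheckAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample form, not taken from any real wallet.
SAMPLE = """<form id="restore">
  <textarea id="seed-phrase" placeholder="Enter your 12 words"></textarea>
  <div spellcheck="false"><textarea name="recovery_words"></textarea></div>
  <input type="text" name="mnemonic" spellcheck="true">
  <input type="password" name="wallet_passphrase">
</form>"""
```

Each finding is a field that should carry `spellcheck="false"`; the embedding application should also confirm that the browser component's own spell-check setting is off, since that default is what changed in this incident.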