Cryptocurrency wallet Coinomi has once again become involved in a security scandal, with a security consultant claiming to have found a vulnerability in the service. Allegedly, the service would send wallet seed phrases, the backup information needed to recover a crypto wallet, to servers unencrypted—allowing hackers to potentially intercept the data and steal a user’s funds.
Al Maawali, a “cryptocurrency strategist and security consultant” based out of Oman, claims to have found a vulnerability in the Coinomi desktop wallet. Like many other software wallets, it uses a 12-word seed-phrase to restore a wallet in cases where a user loses or damages their computer, or in some cases where a user forgets their pin or needs to transfer funds to a new device.
Maawali created a website explaining the exploit in detail after allegedly losing $60,000 to $70,000 in cryptocurrency from the exploit.
More technically, he details how passphrases are stored in plain-text, or in other words are unencrypted, before they are sent to Coinomi’s servers to perform a “spelling check function,” a feature that supposedly makes it easier for users to catch typos when entering their 12-word seed phrases.
— Warith Al Maawali (@warith2020) February 26, 2019
He documented the bug via video. At the time, the Coinomi Wallet team had already provided a few answers to Maawali’s accusations after he demanded compensation for his losses.
The entire conversation between Maawali and Coinomi was posted by the company on their Twitter page after the dispute escalated. According to Maawali, the exploit was due to a poor security implementation on Coinomi’s part. Meanwhile, the company responded that it does not “negotiate with blackmailers” after Maawali demanded for compensation for his losses.
Maawali also recognized that the security vulnerability could theoretically have been exploited by someone who has access to the requests sent to the server, such as an employee. Someone working at the database center that Coinomi was using could have identified the seed phrase and used it to access his crypto wallet to steal his funds, according to Maawali.
Two Sides to Every Story
A few hours after Maawali’s public accusations, London-based Coinomi released an official statement to address the claims.
According to Coinomi, the company’s engineers had confirmed that the spell check function was indeed enabled for desktop wallets but claimed that not all seed phrases were transmitted without encryption. Allegedly, the data was sent with encryption and was only sent to the cloud servers Coinomi was utilizing for its service.
Yet, Coinomi also emphasized that seed phrases were only transmitted when users chose to restore their wallet using the seed. Lastly, the company claimed that the data sent to the servers was not “processed, cached, or stored,” suggesting that it would be impossible for a server employee to intercept or locate the seeds.
Coinomi instead asserts that the spell check was actually implemented correctly. The cause of the hack, according to the company, was a “bad configuration”:
“Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only… All Desktop versions were patched immediately after we received the full disclosure, and we then started further exploring the implications by this issue in order to provide our users with the proper guidance and inform them on the course of action that needed to be taken, if any.”
Moreover, Coinomi claims that Maawali would not co-operate unless he was compensated:
“[He] refused to disclose his findings and kept [sic] threatened to take (the matter) public” unless payment of 17 BTC was made to compensate him for the allegedly stolen funds.
Let the message be clear, we do not negotiate with blackmailers.
Here is the full Helpdesk correspondance with @warith2020 (a blackmail gone wrong):
— coinomi (@CoinomiWallet) February 27, 2019
The company further emphasized that no other reports of compromised desktop wallets were brought to the attention of the company. As a result, the company is “investigating the authenticity of Maawali’s claims,” going as far as to say that the hack was “more likely… an infected host rather than Google [the server service] stealing these funds.”
That said, the company also claims that if it’s incorrect about its assessment of the incident then it will it will remedy the situation for those affected.
Coinomi and Other Controversies
Coinomi has experienced a similar incident in the past. In 2017, two users claimed that Coinomi’s Android App was powered by servers without encryption. Again, this meant that Bitcoin addresses that were broadcasted over the network without encryption, exposing them to theft. Both users also went public with the privacy flaw.
As always, theft and hacking appear to be a recurring problem in the cryptocurrency industry. Consequently, crypto users must remain diligent and choose which services they trust with their coins carefully.