The Coinomi wallet app has a serious vulnerability: it sends user passwords to Google's spellchecking service in plain text. This exposes users to a man-in-the-middle (MitM) attack, because anyone who intercepts the traffic obtains the password, can log into the account and later drain the funds from it.
The flaw was discovered by Oman-based programmer Warith Al Maawali while he was investigating the strange theft of 90 percent of his funds.
Al Maawali stated that during the Coinomi wallet setup, when users choose a password or passphrase, the Coinomi app takes whatever is typed into the passphrase textbox and silently sends it to Google's Spellcheck API service.
The app ships with several Google-centered features. The issue arises because the Coinomi team did not disable the automatic spellcheck feature in their wallet's UI code. As a result, every user's password is leaked over HTTP during the setup process.
Anyone who can intercept web traffic from the wallet app can read the Coinomi wallet passphrase in cleartext. With that passphrase, an attacker can access the user's wallet and every cryptocurrency account associated with it.
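The root cause described above is a UI configuration gap: a secret-bearing text field left with the engine's default spellcheck behaviour. The following is an added example, not Coinomi's code and not something the article contains, that audits HTML form markup for such fields. It assumes the wallet UI is HTML rendered by a Chromium-style engine (the article does not say which toolkit Coinomi uses), where spellcheck is on by default for editable text unless `spellcheck="false"` is set, and where `type="password"` inputs are never spellchecked. The field names, the `SECRET_NAME_PATTERN` heuristic and both sample forms are constructed for the example.

```javascript
// Added example: audit HTML form markup for secret-bearing fields whose
// contents a default-on spellchecker could read and send off-device.
// Assumption: Chromium-style engine; spellcheck defaults to on for <input>
// text fields and <textarea>, and is never applied to <input type="password">.

// Heuristic (constructed for this example) for field names that hold secrets.
const SECRET_NAME_PATTERN = /pass(word|phrase)|seed|mnemonic|recovery|private.?key/i;

// Parse the attribute list of one tag, e.g. `type="text" name="passphrase"`,
// into a lower-cased key -> value map. Handles "x", 'x' and bare values.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2]
      : m[3] !== undefined ? m[3]
      : m[4] !== undefined ? m[4]
      : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one finding per secret-bearing <input>/<textarea> that is still
// exposed to the spellchecker: not a password input, and spellcheck not
// explicitly set to "false". A seed-phrase <textarea> cannot be a password
// input, so it must carry spellcheck="false" to pass.
function auditSecretFields(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    const label = attrs.name || attrs.id || '';
    if (!SECRET_NAME_PATTERN.test(label)) continue;
    const isPasswordInput =
      tag === 'input' && (attrs.type || 'text').toLowerCase() === 'password';
    if (isPasswordInput) continue;
    const spellcheckOff = (attrs.spellcheck || '').toLowerCase() === 'false';
    if (!spellcheckOff) {
      findings.push({ tag, field: label, reason: 'spellcheck not disabled on secret field' });
    }
  }
  return findings;
}

// Constructed sample: the weak form mirrors the article's scenario (a plain
// text passphrase box), the hardened form is the corrected markup.
const WEAK_FORM = `
<form>
  <input type="text" name="passphrase" placeholder="Choose a passphrase">
  <textarea name="recovery-seed"></textarea>
  <input type="text" name="wallet-name">
</form>`;

const HARDENED_FORM = `
<form>
  <input type="password" name="passphrase" spellcheck="false" autocomplete="off">
  <textarea name="recovery-seed" spellcheck="false" autocomplete="off"></textarea>
  <input type="text" name="wallet-name">
</form>`;

console.log('weak form findings:', auditSecretFields(WEAK_FORM));        // 2 findings
console.log('hardened form findings:', auditSecretFields(HARDENED_FORM)); // []
```

The check is deliberately markup-level so it can run in a build or review step before the UI ever renders. In an Electron app (an assumption, since the article does not name the toolkit) the safer belt-and-braces option is to also turn the feature off for the whole session with Electron's `session.setSpellCheckerEnabled(false)`, so no field depends on a per-element attribute being remembered.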
Al Maawali said that because only Coinomi-stored funds were stolen, he believes the hackers gained access to those accounts after obtaining his Coinomi passphrase. He lost between $60,000 and $70,000 worth of various cryptocurrencies.
He has created a dedicated website describing the issue and the trouble he went through trying to get Coinomi to acknowledge the vulnerability. He has also posted a proof-of-concept video.
Earlier, in 2016, the Coinomi Android app had an issue where it communicated with its backend servers over plaintext HTTP.
Coinomi, which provides a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to the issue.