Cryptocurrency wallet provider Coinomi has responded to recent claims that the company's wallet software sends wallet recovery seed phrases to Google's remote spell checker servers in unencrypted text. According to Coinomi's Medium post, the spell check requests "returned an error (code: 400) as they were flagged as 'Bad Request' and weren't processed further by Google."
Exchanging a Few Words
Warith Al Maawali created the avoid-coinomi.com website after finding the alleged vulnerability in the Coinomi desktop wallet. Like other software wallets, Coinomi uses a 12-word seed phrase in the event a user needs to restore a wallet, forgets their pin, or needs to transfer funds to a new device. On his website, Maawali explains that, while restoring his Coinomi wallet on his desktop, his seed phrases were sent in "clear plain text" (unencrypted) to googleapis.com, a domain name owned by Google that acts as a spellcheck function. The feature is supposedly meant to make it easier for users to spot typos while entering in their seed phrases.
Maawali posted a video of the alleged vulnerability to the avoid-coinomi website. He claimed the bug resulted in $60,000 to $70,000 worth of cryptocurrency being stolen from his wallet by "someone from Google's team" or whoever had access to the Google server. As for how the alleged hacker knew the 12 words were a part of a wallet recovery phrase, Maawali states: "Anyone who is involved in technology and crypto-currency knows that a [sic] 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!"
Maawali alerted Coinomi to the supposed bug via email on February 22. The wallet provider then published the conversation that took place between Maawali and Coinomi. In the conversation, Maawali asked that Coinomi "refund the stolen amount of coins or their value in USD and consider it as a 'bug bounty reward' … otherwise I have no choice other than reporting this in social media." Coinomi then asked for a video call to be held for "KYC purposes," to which Maawali replied: "Tomorrow I am going live with this as well as sending a copy to the authorities I will let the authorities and public deal with you [sic]. All I am asking to get my funds back 65k-70k or 17 BTC in value." Finally, Coinomi took to Twitter to declare that the company does not "negotiate with blackmailers."
On February 27, Coinomi posted its official statement on Medium, addressing the vulnerability claim. According to Coinomi, the bug was a result of a "bad configuration option in a plug-in used in Desktop wallets only." The plug-in enabled the spellcheck function by default, and the team patched the desktop version of their wallet on February 22, the day Maawali first got in contact.
The statement also questions the validity of Maawali's theft claims, stating that Maawali repeatedly refused to disclose his findings and that the wallet could not have been hacked for three reasons:
"Coinomi Team never had access to these seed phrases or funds. No one else except for Google could read the contents of the encrypted packets that contained the seed phrases. Google rejected these requests … as they were badly formed (didn't contain a valid Google API key) and never actually processed them."
The statement notes that, with the patch to desktop wallets, Android and iOS users do not need to take any actions to secure their wallets, while desktop users just need to make sure they have updated to the latest patched version.
Responding to Coinomi's Response
With Coinomi's statement claiming outright that this issue could not have resulted in a loss of funds, MyCrypto founder and CEO Taylor Monahan took to Twitter to discuss the kind of language and tone used by Coinomi. In a series of tweets, Monahan criticized Coinomi's deflection of the claims made against its wallet software and its treatment of bug reporters. Eventually, MyCrypto posted its own statement on Medium, outlining positive and helpful steps to take in the event of a security incident.