The crypto wallet company Coinomi just released its preliminary findings after a user, Warith Al Maawali, reported losing his life savings of $60,000 to $70,000 in digital assets due to a flaw in the platform’s security.
In a post on Reddit, Al Maawali says that after his funds disappeared, he discovered the platform’s desktop wallet was sending users’ seed phrases (a string of words used to access crypto funds) directly to Google through an encrypted request.
“As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!”
Coinomi says it has fixed the issue, which is tied to a configuration problem with Google’s spell-check feature.
“The seed phrase wasn’t being transmitted in plain text; instead it was being encapsulated inside an HTTPS request with Google being the sole recipient…
Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only. That plugin enabled the spell-check functionality by default in a recent update and was fixed by the jxBrowser plug-in team just 6 days ago – which is the same day we were contacted by Warith Al Maawali.
All Desktop versions were patched immediately after we received the full disclosure, and we then started further exploring the implications of this issue in order to provide our users with the proper guidance and inform them on the course of action that needed to be taken, if any.”
Coinomi says it has had no other reports of users affected by the issue and says it doubts anyone at Google stole Al Maawali’s funds.
“During these days, Warith Al Maawali repeatedly refused to disclose his findings and kept threatening to take this public if we didn’t pay right away the ransom of 17 BTC which would make up for the ‘hacked’ funds…
We’ve had zero reports of hacked Desktop wallets so far other than Warith Al Maawali’s, which however cannot be sustained by the underlying facts – there is still way to investigate the authenticity of his claim and if the funds were indeed stolen it was much more likely due to an infected host rather than Google itself stealing these funds. If the claim is proven to be false we will seek remedies to set things straight and to prevent their recurrence.”
Coinomi says the issue does not affect Android or iOS users, and desktop wallet users should update their client to the latest version, which fixes the issue.
You can check out Coinomi’s full report here.