In an official announcement, global cryptocurrency wallet service provider Coinomi has denied the recent claims that its software sends recovery seed phrases to Google’s remote spell-checker servers in unencrypted plain text.
In the statement, Coinomi added that, contrary to what was reported, the seed phrase transmission was encrypted via SSL (HTTPS), with Google being the sole recipient capable of decrypting the message sent.
Coinomi stated that the phrase was transmitted only if the user chose to restore their wallet, and only on the desktop version. Finally, Coinomi states that the spell-check requests sent to Google weren’t cached or stored, since the servers flagged them as bad requests and did not process them any further.
The cause of the issue was reportedly a bad configuration in a plugin contained in the desktop version of Coinomi wallets.
The company recently, on 22nd Feb., claimed that Warith Al Maawali created a support request on their board concerning a vulnerability in their wallet that, according to Maawali, led to a wallet being hacked, as he claims on the dedicated website Avoid-Coinomi.
Coinomi supposedly flagged the request as high priority and investigated the matter. The company’s COO, Angelos Leoussis, added on the firm’s official Telegram group that the user was “threatening, swearing, and blackmailing us for insane amounts.”
While a video published on Avoid-Coinomi aims to demonstrate the alleged vulnerability, it appears to show that the option to decrypt HTTPS is selected in the software.
Leoussis shared an alleged copy of the conversation with Maawali, in which the user suggests that the digital wallet contains a backdoor and declares:
“You have few hours to return back my assets or i will go public with all the the [sic] proofs against you.”
Earlier on 23rd Feb., Maawali asked the company to refund the allegedly stolen crypto assets or their equivalent in USD, stating that otherwise he has “no option rather than reporting this in social media.” Still, he did not share his findings, adding that he would wait until the company shows its willingness to refund the hacked funds.
According to Leoussis, Coinomi responded that the company did not consider this to be a responsible disclosure and asked for details regarding the alleged vulnerability. Maawali apparently responded to the request by stating that he won’t disclose any further details without assurance of a refund.
Earlier on 26th Feb., Coinomi supposedly declared that the company will report the hacked assets to Chainalysis, which will blacklist the funds so that no exchange will accept them.
Even earlier, in Dec. last year, researchers reportedly demonstrated that they were able to hack the Trezor One, Ledger Nano S and Ledger Blue hardware wallets. At the 35C3 Refreshing Memories conference, the researchers used several different methods to compromise the wallets. The Ledger team, moreover, claimed that the vulnerabilities discovered in its hardware wallets weren’t much of a concern.