Coinomi is facing an avalanche of criticism after being accused on February 27, 2019, of sending passphrases to googleapis.com, leading to the loss of over $70,000.
Where’s the Money?
In the past, crypto owners have lost funds because of errors on the part of service providers, as in the case of QuadrigaCX, or because of wallet vulnerabilities that affect users directly, as with Trezor wallet users.
Now Coinomi, a crypto wallet provider, is being called out for a flaw that reportedly cost one user tens of thousands of dollars, as reported on February 27, 2019.
The story first broke when Reddit user u/warith77 took to the site to call out Coinomi after the company refused to take responsibility for the loss of roughly $70,000 that followed the exposure of his passphrase to third parties.
According to u/warith77, he first installed the Coinomi application on February 14, 2019, and restored his Exodus wallet into it in order to move some assets that the Exodus wallet did not support; he noted that the application was not digitally signed. On February 22, 2019, he discovered that 90 percent of his funds, which included bitcoin, ether, and litecoin, had been stolen.
He immediately began an investigation into the matter and concluded that the fault lay on Coinomi's side. Coinomi's “Restore Wallet” textbox reportedly forwarded the entered passphrase to googleapis.com for a spellcheck, so the plain-text recovery phrase left the device the moment it was typed in. u/warith77 believes that this is how his passphrase was leaked and his funds stolen.
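The failure described above is a text field that receives a secret while platform spellcheck and autocorrect are still enabled, so the field's contents are handed to a remote service. As an added example, not code from this article, from Coinomi, or from the Reddit post, the Python below audits an HTML form for secret-entry fields (seed, mnemonic, passphrase, password) that have not opted out of spellcheck, autocorrect, autocapitalize and autocomplete. The attribute set, the name hints and the sample form are constructed for illustration; this page does not describe how Coinomi's own “Restore Wallet” textbox was implemented.

```python
from html.parser import HTMLParser

# Substrings in id/name/placeholder/aria-label that suggest the field takes a
# secret. Constructed hint list for this example; extend it for your own app.
SENSITIVE_HINTS = ("seed", "mnemonic", "passphrase", "password", "recovery", "private")

# Opt-outs a secret-entry field should carry so that the spellchecker,
# autocorrect and form-fill layers never see or store its contents.
# Values listed are the ones this audit accepts as "opted out".
REQUIRED_OPT_OUTS = {
    "spellcheck": {"false"},
    "autocomplete": {"off", "new-password"},
    "autocorrect": {"off"},
    "autocapitalize": {"off", "none"},
}


class SecretFieldAuditor(HTMLParser):
    """Collects (field, missing_opt_outs) for every secret-looking input/textarea."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        # HTMLParser lowercases attribute names; valueless attrs arrive as None.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if a.get("type") == "hidden":
            return
        label = " ".join(a.get(k, "") for k in ("id", "name", "placeholder", "aria-label"))
        if not any(hint in label for hint in SENSITIVE_HINTS):
            return
        missing = sorted(
            attr for attr, accepted in REQUIRED_OPT_OUTS.items()
            if a.get(attr) not in accepted
        )
        if missing:
            self.findings.append((a.get("id") or a.get("name") or tag, missing))


def audit_secret_fields(html):
    """Return a list of (field identifier, sorted missing attributes) findings."""
    parser = SecretFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a restore form with one unprotected recovery-phrase
# field, one non-sensitive field, and one field with all opt-outs set.
SAMPLE_FORM = """
<form id="restore">
  <label for="seed">Recovery phrase</label>
  <textarea id="seed" name="seed_phrase" rows="3"></textarea>
  <input id="nickname" name="wallet_name" type="text">
  <textarea id="seed_hardened" name="seed_phrase" rows="3"
            spellcheck="false" autocomplete="off"
            autocorrect="off" autocapitalize="off"></textarea>
</form>
"""


if __name__ == "__main__":
    for field, missing in audit_secret_fields(SAMPLE_FORM):
        print(f"{field}: missing {', '.join(missing)}")
```

The attributes only tell the rendering layer what not to do; they do not prove the layer honours them. The check that actually settles a case like this one is a packet capture on the machine while the restore screen is being filled in: a secret-entry screen should produce no outbound request at all, let alone one carrying the phrase.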
A Helping Hand?
u/warith77 has since vowed to take legal action against Coinomi if the company does not take responsibility for the $70,000 stolen, which he says was his life savings. He also said that Coinomi's reaction was far from supportive.
“Coinomi’s team did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation,” he wrote, adding that the team subtly threatened him about the legal implications of going public with the information he possessed.
Since the news broke, social media users have aired their opinions and findings. Twitter user Luke Childs tweeted a video that appears to confirm the story.
SECURITY VULNERABILITY @CoinomiWallet sends your plain text seed phrase to Google's remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
— Luke Childs ☂️ (@lukechilds) February 27, 2019