The major cryptocurrency wallet Coinomi is calling out a user who found a security flaw in its wallet after losing a hefty amount of money in a theft. Users on Twitter have in turn called out the wallet, arguing that the user is protesting his losses and that the wallet should take responsibility.
Let the message be clear, we do not negotiate with blackmailers.
Here is the full Helpdesk correspondence with @warith2020 (a blackmail gone wrong):
— coinomi (@CoinomiWallet) February 27, 2019
Warith Al Maawali, an Oman-based cryptocurrency and coding activist, revealed a major vulnerability in the cryptocurrency wallet Coinomi. The wallet reportedly sends secret seed phrases to third parties without any encryption. This vulnerability allows hackers and scammers to use a secret phrase passed in plain text to steal cryptocurrency from users.
Maawali has since pinned a tweet mocking the Coinomi wallet and currently stands at a loss of about sixty to seventy thousand dollars ($60–70k). He claimed that the theft was made possible through the Coinomi wallet and that the wallet's handling of information is the reason behind his losses.
Maawali explained that the wallet uses a Google spell checker and sends users' secret keys to the Google server. Anyone using interception software can capture the phrase and use it to steal the funds from the account.
Thailand-based security expert Luke Childs has also confirmed in a tweet and a video that the wallet is indeed sending this information, which is supposed to be private, to the third-party server and that the information can be intercepted.
SECURITY VULNERABILITY @CoinomiWallet sends your plain text seed phrase to Google's remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
— Luke Childs (@lukechilds) February 27, 2019
A thorough read of the conversation, which the wallet made public after Maawali went public, reveals that Coinomi staff had been stalling the user for days, pushing him to the point where he would share his losses with the public. He requested a refund of his assets; however, the wallet's administration would not agree, despite having led him to believe he would receive the bounty. Yet the wallet also claimed that the hack had not been proven to be a Coinomi issue, in direct contradiction to its bounty offer to the user.