The London-based cryptocurrency wallet Coinomi has once again found itself in a security controversy. A security consultant claims that the wallet's desktop application sends users' recovery seed phrases off the machine in plaintext, which would allow anyone who intercepts that traffic to restore the wallet and take the funds. He is now publicly warning his followers not to keep cryptocurrency in Coinomi.
Warith Al Maawali, a crypto strategist and security consultant, says he found a vulnerability in the desktop version of the Coinomi wallet that can result in the theft of funds from users' wallets. According to his public write-up, the application transmits the backup seed phrase in unencrypted form to a remote server, so anyone able to observe the traffic in transit obtains everything needed to access the wallet. Al Maawali also says he lost approximately $60,000 worth of cryptocurrency to this vulnerability.
A seed phrase is backup information from which a wallet can be regenerated. Many wallets, Coinomi included, use a 12-word (or longer) seed phrase to recover a wallet after hard drive corruption, hardware damage, a forgotten PIN, or a move to a new device. Suffice it to say that this short list of ordinary dictionary words is extremely sensitive: anyone who obtains it can restore the wallet elsewhere and spend its funds, without needing the PIN, the password, or the original device.
Al Maawali showed that when the Coinomi desktop application runs the user-entered seed phrase through a remote spell-check function to catch typos, the phrase is sent in plaintext. Anyone who can observe that request, whether on the network path or at the receiving server, obtains the complete seed and can drain the wallet immediately; no further attack is required. Note that encrypting the transport would only narrow the exposure, not remove it: whoever operates the spell-check service still receives the seed, which is why a recovery phrase should never be handed to any network-facing component at all.
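For contrast, here is how a wallet can catch mistyped recovery words without the seed ever leaving the machine. This is an added example written for this article, not Coinomi's code and not its actual fix: it validates each word against the BIP39 wordlist in process, suggests the nearest wordlist entry by edit distance, and includes a small egress check that flags any outbound text containing a run of 12 or more wordlist words. The 24-word wordlist below is a constructed subset of the BIP39 English list used only to keep the example short; a real wallet loads the full 2048-word list. The `body` string is a constructed illustration, not a captured request.

```python
"""Offline seed-word typo check and a seed-leak egress check.

Added example, not Coinomi's code or its actual fix: a wallet can flag
mistyped recovery words locally, so the seed never has to leave the
machine for a "spell check".
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed 24-word subset of the BIP39 English wordlist, used here only
# to keep the example short; a real wallet loads the full 2048-word list.
WORDLIST: Set[str] = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account",
    "accuse", "achieve", "acid", "acoustic", "acquire", "across", "act",
    "action", "actor", "actress", "actual",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_seed_words(phrase: str, wordlist: Set[str] = WORDLIST,
                     max_distance: int = 2) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each word of `phrase` as ("ok", None), ("typo", suggestion)
    or ("unknown", None).  Everything happens in process: no network call,
    so the seed is never exposed to a remote service."""
    report: List[Tuple[str, str, Optional[str]]] = []
    for word in phrase.lower().split():
        if word in wordlist:
            report.append((word, "ok", None))
            continue
        # Nearest wordlist entry; sorted() makes ties deterministic.
        best = min(sorted(wordlist), key=lambda w: edit_distance(word, w))
        if edit_distance(word, best) <= max_distance:
            report.append((word, "typo", best))
        else:
            report.append((word, "unknown", None))
    return report


def looks_like_seed_phrase(text: str, wordlist: Set[str] = WORDLIST,
                           min_run: int = 12) -> bool:
    """Egress check: True if `text` contains a run of at least `min_run`
    consecutive wordlist words, the signature of a seed phrase.  Useful as
    a last-line guard on any outbound request body or log line."""
    run = 0
    for token in re.findall(r"[a-z]+", text.lower()):
        run = run + 1 if token in wordlist else 0
        if run >= min_run:
            return True
    return False


if __name__ == "__main__":
    print(check_seed_words("abandon abilty zzzzzz"))
    # Constructed request body resembling what a remote spell check would
    # receive if the seed field were handed to it verbatim.
    body = ("text=abandon ability able about above absent absorb "
            "abstract absurd abuse access accident")
    print(looks_like_seed_phrase(body))
```

The egress check is deliberately crude (it will also fire on an ordinary sentence built from wordlist words), but a false positive on a wallet's outbound traffic costs nothing, whereas the false negative in this story cost a user his funds. With the full wordlist, the suggestion step could also exploit the BIP39 property that every word is unique in its first four letters.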
Coinomi issued an official statement about an hour after the accusation was posted, giving its side of the story and disputing parts of the claim. According to the statement, Coinomi engineers confirmed that the desktop application does use a spell-check function, but denied that seed phrases were sent unencrypted through it.
Al Maawali's accusation also raised a more serious possibility: that a company employee could have known about the vulnerability and could have been the one who took the consultant's funds. Coinomi responded that seed phrases are not processed, cached, or stored on its servers, which, it argued, would make it impossible for an employee to identify or steal them.
The company ultimately attributed the issue not to faulty code of its own but to a bad configuration option in a plug-in used by the desktop version of the wallet. Coinomi says the problem was identified immediately and that all desktop versions were patched right away.
While the company maintains that the fault was not "exactly" its own and that the desktop applications have been patched, the practical takeaway is unchanged: treat any seed phrase that was typed into an affected version as exposed and move the funds to a fresh wallet, and prefer wallets, hardware wallets in particular, that never let the seed phrase leave the device.