When creating and recovering wallets, it’s vital that you get the spelling correct, but one wallet provider has taken spelling one step too far. Coinomi has been caught sending seed phrases in plain text to the Google spell check API, meaning the phrase leaves the user’s device and is received, and quite possibly logged, by a third party. A seed phrase is the master secret from which a wallet derives all of its private keys, so anyone who can read it can spend everything the wallet holds. This is incredibly dangerous, and one Coinomi user is trying to sue the company for the loss of $70,000 in various cryptocurrencies, which they attribute to this leaked seed phrase.
No Hackers Have Taken Advantage
Despite the fact that Coinomi has openly been sending seed phrases to the Google spell check API – and has presumably been doing so since it launched in 2014 – this is the first reported case of someone losing their crypto while using the wallet. With seed phrases leaving the device so freely, you would have thought hackers were having a field day. One likely explanation is that the phrases are exposed to Google and to whoever can read its logs or intercept the connection, rather than being published to the open internet, so the pool of people positioned to abuse them has been small. All this could change now that the news has broken. The race is on for Coinomi to patch this issue before hackers take full advantage of it and empty people’s wallets, but a patch only stops future leaks: any seed phrase that has already been typed into an affected version should be treated as compromised.
SECURITY VULNERABILITY
@CoinomiWallet sends your plain text seed phrase to Google's remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
Credit goes to @warith2020 for finding the issue, read more from him here: https://t.co/tCZ0hDPyJ3 pic.twitter.com/hdaPOb84A9
— Luke Childs (@lukechilds) February 27, 2019
Throwing a Spanner in the Works
Crypto holders are being encouraged to get their crypto away from exchanges and into cold wallets. Dubbed Proof of Keys (PoK), the movement has gained a huge following and widespread media coverage. However, the news that Coinomi is sending seed phrases to a third party could throw a spanner in the works of the PoK movement. If holders fear that their wallet software will leak their keys and that they risk losing their crypto anyway, they are more likely to leave it on an exchange, where some exchanges carry insurance against theft.
Electrum Scaring Users
It’s not been a good couple of weeks for the wallet world, as antivirus software began flagging Electrum as a trojan. Electrum is one of the most popular crypto wallets out there, and the warning struck fear into the hearts of crypto holders around the world. Fortunately, the alert was quickly identified as a false positive, and users could carry on using the wallet without any fear. Hopefully Coinomi turns out to be in a similar situation and does in fact encrypt the seed phrase before sending it, although the video evidence above shows the phrase leaving in plain text, so that looks unlikely.
Crypto wallets are the difference between risking everything by leaving your crypto on an exchange and sleeping peacefully with your crypto locked away. It comes as no surprise that the crypto community is outraged by Coinomi, but hopefully we see a patch for this bug go live soon. If you have a Coinomi wallet, it’s recommended that you move your funds elsewhere for the time being, just to be on the safe side. Note that importing the same seed phrase into a different wallet does not help, because the phrase itself is what was exposed: generate a fresh seed phrase in another wallet and send your funds to the new addresses.