Offering latest cryptocurrency, bitcoin news
Image default
Blockonomi Finance Technology

Vulnerability in Coinomi Wallet Revealed – $60K in Crypto Allegedly Stolen

The London-based cryptocurrency wallet Coinomi has yet again found itself in a security scandal. A cryptocurrency security expert claims that the wallet’s service sends sensitive information of users’ accounts to its servers in an unencrypted form which allows hackers to intercept the data and gain access to said accounts. The security consultant now publicly warns his followers to not buy cryptocurrency using the wallet.

An expert crypto strategist and security consultant Warith Al Maawali claims to have found a vulnerability in the desktop version of Coinomi wallet that can potentially result in theft of funds from users’ accounts. Al Maawali explained publicly that the service sends wallet seed phrases in unencrypted form to the servers which can grant access to an account if the data is intercepted by someone listening in between the transaction. The security consultant also claims to have lost approximately $60,000 worth of cryptocurrency due to this vulnerability.

A wallet seed phrase is a backup information that can be used to recover a crypto wallet. Many crypto wallets including Coinomi use a 12-word seed-phrase that is used to recover a wallet that has been lost due to hard drive corruption, damages to the computer or when a user forgets the PIN code, or when the funds need to be transferred to a new device. Suffice to say, this array of special characters is very sensitive and powerful if used maliciously.

Extracted from Al Maawali’s demonstration.

Al Maawali showed that when the Coinomi wallet sends the user-entered passphrase to a server-side spell check function to identify typos, the phrase is sent in simple text format or in an unencrypted form. If a hacker is monitoring the data being sent to the servers, he can intercept these data packets and can use it right away for malicious purposes.

Coinomi issued an official statement, an hour after the accusation was posted, that explains their side of the story and ensures that the claims are not entirely true. According to the statement, Coinomi engineers confirmed that the spell check function is being used on the desktop application of the wallet but claimed that all the seed phrases are not sent unencrypted for this function.

Al Maawali’s accusation also included a very serious point that an employee of the company could have known of this vulnerability and could have been the one who stole the funds from the security consultant’s wallet. Coinomi stated that the passphrases are not processed, cached, or stored on the servers, which makes it impossible for an employee to identify or steal the seeds.

Ultimately, the company said that the issue was not caused by faulty programming, but by a bad configuration option in a plug-in being used by the desktop version of the wallet. Coinomi says that the problem was identified instantly and all desktop versions were patched immediately.

While the company claims that it wasn’t “exactly” their fault and that the Coinomi wallet’s desktop applications have been patched, we would recommend you to use secure wallets to buy bitcoins, Ethereum, or other cryptocurrencies.

Related posts a market for influencer marketing

Dickson Dickson

Here Is How You Can Send ERC20 Tokens From A Ledger Nano S (Using MyEtherWallet)

Dickson Dickson

Jihan Wu to Step Down as CEO of Bitmain, Taking On Limited Role

Eve Frost