Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Technology

Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com) 75

An anonymous reader shares a report: Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.
This discussion has been archived. No new comments can be posted.

Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker

Comments Filter:
  • by itsme1234 ( 199680 ) on Wednesday February 27, 2019 @01:17PM (#58189562)

    "The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"

    'nuf said. Surely there are more wrong things wrong with that...

    • by cascadingstylesheet ( 140919 ) on Wednesday February 27, 2019 @01:22PM (#58189588) Journal

      "The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"

      'nuf said. Surely there are more wrong things wrong with that...

      Collecting passwords in a browser form field is fairly common, and not wrong.

      Spellchecking passwords? With a third party service? Sending in cleartext? Yeah, that's screwy ...

      • by Anonymous Coward

        Coinomi has responded to the allegations in this post on Medium which states the spell checking functionality was enabled for desktop wallets but that the seed phrase wasn’t sent as plain text, it was “encapsulated inside a HTTPS request with Google being the sole recipient.” It added that Google did not process, cache or store the requests. The issue was fixed six days ago.

        A report by security consultant Warith Al Maawali claims he lost $60,000 to $70,000 while using the Coinomi wallet. H

        • by Luthair ( 847766 )
          Even after sent to Google, you'd need a MTIM who somehow knew that to look at the contents of translate and know that it was for Etherum. Seems pretty far fetched.
      • Collecting passwords in a browser form field is fairly common, and not wrong.

        This is not "a browser" ... or at least SHOULD NOT be, it is an app that would in principle exist in the very same form (at least from what I can see in the demos) even if the web was never invented. However it is/it does come with its own browser (like many other things nowadays!) - heck it's bigger than my first HARD DRIVE!

        • Collecting passwords in a browser form field is fairly common, and not wrong.

          This is not "a browser" ... or at least SHOULD NOT be, it is an app that would in principle exist in the very same form (at least from what I can see in the demos) even if the web was never invented. However it is/it does come with its own browser (like many other things nowadays!) - heck it's bigger than my first HARD DRIVE!

          Plenty of apps use HTML/CSS/JS as the UI.

          That's not what's wrong with it, security-wise.

        • It is technically a browser. https://electronjs.org/ [electronjs.org] This setup and environment uses a headless Chromium to basically be the application. One of the biggest projects that use this is Discord; it doesn't say Coinomi is in here https://electronjs.org/apps [electronjs.org] or Coinomi's webpage but it's possible. And considering Chrom(e)ium checks spelling on textfields this may have been unintentional since the browser has this feature but was accidentally trying to check the password field.

      • by Bongo ( 13261 )

        Oops, looks like I misspelt xg3/qqKsB-2zl

      • by AmiMoJo ( 196126 )

        It is screwy, and I know it's a minor thing, but can we be a bit more careful with the headlines?

        "Caught" implies they were doing it deliberately and trying to conceal the fact. This doesn't seem deliberate, just incompetent.

        • "This doesn't seem deliberate, just incompetent."

          Sufficiently advanced incompetence is indistinguishable from malice.

  • Pssword123 (Score:5, Funny)

    by Oswald McWeany ( 2428506 ) on Wednesday February 27, 2019 @01:18PM (#58189574)

    Psword123

    Did you mean "Password123"

  • by mattyj ( 18900 ) on Wednesday February 27, 2019 @01:20PM (#58189580)

    A system of made-up currency run by any number of idiots in their virtual garages is shady? What? How could this possibly be?

  • Comment removed based on user account deletion
  • by Anonymous Coward
    Annonymous Coward's password strength verifier!

    Here's a example of how it works:
    you : hey is this password strong?
    ACpsv : and you are?
    you : Joe Bloggs
    ACpsv : what site is this for?
    you : Fidelity.com
    ACpsv: yeah, sure, it's good.
  • Everyone knows that you need to send the password over SSL to your own back-end service first before you send it to Google Spellcheck in clear text!

"Pok pok pok, P'kok!" -- Superchicken

Working...