Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com)
An anonymous reader shares a report: The Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali, who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), the Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.
this can happen post-hoc too (Score:5, Informative)
Example: you use a simple Java Swing text box to input some data. Then a new revision of Java comes out and boom, the text box gets new capabilities such as auto-fill or spell check.
This exact scenario happened in one particular touch screen voting system in which the Windows CE form boxes would remember the previous use of the form and fill it in. Unfortunately it was filling it in with the previous voter's vote!
But it wasn't that the software designer overlooked this. When the software was written it did not do this. But after an update of Windows CE it did.
Even changing things that seem innocuous, like font definition files, can introduce unanticipated changes post hoc.
This is true of anything that uses either late binding or an OS API.
But you would be crazy not to use safe and validated things for a window manager. Rolling your own would likely introduce even more prospects for security hazards.
There isn't an easy answer.
Re: this can happen post-hoc too (Score:1)
I don't have mod points but your scenario is enlightening and I'd never considered it before thank you.
Re: (Score:1)
But it wasn't that the software designer overlooked this. When the software was written it did not do this. But after an update of Windows CE it did.
The designer used fucking Windows for a voting machine. That's like saying a designer who made a bridge out of toilet paper didn't overlook anything because during construction it wasn't raining.
Re: this can happen post-hoc too (Score:2)
It's not just good, it's good enough!
Re: (Score:2)
I can't tell you why they were sloppy but I can tell you a few things that might contribute.
First, voting systems have some rules they follow. It varies from state to state, but typically you are not allowed to alter any code in these things within a certain number of months of the election. This has led, more than once, to situations where a known bug (e.g. overflows of vote counts, or vulnerabilities) exists in the code but they cannot legally patch it. For systems used in federal elections they are/were
Re: (Score:3)
Why would a password be sent to a spellcheck service?
Because you keep misspelling A#1b0Q^xK2-
Re: (Score:2)
My password passed the spell check because it's "password", so who's laughing now? If only you people would stick to plain English passwords and spelled them correctly there wouldn't be a problem.
Re: (Score:2)
Shut up, man, that's my password too. Stop telling everyone.
Re: (Score:2)
If it's a BIP39 seed, it's a list of 12 randomly chosen, common words. A typo in the spelling of any of those words means it's not a valid seed-word. I can see someone thinking that checking the spelling of a word isn't a security issue, but do it 12 times in a row, and you've leaked the root key for a BTC HD wallet.
Just plain dumb.
The Important part missing from TF Summary (Score:4, Informative)
"The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"
'nuf said. Surely there are more things wrong with that...
Re:The Important part missing from TF Summary (Score:5, Insightful)
"The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser"
'nuf said. Surely there are more things wrong with that...
Collecting passwords in a browser form field is fairly common, and not wrong.
Spellchecking passwords? With a third party service? Sending in cleartext? Yeah, that's screwy ...
READ BETTER - it is not sent in plaintext (Score:2, Informative)
Coinomi has responded to the allegations in this post on Medium which states the spell checking functionality was enabled for desktop wallets but that the seed phrase wasn’t sent as plain text, it was “encapsulated inside a HTTPS request with Google being the sole recipient.” It added that Google did not process, cache or store the requests. The issue was fixed six days ago.
A report by security consultant Warith Al Maawali claims he lost $60,000 to $70,000 while using the Coinomi wallet. H
Re: (Score:2)
This is not "a browser" ... or at least SHOULD NOT be, it is an app that would in principle exist in the very same form (at least from what I can see in the demos) even if the web was never invented. However it is/it does come with its own browser (like many other things nowadays!) - heck it's bigger than my first HARD DRIVE!
Re: (Score:2)
This is not "a browser" ... or at least SHOULD NOT be, it is an app that would in principle exist in the very same form (at least from what I can see in the demos) even if the web was never invented. However it is/it does come with its own browser (like many other things nowadays!) - heck it's bigger than my first HARD DRIVE!
Plenty of apps use HTML/CSS/JS as the UI.
That's not what's wrong with it, security-wise.
Re: (Score:2)
It is technically a browser. https://electronjs.org/ [electronjs.org] This setup and environment uses a headless Chromium to basically be the application. One of the biggest projects that use this is Discord; it doesn't say Coinomi is in here https://electronjs.org/apps [electronjs.org] or Coinomi's webpage but it's possible. And considering Chrom(e)ium checks spelling on textfields this may have been unintentional since the browser has this feature but was accidentally trying to check the password field.
Re: (Score:2)
Oops, looks like I misspelt xg3/qqKsB-2zl
Re: (Score:1)
It is screwy, and I know it's a minor thing, but can we be a bit more careful with the headlines?
"Caught" implies they were doing it deliberately and trying to conceal the fact. This doesn't seem deliberate, just incompetent.
Re: (Score:3)
"This doesn't seem deliberate, just incompetent."
Sufficiently advanced incompetence is indistinguishable from malice.
Pssword123 (Score:5, Funny)
Psword123
Did you mean "Password123"
I don't believe it (Score:5, Funny)
A system of made-up currency run by any number of idiots in their virtual garages is shady? What? How could this possibly be?
Re:All currency is "made-up" (Score:4, Insightful)
Real-world currencies were originally backed by gold reserves and evolved from there.
Cryptocurrencies were originally backed by geeks going, "It'll be the next big thing!" and haven't evolved yet.
Re: (Score:2)
What is the value of the math itself as opposed to the value of the gold represented by real-world currency?
At its very core, the ENTIRE concept of crypto-currency boils down to saying, "It would be pretty cool if we could make this work." And yes, it would. But that alone doesn't give it intrinsic value, and it doesn't give it the critical mass it requires to be considered a true currency on a level with the dollar, euro, yen, hell even the bolivar is more of a real currency - although for how long is deba
a bright new business opportunity! (Score:1)
Here's an example of how it works:
you : hey is this password strong?
ACpsv : and you are?
you : Joe Bloggs
ACpsv : what site is this for?
you : Fidelity.com
ACpsv: yeah, sure, it's good.
What a Bunch of Idiots! (Score:2)