Coinomi Wallet denied recent claims that its software sends wallet recovery seed phrases to Google’s remote spell checker servers in plain (unencrypted) text. The company refuted the claims in an official statement published on Feb. 27.
In the statement, Coinomi claims that, unlike what was reported, the seed phrase transmission was encrypted via SSL (HTTPS), with Google being the only recipient capable of decrypting the message.
Coinomi notes that the phrase was only transmitted if the user chose to restore his wallet and only on the desktop version. Finally, Coinomi states that the spell-check requests sent to Google were not cached or stored, since they were flagged as bad requests by the servers and were not processed further.
The cause of the problem was reportedly a bad configuration in a plug-in software contained in the desktop version of Coinomi wallets.
The company claims that on Feb. 22 Warith Al Maawali created a support request on their board regarding a vulnerability contained in their wallet which, according to Maawali, has led to a wallet being hacked, as he claims on the dedicated website AvoidCoinomi.
Coinomi purportedly flagged the request as high priority and investigated into the matter. The company COO Angelos Leoussis said on the firm’s official Telegram group that the user kept “threatening, swearing, and blackmailing us for insane amounts.”
While a video posted on AvoidCoinomi aims to demonstrate the alleged vulnerability, it appears to show that the option to decrypt HTTPS is selected in the software.
Leoussis shared an alleged copy of the conversation with Maawali with Cointelegraph, where the user suggests that the wallet contains a backdoor and declares:
“You have few hours to return my assets back or I will go public with all the the [sic] evidence against you.”
According to information shared with Cointelegraph, on Feb. 23 Maawali requested the company to refund the allegedly stolen crypto assets or their equivalent in dollars, stating that otherwise he has “no choice other than reporting this in social media.” Still, he did not share the details of his findings, saying that he will wait until the company shows its willingness to refund the allegedly stolen funds.
Per Leoussis , Coinomi responded that the company did not consider this to be a responsible disclosure and asked for details concerning the alleged vulnerability. Maawali seemingly responded to the request by stating that he will not disclose details without assurance of a refund.
On Feb. 26 Coinomi purportedly declared that the company will report the stolen assets to Chainalysis, which will blacklist the funds so no exchange will accept them.
In December 2018, researchers were reportedly able to demonstrate that they were able to hack the Trezor One, Ledger Nano S and Ledger Blue hardware wallets. At the 35C3 Refreshing Memories conference researchers used several different strategies to attempt to compromise the wallets. The Ledger team also claimed that the alleged vulnerabilities discovered in its hardware wallets were not critical.