Coinomi wallet found to have a serious security flaw
The issue could allow for holdings to be grabbed without warning
Software developers have a daunting task. Checking code is never an easy responsibility, but it is extremely important to ensure that everything functions as intended. Nowhere is it more important than with security, especially when that security is protecting money. The security people working for Coinomi and its cryptocurrency wallet appear to have fallen behind in their responsibilities, allowing a gaping security flaw that could allow wallet users to lose their money in a matter of seconds.
A Coinomi user, Warith Al Maawali, discovered the flaw after noticing that text typed into the desktop wallet was being sent to Google’s spell-check service. When a user sets up or restores a wallet, the recovery passphrase (the seed phrase) entered in the application is passed to the spellchecker as ordinary text, so the seed leaves the machine in a form the receiving endpoint, and anyone positioned to intercept or log that request in a man-in-the-middle position, can read directly. Because the seed alone is enough to reconstruct the wallet, whoever obtains it can drain the funds without needing any further access to the device.
Al Maawali asserts that funds were taken from his wallet and, while he has not yet been able to prove that the leak was the cause, he is confident that it was. He reportedly lost between $60,000 and $70,000, but this figure has not been confirmed.
Al Maawali posted about the ordeal on Twitter and received a lot of feedback, including from Luke Childs. Childs is a security researcher and crypto enthusiast who had already reported an issue to Coinomi in 2016. At that time he identified a problem with the company’s communication channels and tried to bring it to the attention of Coinomi representatives, but was repeatedly brushed off as the company played the problem down and declined responsibility for it (that flaw also involved wallet data being sent over unencrypted connections, in plain text).
Childs reproduced the problem Al Maawali had found and confirmed the findings publicly on social media. As in 2016, Coinomi refused to take responsibility, asserting that it wasn’t a big deal. It said, “Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only. That plugin enabled the spell-check functionality by default in a recent update and was fixed by the jxBrowser plug-in team just 6 days ago …”
Coinomi tries to shift the blame onto a badly configured plugin, but a third-party component’s defaults become part of the product the moment it ships with them. Had its security team reviewed the default configuration of the plugin, and of the update that changed it, before installing it, spell-checking would never have been left enabled on a field that receives a seed phrase. Vetting the defaults of every dependency that touches secrets is how responsible developers operate.
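The lesson of the incident is that a text field receiving a seed phrase must opt out of spell-checking explicitly rather than trust whatever the embedding framework does by default. The following is an added example, not Coinomi’s code or anything from the JxBrowser project: a small audit that scans wallet form markup for secret-bearing fields that leave `spellcheck` at the framework default, shown against a constructed vulnerable restore dialog and its hardened counterpart. The attribute names, the keyword list and the sample markup are all assumptions made for illustration.

```javascript
// Added example (not Coinomi's or JxBrowser's code): audit wallet form markup
// for secret-entry fields that an embedded Chromium spell-checker could ship
// off to a remote service. Any field whose name, id, placeholder or aria-label
// suggests a seed, mnemonic, passphrase or private key must opt out explicitly
// with spellcheck="false"; relying on the framework default is the failure
// described in the article. Runs under Node with no dependencies.

// Keywords that mark a field as secret-bearing (assumed list for the example).
const SECRET_HINT = /\b(seed|mnemonic|recovery|passphrase|password|private[-_ ]?key)\b/i;

// Return the first defined value among the regex capture alternatives.
function firstDefined(...values) {
  for (const v of values) {
    if (v !== undefined) return v;
  }
  return '';
}

// Pull every <input ...> and <textarea ...> opening tag and parse its attributes
// into a lowercase map. A regex scanner is enough for templates; this is not a
// general HTML parser.
function collectFields(html) {
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const fields = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = firstDefined(a[2], a[3], a[4]).toLowerCase();
    }
    fields.push({ tag: m[1].toLowerCase(), attrs });
  }
  return fields;
}

// A field is secret-bearing if any identifying attribute matches SECRET_HINT.
function isSecretField(f) {
  return ['name', 'id', 'placeholder', 'aria-label'].some(
    (k) => f.attrs[k] !== undefined && SECRET_HINT.test(f.attrs[k]),
  );
}

// Findings: secret fields whose spellcheck attribute is missing or not "false".
// type="password" inputs are exempt because browsers do not spell-check them;
// a seed phrase, however, is normally typed into a textarea or text input.
function auditSecretFields(html) {
  return collectFields(html)
    .filter(isSecretField)
    .filter((f) => f.attrs.type !== 'password')
    .filter((f) => f.attrs.spellcheck !== 'false')
    .map((f) => `${f.tag}[${f.attrs.name || f.attrs.id || '?'}] lacks spellcheck="false"`);
}

// Constructed markup resembling a restore-wallet dialog: the seed textarea is
// left at the framework default, so the spell-checker may see every word.
const VULNERABLE_FORM = `
<form id="restore">
  <textarea name="seed-phrase" placeholder="Enter your 12 or 24 word recovery phrase"></textarea>
  <input type="text" name="wallet-label">
  <button>Restore</button>
</form>`;

// Hardened form: spell-check, autocomplete and autocapitalize disabled explicitly.
const HARDENED_FORM = `
<form id="restore">
  <textarea name="seed-phrase" spellcheck="false" autocomplete="off" autocapitalize="off"
            placeholder="Enter your 12 or 24 word recovery phrase"></textarea>
  <input type="text" name="wallet-label">
  <button>Restore</button>
</form>`;

console.log('vulnerable:', auditSecretFields(VULNERABLE_FORM));
console.log('hardened:', auditSecretFields(HARDENED_FORM));
```

Run in a build step over the templates the wallet ships, the audit fails the build whenever a seed or passphrase field regains spell-checking, which is exactly the regression a plugin update introduced here. It does not replace reviewing the embedding component’s own configuration, where spell-checking can usually be disabled for the whole browser instance; it catches the field-level omission that a default flip would otherwise leave invisible.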