A likely vulnerability shows how easy it is to get bitcoins stolen On the coinomi cryptocurrency platform
A likely vulnerability shows how easy it is to get bitcoins stolen
On the coinomi cryptocurrency platform
by Jonathan, News columnist
With the possibility of gains that can be made by taking advantage of the upward variations of bitcoin, companies and individuals do not hesitate to embark on the adventure by investing their assets in this cryptographic currency. Coinomi is an online cryptocurrency wallet for both mobile and desktop computers. It offers a place for storage, management and secure exchange of Bitcoin and other encrypted currencies. It currently has over half a million downloads on Google Play Store. Its website indicates that it has never been hacked or otherwise compromised to date, but a so-called discovered vulnerability now casts doubt on this claim.
On February 22, Warith Al Maawali, a computer security consultant, contacted Coinomi's technical support about a security breach in his office wallets. In cryptocurrency, a private key is called the passphrase or passphrase of a digital asset portfolio. If the private key is lost, it can not be recovered and the fund stored there is permanently lost. According to Al Maawali, this flaw compromised the private key of his wallet by the fact that Coinomi's integrated spell checker automatically checked his passphrase.
This audit involved sending his passphrase as plain text to a Google website, suggesting that this data transfer could have been intercepted. Al Maawali claims to have lost between $ 60,000 and $ 70,000. To reach this conclusion, the computer security consultant conducted his research: first, he installed and started the application Coinomi and his first remark was that the unsigned version of the application had a backdoor. He then conducted a further investigation and compared the unsigned version of the installation file with the one signed. The only difference is that they (the Coinomi developers) have added a digital signature to the main executable file.
So he started to replicate what he was doing in a new virtual machine, but this time he installed Fiddler, a software that allows you to monitor and debug HTTP / HTTPS traffic from all running applications. on your machine. Then he began to monitor the traffic by running Fiddler in the background, and then started the Coinomi application. This is how he was able to see that his passphrase was sent as plain text to Google's spell checker. This allowed anyone with the necessary skills (Google employees not being excluded) to intercept this passphrase.
Coinomi responded to these allegations by saying that the spellchecking feature was enabled for office wallets, but that the passphrase was not sent in plain text. According to Coinomi, the passphrase was encapsulated in an HTTPS request with Google as the only recipient. Coinomi added that Google has not processed, cached or stored requests.
Al Maawali has indicated that he intends to bring legal action against the company behind Coinomisi it does not act to assume its responsibilities. It also warns other users that it is possible that all versions of the desktop application may be affected, although it is not certain that mobile versions are available. He even made a video link / https://avoid-coinomi.com/files/coinomi_http_traffic_video.mp4 n which he reproduces the steps taken to prove that the vulnerability exists.
It is possible that the vulnerability is real, but some believe that there is not enough evidence to say with certainty that it is the cause of the alleged disappearance of funds. But all this history will at least have the merit of having once again, made understand to the providers of wallets of encryption, that they must think differently with regard to security.
Source: Al Maawali Report
And you ?
Do you know that the methods used in this experiment are sufficient?
Do you think like Al Malawi that Google's spell checker is the real vector of attack?