Warith Al Maawali is unhappy about losing $60,000 to $70,000 worth of cryptocurrencies that he stored in a wallet that appeared to be safe. According to the Oman-based programmer, the Coinomi wallet sent the passphrase of his account to a third-party server. This made his wallet vulnerable to attack and subsequently led to its hack.
Coinomi Wallet Sends Passphrase to Google API
In a report published by Warith Al Maawali, Coinomi’s wallet purportedly sent the 12-word passphrase of his account to a spell checker on Google’s API. When the phrase was typed into the text box, it was sent to the API without the user’s knowledge. As a result, 90 percent of his funds (Bitcoin, Ethereum, Litecoin, and Bitcoin Cash) held in the wallet were stolen.
Recounting the events that led to the loss, Al Maawali said he had downloaded the app from Coinomi’s official website on February 14. He had trusted that the wallet was genuine because it was recommended by reputable websites. He therefore entered into it the passphrase of the Exodus wallet he had been using.
However, he noticed after entering his passphrase that only the setup file of the app was signed, while the application itself was not digitally signed. He contacted Coinomi about the discovery, and the platform quietly replaced the app with a newer version. In the newer version, both the setup file and the application were signed.
Harm Has Already Been Done Despite Changes
Despite the changes that were made, it seems the harm had already been done. Al Maawali stated that days later, he discovered that his funds had been transferred to other wallets. Given his knowledge of hardware manipulation, the programmer decided to investigate how the hack may have occurred.
According to him, the only thing he had recently done was install the app. He also recalls that there was an unsigned version, which he believes had a backdoor. Al Maawali also suspects that the hack may have been carried out by an insider, someone who has access to the developer’s code.
In his own words:
Please note that this security issue cannot be exploited by anyone except by the people who created it or have control over the backend.
Coinomi Was Asked to Take Responsibility for the Loss
Al Maawali said he had disclosed the details of the event only after giving Coinomi over 24 hours to take responsibility for his losses. However, “they fixed the issue without notifying their users, and they kept procrastinating like scumbags to buy more time,” he said.
On February 27, a Reddit user also blamed Google for the loss of his EGEM cryptocurrency. The user claimed that his Google Drive account was hacked and that the private keys, which were stored in a text file, were accessed. Nonetheless, there was no trace of third-party logins to the account from a different IP, device, or location.