A security vulnerability was discovered in the Coinomi wallet by a user that its developers claim attempted blackmail.
SECURITY VULNERABILITY @CoinomiWallet sends your plain text seed phrase to Google's remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
— Luke Childs (@lukechilds) February 27, 2019
Coinomi, a multi-coin, multi-platform cryptocurrency wallet, reportedly suffered a vulnerability in which the desktop application sent the text of a recovery seed phrase to Google's remote spell checker API as the user entered it. The issue has since been patched, and reportedly affected only desktop versions of the wallet, and only when restoring a wallet from an existing seed. Cryptocurrency security researcher Warith Al Maawali claimed loss of funds stemming from the vulnerability earlier this month; security researcher Luke Childs publicized it several days later.
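The practical lesson of this incident is that a seed phrase should never appear in outbound traffic at all, so the check a practitioner would run against a wallet build is to route it through an intercepting proxy and scan every captured request body for a run of mnemonic words. The following is an added example written for this article, not Coinomi's code and not the tooling either researcher used. It works over constructed request captures embedded inline (the host `spellcheck.example` and the JSON wallet request are hypothetical), and the wordlist is a small constructed subset of the BIP39 English list; a real scan would load all 2048 words.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed subset of the BIP39 English wordlist, just enough for the
# sample captures below. A real scan loads the full 2048-word list.
WORDLIST = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account",
    "accuse", "achieve", "acid", "acoustic", "acquire", "across", "act",
    "action", "actor", "actress", "actual", "adapt", "add",
}

MIN_RUN = 12  # BIP39 phrases are 12, 15, 18, 21 or 24 words long


def _candidate_texts(body):
    """Yield every decoded text fragment of a captured request body: the raw
    body, each form-encoded field value, and each string inside a JSON body."""
    yield body
    for values in parse_qs(body).values():
        yield from values
    try:
        doc = json.loads(body)
    except ValueError:
        return
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, str):
            yield node
        elif isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)


def longest_wordlist_run(text, wordlist=WORDLIST):
    """Length of the longest run of consecutive wordlist words in text.
    Ordinary prose hits a few dictionary words in a row; a seed phrase hits
    twelve or more."""
    best = run = 0
    for token in re.findall(r"[A-Za-z]+", unquote_plus(text)):
        if token.lower() in wordlist:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def find_seed_leaks(requests, wordlist=WORDLIST, min_run=MIN_RUN):
    """Return (host, path, run_length) for every captured request whose body
    carries at least min_run consecutive wordlist words in any encoding."""
    hits = []
    for req in requests:
        run = max(longest_wordlist_run(t, wordlist)
                  for t in _candidate_texts(req["body"]))
        if run >= min_run:
            hits.append((req["host"], req["path"], run))
    return hits


# Constructed 12-word phrase from the subset above; not a real wallet seed.
SEED = ("abandon ability able about above absent absorb abstract absurd abuse "
        "access accident")

# Constructed captures, as an intercepting proxy would log them.
CAPTURES = [
    # Hypothetical spell-check request: the seed travels as a form field.
    {"host": "spellcheck.example", "path": "/check",
     "body": "lang=en&text=" + SEED.replace(" ", "+")},
    # Ordinary wallet traffic: a JSON body with a few dictionary words, no long run.
    {"host": "api.wallet.example", "path": "/v1/balance",
     "body": json.dumps({"note": "add about account", "addr": "bc1qexample"})},
]

if __name__ == "__main__":
    for host, path, run in find_seed_leaks(CAPTURES):
        print(f"seed phrase leak: {host}{path} ({run} consecutive mnemonic words)")
```

Run the wallet's restore flow behind a proxy such as mitmproxy or Burp, export the request bodies, and feed them to `find_seed_leaks`; any hit to a host other than the wallet's own backend is a finding regardless of what the destination does with the text. The run-length heuristic is deliberately encoding-agnostic, so a phrase sent URL-encoded, as a JSON string, or as raw text is caught the same way.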
Coinomi has since released an official statement on the vulnerability, clarifying its details and scope. The statement also claimed that Maawali demanded a ransom of 17 Bitcoin, while casting doubt on his claim that funds were stolen:
“During these days, Warith Al Maawali repeatedly refused to disclose his findings and kept threatening to take this public if we didn’t pay right away the ransom of 17 BTC which would make up for the “hacked” funds (stolen by Google, according to Warith Al Maawali) that are possibly still controlled by him and couldn’t have been hacked…”
Later in the post, Coinomi more clearly categorized Maawali’s communications with them as blackmail attempts:
“Going forward it should be noted that we are not negotiating with blackmailers and that we are totally open and transparent with the crypto community which we have been serving day and night for the past 5 years.”
A strained history between Coinomi and security researchers
Coinomi has had friction with security researchers before, sparring in 2017 with some of the same individuals involved in the most recent vulnerability. That earlier issue leaked the wallet’s public addresses in plain text, a privacy compromise which Childs raised on GitHub before taking it public a week later. Coinomi responded harshly, claiming that as a result users “have now turned to inferior and insecure alternatives because of your FUD.” Alluding to that first incident, Coinomi again singled out Childs for his role in publicizing the latest vulnerability:
“Just like today, back in 2017 Luke Childs and Jonathan Sterling acted totally irresponsibly by disclosing their findings in public before making sure that we are aware of them (they never opened a ticket with our Support, the only formal way of contacting us back then). This could have set Coinomi users’ funds at risk if their security claims were true.”
Coinomi closed out the criticism with an ominous message about the security researchers involved:
“After the dust settles we all need to remember the names of those who chose self-assertion over general public safety and acted irresponsibly.”
The constant struggle for greater security benefits from community participation and bug bounties
In a constantly shifting technological landscape, security issues remain at the forefront of cryptocurrency, with an ever-evolving set of potential threats. A strong developer community, together with good working relationships with security researchers, can prove instrumental to a fortified and secure project. Bug bounty programs, such as the Bugcrowd program for Dash, give researchers specific incentives to dedicate time and resources to discovering issues, and mitigate the threat of blackmail by researchers seeking to profit from disclosures.