Coinomi’s crypto wallet is branded as “your trusted blockchain interface” offering a place to “securely store, manage and exchange Bitcoin” and other cryptocurrencies. Its website states it has never “been hacked or otherwise compromised to date.” But an alleged security vulnerability now puts that claim in doubt. We have contacted Coinomi but have not heard a response by press time.
A report by security consultant Warith Al Maawali claims he lost $60,000 to $70,000 while using the Coinomi wallet. He argues that Coinomi’s built-in spell checker automatically checked his seed phrase which involved sending it as plain text to a Google-owned website. This meant it could have been intercepted, leading to the loss of funds. There have been other similar claims on Reddit. While it’s difficult to verify if these claims are true, it does highlight a bigger vulnerability: seed phrases and the dangers of entering them on computers connected to the internet.
Al Maawali told Decrypt he used his Ethereum seed phrase in the Coinomi wallet to access Ethereum-based tokens that he owned but were not supported by the Exodus crypto wallet which he was already using. He said everything worked okay at first as the tokens showed up but then a few days later, the wallet was emptied.
Due to this, he did some research and found what he believes is a critical vulnerability within the Coinomi wallet. At the point where you enter your seed phrase, it is processed through a spell checker. This means the whole seed phrase is sent in plain text to a Google-owned website. He has uploaded a video for anyone to replicate the process and see that the vulnerability exists.
Programmer Martin Habovštiak confirmed on Twitter that the vulnerability is real but argued that there might be more a more nefarious reason for the loss. Habovštiak believes it was more likely the money was stolen via malware, or Maawali sent the coins to another account he owns to make it look like they were stolen and is trying to double his money.
However there have been other reports of funds disappearing on the Coinomi wallet—which isn’t uncommon for any software wallet. There are two posts on Reddit by users who claim their funds have disappeared from the Coinomi wallet. Although neither specify that they imported their seed phrase into the wallet.
Al Maawali also provides screenshots of a conversation he claims to have had with Coinomi support in which they appear to accept the vulnerability exists but deny that it was responsible for the loss of funds. This conversation has not been independently verified.
This issue flicks at other issues facing Coinomi. Luke Childs, a developer of open-source software accused the app of lacking necessary encryption measures when sending user information. A blog post by Jonathan Sterling, co-founder of Coin Flow, goes into more detail on the issues, providing screenshots of tweets allegedly from Coinomi dismissing the claims.
While there is evidence that the exploit is real, it is much harder to verify that it was the reason the funds were stolen. There are many other possibilities of how the money was taken including malware or vulnerabilities in other crypto wallets—if it was even stolen. But this vulnerability proves that crypto wallet providers need to think outside the box when it comes to security, but not too much.