A Coinomi user has released details on a vulnerability that impacts the cryptocurrency wallet's desktop app. According to user Warith Al Maawali, the vulnerability sends a user's private key to Google's spellchecking service in plain text.
Al Maawali explains that Coinomi's desktop wallet has a textbox for app users to recover their wallet. This textbox is an HTML file powered by a Chromium browser component and any text typed into that textbox will be sent to googleapis.com in the form of an HTTP request for spell checking.
Anyone who can intercept this HTTP request can read the contents of that textbox, which in Al Maawali's case was the private key linked to $60k-$70k worth of cryptocurrencies.
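The root cause described above is a form field that accepts a secret while the embedded browser's spell-checker is still enabled for it. The following is an added example (not Coinomi's code and not part of the original article) showing how a developer or reviewer can audit an HTML form for secret-bearing text fields that lack `spellcheck="false"` and `autocomplete="off"`, and rewrite them. The sample form, the field names and the "sensitive name" pattern are constructed for illustration.

```javascript
// Added example: audit and harden HTML text fields that accept secrets so a
// Chromium-based view does not hand their contents to a remote spell-checker.
// The form below and the field names are constructed; adjust SENSITIVE_NAME to
// the naming conventions of the code base being reviewed.

// Field names/ids/placeholders that suggest the field holds a secret (assumption).
const SENSITIVE_NAME = /seed|mnemonic|recovery|private|privkey|secret|passphrase|password/i;

// Standard HTML attributes a secret-bearing field should carry:
// spellcheck="false" stops the browser spell-checker, autocomplete="off"
// keeps the value out of form-fill storage.
const REQUIRED = { spellcheck: 'false', autocomplete: 'off' };

// Matches an existing spellcheck/autocomplete attribute (valued or bare) so it
// can be replaced rather than duplicated.
const STRIP_RE = /\s+(spellcheck|autocomplete)\b(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/gi;

// Parse the attribute text of one tag into a lowercase-keyed map of lowercase values.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// True when the field looks like it receives a secret and is not a password
// input (browsers do not spell-check type="password").
function isSensitiveTextField(attrs) {
  const label = [attrs.name, attrs.id, attrs.placeholder].filter(Boolean).join(' ');
  return SENSITIVE_NAME.test(label) && attrs.type !== 'password';
}

// Return one finding per <input>/<textarea> that looks sensitive but is missing
// a required attribute or has it set to the wrong value. Note: the tag regex
// assumes attribute values do not contain a literal '>'.
function auditSensitiveFields(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    if (!isSensitiveTextField(attrs)) continue;
    const missing = Object.entries(REQUIRED)
      .filter(([k, v]) => attrs[k] !== v)
      .map(([k, v]) => `${k}="${v}"`);
    if (missing.length) {
      findings.push({ tag: m[1].toLowerCase(), field: attrs.name || attrs.id || '(unnamed)', missing });
    }
  }
  return findings;
}

// Rewrite the HTML so every sensitive text field carries the required attributes.
function hardenSensitiveFields(html) {
  return html.replace(/<(input|textarea)\b([^>]*)>/gi, (whole, tag, attrText) => {
    if (!isSensitiveTextField(parseAttrs(attrText))) return whole;
    let body = attrText.replace(STRIP_RE, '');
    let close = '';
    if (/\/\s*$/.test(body)) {            // preserve a self-closing "/>"
      body = body.replace(/\/\s*$/, '');
      close = ' /';
    }
    const extra = Object.entries(REQUIRED).map(([k, v]) => `${k}="${v}"`).join(' ');
    return `<${tag}${body.trimEnd()} ${extra}${close}>`;
  });
}

// Constructed sample: a wallet-restore form with one unprotected textarea and
// one field whose spellcheck attribute is set the wrong way.
const SAMPLE_FORM = `
<form id="restore">
  <label>Recovery phrase</label>
  <textarea name="seed_phrase" rows="3"></textarea>
  <input type="text" id="wallet-name" placeholder="Wallet name">
  <input type="password" name="password">
  <input type="text" name="private_key" spellcheck="true" autocomplete="off">
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSensitiveFields(SAMPLE_FORM));
  console.log(hardenSensitiveFields(SAMPLE_FORM));
}
```

Running the audit on the sample form flags `seed_phrase` (both attributes missing) and `private_key` (`spellcheck="true"`), while the `password` input is skipped because browsers do not spell-check password fields; after `hardenSensitiveFields` the audit returns nothing. The attributes are only half the fix: an embedding framework can enable spell-checking independently of the page, so the embedder's own configuration (for example Electron's `spellcheck` webPreference) should be reviewed alongside the HTML.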
Exposed private keys
Following Al Maawali’s public disclosure, the Coinomi team released an official statement addressing the vulnerability. According to Coinomi, the vulnerability wasn’t found in the firm’s “source code but instead was a bad configuration option in a plug-in used in Desktop wallets only.” Additionally, the vulnerability was patched immediately on Feb. 22. Coinomi also clarifies that the private keys were “encapsulated inside a HTTPS request with Google being the sole recipient” and that “the seed phrase wasn’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets.”
Coinomi’s team also claims that it has “zero reports of hacked Desktop wallets so far other than Warith Al Maawali’s” and alleges that the keys were “possibly still controlled by him.”