The user under the warith nickname reported the loss of $ 60,000 - $ 70,000 after installing the Coinomi wallet from the official site.
“My main Exodus wallet did not support some assets and I decided to move them to Coinomi using the same seed phrase,” he writes.
A few days later, warith noticed that 90% of the assets — Bitcoins, ETH, ERC20, LTC and BCH tokens with a total value of up to $ 70,000 — were withdrawn from his Exodus wallet to various addresses. Only assets that were not supported by Coinomi remained in the wallet.
To understand the situation, warith tracked the traffic of the Coinomi application and found out that at the time of launch it downloaded a list of words from the dictionary.
“I entered a random seed phrase in the wallet recovery box and found that in the form of unencrypted text it was sent to googleapis.com for spell checking.
Everyone who is involved in technology and cryptocurrency knows that 12 random English words can be a seed phrase from a crypto wallet. Thus, someone from the Google team or someone who has access to HTTP requests sent to googleapis.com has discovered the code word. the phrase and used it to steal $ 60,000 - $ 70,000 in cryptocurrency, ”writes warith.
The user wrote a post about the incident on Twitter, but Coinomi only achieved evasive answers in personal correspondence. In this regard, warith is ready to file a claim with the company, “if it continues to avoid responsibility.”
After some time, a representative of Coinomi, in an interview with Trustnodes, reported that the detected vulnerability was eliminated and concerned only the desktop version of the wallet.
“Requests to Google were encrypted and incorrect, because of which they were not processed by Google. Spell check was carried out locally, ” - he said, promising that the company would soon prepare an official comment on the incident.
“My main Exodus wallet did not support some assets and I decided to move them to Coinomi using the same seed phrase,” he writes.
A few days later, warith noticed that 90% of the assets — Bitcoins, ETH, ERC20, LTC and BCH tokens with a total value of up to $ 70,000 — were withdrawn from his Exodus wallet to various addresses. Only assets that were not supported by Coinomi remained in the wallet.
To understand the situation, warith tracked the traffic of the Coinomi application and found out that at the time of launch it downloaded a list of words from the dictionary.
“I entered a random seed phrase in the wallet recovery box and found that in the form of unencrypted text it was sent to googleapis.com for spell checking.
Everyone who is involved in technology and cryptocurrency knows that 12 random English words can be a seed phrase from a crypto wallet. Thus, someone from the Google team or someone who has access to HTTP requests sent to googleapis.com has discovered the code word. the phrase and used it to steal $ 60,000 - $ 70,000 in cryptocurrency, ”writes warith.
The user wrote a post about the incident on Twitter, but Coinomi only achieved evasive answers in personal correspondence. In this regard, warith is ready to file a claim with the company, “if it continues to avoid responsibility.”
After some time, a representative of Coinomi, in an interview with Trustnodes, reported that the detected vulnerability was eliminated and concerned only the desktop version of the wallet.
“Requests to Google were encrypted and incorrect, because of which they were not processed by Google. Spell check was carried out locally, ” - he said, promising that the company would soon prepare an official comment on the incident.