Video Announcement

Overview

Coinomi was forced by the community (special thanks) and finally published an official statement regarding the incident and it can be found here (screenshot here):
https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

First of all, I wish they have sense of transparency and publish my responses in their social media channels like I always do so that the reader of both responses can judge and assess the situation.

I was expecting Coinomi’s official statement to be sloppy and incompetent but never thought it would be that bad. But again it’s clearly reflects the mentally behind their “never been hacked” wallet.

I will start responding to their official statement by quoting and screenshotting parts of their official response because as you know by now they have a bad habit of deleting their posts.

Coinomi’s Official Response

Starting with their announcement title:

Calling this horrible security issue as “findings” is quite misleading and running away from responsibility. Coinomi obviously don’t want (or like) to name the issue as a CRITICAL vulnerability. In fact, their vulnerability is something beyond CRITICAL. As a standard, usually vulnerabilities are ranked based on their severity: Low, Medium, High or Critical. I’m suggesting that the information security community should introduce a new rank and call it the “Coinomi Level”, the new highest level ranking.

Going to the next statement:

"The seed phrase wasn’t being transmitted in plain text, instead it was being encapsulated inside a HTTPS request with Google being the sole recipient"

When I said that my passphrase was transmitted in plain text, I meant it reached Google API servers in plain text. Please make sure you know the difference between transmitting something in a secure tunnel (this is how HTTPS works) and between encrypting something before transmitting it.

For the sake of argument, imagine if they encrypted the passphrase first then sent it to Google. In such scenario even if you transmit that data through HTTP (not SSL/TLS) it would reach the destination encrypted. Nonetheless, that made me giggle for a while because it's like saying “we took all the security measures and transmitted your passphrase securely to Google” ouch!

“The seed phrase wasn’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets”

That statement was hilarious and essentially they mean by that is “It’s not a vulnerability because the user chose to restore his wallet otherwise he would have been safe”. So as a Coinomi user you are not supposed to “restore your wallet” and that feature was there just to spell check your passphrase and make sure it matches Google’s dictionary.

"The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google"

That’s quite misleading because how can Google API server respond by “Bad Request” without knowing what you sent to it in the beginning! The screenshot that they captured showing Google’s web service response, is actually from the web application side. The web application won’t reply to the request unless it processes the data first and then determine whether it was a valid data or not.

In fact, it’s even much worse than what they think or trying to imply. Google API servers needs a valid API Key in order to use their API web service. But in Coinomi’s case they sent the request using invalid (unauthorized) API Key which made Google API server treat the request as a bad request. This will definitely alert Google’s team to investigate the cause of the bad request and see the 12 English words separated by spaces (is that a passphrase to a crypto-currency wallet?!) and let's hope that server is not managed by a third-party or even compromised.

In other words, if Coinomi used a valid API Key then Google would have been obliged to treat the data better and would make the person who used my passphrase think twice.

Going to the next statement:

"Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only."

Stating that this wasn't part of their "source code" is really misleading and trying to run away from the responsibility. The JxBrowser component/plug-in is bundled with Coinomi’s wallet at the source code level and you can enable/disable any undesired feature of JxBrowser from the source code. So essentially it was a feature not a bug but Coinomi have misused it and it turned into a CRITICAL security bug.

Coinomi’s team is trying to divert the community attention and blame JxBrowser for their mess. In fact, JxBrowser clearly explained the default behavior in their documentation since 2016 and how to disable it:

The original link can be found here:
https://jxbrowser.support.teamdev.com/support/solutions/articles/9000044250-configuring-spell-checker

To make it simple for the readers, Coinomi could have avoided the “spell check” scandal with a single line of code:
spellChecker.setEnabled(false);

Apparently the “Code Gurus” at Coinomi didn’t have the time to read JxBrowser documentation. In fact, I’m not sure why did they use JxBrowser in the first place. Coinomi wallet core functionality is based on Java programming language and it’s already cross-platform enabled by default so you don’t need a third-party component for that. The answer is probably that they were too lazy to do the UI in Java natively and wanted a fast sloppy solution to rollout their Desktop version as soon as possible to compete against their competitors skipping the QA tests (if it exists at all!).

The funny thing is that if we talk about the “spell check” vulnerability in a legal perspective then it will be considered as a “feature” and to be more precise, a hidden feature. This feature was NOT mentioned anywhere in their “Terms of Use” nor in their wallet application or documentation.

Now let’s talk about Google API and their terms regarding the API usage. You can find these terms in the following links:
https://developers.google.com/terms/
https://developers.google.com/terms/api-services-user-data-policy

Quoting some of their terms:

As you can see, Coinomi have already violated several terms. For example they used Google API without a valid API Key (unauthorized usage) and they didn’t inform their users about it. In other words they deceived Coinomi wallet users with the hidden “spell check” feature which uses Google API servers to check their passphrases/seeds.

Coinomi stated in their official announcement that the data they sent to Google API servers were not “processed, cached or stored”. Don’t take my words for it and let’s see what Google says in their terms:

We can come to a conclusion that the feature of using Google API to “spell check” users' passphrases/seeds was a hidden feature and it was NOT mentioned in their “Terms of Use” that I accepted before installing the application. So obviously if I knew about that feature I wouldn't use the application unless if I wanted to improve my passphrase vocabulary!

Apparently they don’t need to change their CTO only, they also need to change their attorney.

Support Ticket Deception & Privacy

First of all, publishing that support ticket publically is a clear violation of my privacy as a client. It contained sensitive information related to my case such as the my personal crypto-currency addresses and the destination crypto-currency addresses. These information should be only available for the authorities and the parties involved in the case.

Secondly, if my claims were false then why a “blackmailer” (based on Coinomi’s official statement) would accept to send his personal wallet “passphrase/seed” to them? If I wanted to double spend my money why would I give them my wallet passphrase/seed? I’m glad that I sent them my passphrase/seed through an encrypted channel otherwise they would have published it!

The final point is that they did not upload the full ticket and deleted the part where they confirmed that my assets were stolen and said they will start blacklisting the addresses so the person who stole my crypto-currency assets can’t utilize the assets in exchanges:
https://avoid-coinomi.com/files/coinomi_support_ticket.png

You can download the full support ticket from here (sensitive information blurred):
https://avoid-coinomi.com/files/coinomi_support_ticket_full.png

Key Facts & Evidences

I will recap the events to understand why I was affirmative with my conclusion that my assets were stolen because of Coinomi wallet and not because any other reason:

  • I downloaded and installed Coinomi wallet on 14th February 2019.
  • On the same day I pasted my Exodus wallet passphrase/seed in Coinomi’s wallet.
  • I opened “a new” Coinomi wallet with a new passphrase and transferred some crypto assets from the exchange to the wallet.
  • My crypto assets were stolen on 19th February 2019 and the only compromised wallet was Coinomi wallet which I “pasted” my passphrase in.
  • I had multiple wallets on the same virtual machine and none of them were stolen.
  • The assets in the new Coinomi wallet were also NOT stolen.

With these facts it’s clear that the only wallet which got compromised is the wallet which I pasted my Exodus passphrase in and that wallet was Coinomi which had a vulnerability (a feature) to spell check passphrases/seeds with Google API servers.

Misleading, Contradictory & Unprofessional Tweets

The team behind Coinomi was trying very hard to mislead the community with false information. I have listed few screenshots of their tweets to show the community what sort of company they are dealing with:

Patient Zero

One of Coinomi’s arguments in their official statement is that they had zero reports of hacked Desktop wallets and they are using it as an excuse. In fact, several reports of stolen assets were reported on Reddit. However, I will list some reasons that probably made me the first victim:

  • The Desktop wallet is new and it's less than 3 months old (announcement screenshot).
  • Desktop users are a lot less compared to the mobile version of the wallet.
  • To trigger the bug, the user has to restore his wallet.
  • My address had decent amount of crypto assets that attracted the criminal who stole my crypto assets.

Who’s Behind Coinomi?

It’s seems the team behind Coinomi (especially the management) are hiding behind the shadows. I’m listing them here so that the community can always identify them if they start any new project or even rename Coinomi to “Spell Checker”. They are affecting the ecosystem of crypto-currencies in a negative way because they lack credibility and professionalism.

Final Thoughts

By my second statement and the YouTube video, I’m pretty sure that I have provided all the facts and evidences that proves my claims regarding my stolen crypto-currency assets. I also provided clear evidences that shows how Coinomi lack credibility.

I have no choice other than taking this case legally against Coinomi because they keep refusing to take the responsibility of my loss. They wanted it to do it the hard way then let it be.

My final message to the person who stole my crypto-currency assets. The case is escalating by time by time and eventually legal investigations will begin. You still have the choice to correct your mistake and return the assets to the following addresses:

BTC:
1CtybEBttTMRuNwn4vbfcWurAJXDYX9Ntg

LTC:
LfiMHCpmef4MYsWu3fnNLsxcMxJJutQgsb

BCH:
qpqj7jl6uw3u8lsg28zcd06rcdfpashmfvyv9k2t90

ETH (including ERC20 tokens):
0xd87209d2118012C8021Ca5B8A4D3732906aa2770

Further updates will be posted through social media channels (@warith2020) and if required will be posted here.