An unusual bug has been discovered in Coinomi, a popular multicoin wallet. Of all the security issues that might have come up, a spell check tool seems to be to blame. The victim of the bug has now made his complaints known, while Coinomi has asserted that the victim handled the problem irresponsibly and blackmailed the company. This is what has happened so far…
The Bug Has Been Confirmed
The victim, Warith Al Maawali, claims that a text box built into the Coinomi wallet sent his seed phrase to Google’s online spell check service. Since a seed phrase can be used to gain access to a wallet, handling data in this way is a major risk. Al Maawali claims that the bug was used to steal $60,000 of cryptocurrency from his wallet.
He also says that Coinomi has “refused to take responsibility,” which has forced him to reveal the problem publicly. Coinomi itself has now responded, admitting that Google spell checks did occur due to a “bad configuration” in one of the wallet’s plug-ins. However, Coinomi also says that this function sent text securely—and that Google actually rejected the data.
Actual Exploit Up For Debate
Not everyone believes Al Maawali’s story. Since Coinomi’s wallet never sent data to a non-secure location, Al Maawali believes that a “Google employee, or whoever has control over the data,” gained access to his seed phrase and stole his funds. Of course, the idea that Google employees are stealing cryptocurrency is an extraordinary claim.
That claim is not entirely impossible, but few people are prepared to believe it. Although Al Maawali has demonstrated the spell check bug in a video, he can only prove that the data reached Google, not that Google employees actually stole his data. In other words, it is possible that the bug exists, but was never really exploited by an attacker.
Instead, many suspect that Al Maawali’s cryptocurrency was stolen by more common means. Some believe that his computer was infected by spyware or malware, while others believe that he leaked his seed phrase elsewhere. However, Al Maawali’s critics ultimately have no more proof than he does, meaning that the conflict may never be resolved.
Are Software Wallets Safe?
Even though exchanges and web wallets are usually the focus of security concerns, software wallets can also carry vulnerabilities. Some of these attacks are quite creative: the Electrum wallet, for example, recently fell victim to a convincing phishing attack when attackers used notification boxes to promote a fake update and steal user keys.
The bottom line is that storing cryptocurrency on any device connected to the Internet provides attackers with a potential way to steal cryptocurrency. Although software wallets are generally safe, they are still sometimes vulnerable. Hardware wallets are safer still, but even they have faced criticism—meaning that wallet security is never 100% certain.