Cryptocurrency storage application Coinomi Wallet has refuted recent claims that its software was coded to send unencrypted wallet recovery seed phrases to Google’s spell check servers. The claims were denied in an official statement posted on Medium on Wednesday, February 27th.
Coinomi clarified that seed phrases “weren’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets,” and that if they were sent, they were encrypted and “encapsulated inside a HTTPS request with Google being the sole recipient.”
Our official statement on the spell-check findings:
— coinomi (@CoinomiWallet)
Additionally, “the spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as ‘Bad Request’ and weren’t processed further by Google.”
Still, Coinomi did acknowledge that this was a problem, one that was likely caused by poor configuration in plug-in software that operates as part of the Coinomi wallet desktop application.
The claims were originally publicly made against the company came from one Warith Al Maawali, a man who said that a Coinomi wallet had been hacked because of the vulnerability. Maawali created a support request on Coinomi’s board describing the claims in detail; he also seems to have created Avoid-Coinomi.com, a website that also contains
Coinomi is said to have immediately flagged the post as ‘high priority’ and to have launched an investigation into the matter. Despite this, however, Coinomi COO Angelos Leoussis that Maawali persisted in “threatening, swearing, and blackmailing us for insane amounts.”
Unfortunately for Coinomi, Maawali’s claims spread like wildfire over the web. At the time of writing, a number of crypto-centric news publications, including DecryptMedia, Ethereum World News, and Bitcoin Exchange Guide have reported on Maawali’s claims without including Coinomi’s defense.
SECURITY VULNERABILITY sends your plain text seed phrase to Googles remote spellchecker API when you enter it! This is not a joke!
Video attached for proof.
Credit goes to for finding the issue, read more from him here:
— Luke Childs (@lukechilds)
CoinTelegraph reported that before Maawali went public with his allegations, he requested that the company refund him the cryptocurrency that had allegedly been stolen from him, threatening that if they failed to do so, he would have “no choice other than reporting this in social media.” However, Maawali would not provide Coinomi with the details of his claims.
Coinomi proceeded by asking Maawali for more information on the alleged vulnerability. Maawali is said to have responded by saying that he wouldn’t give any details until he was guaranteed payment.
Let the message be clear, we do not negotiate with blackmailers.
Here is the full Helpdesk correspondance with (a blackmail gone wrong):
👉 👈
— coinomi (@CoinomiWallet)
Even so, Coinomi reportedly reported the allegedly stolen assets to Chainalysis, so that the funds will be blacklisted, and therefore will not be accepted by any exchange.
Finance Magnates reached out to Coinomi, but had not received a response at the time of publication.
Be First to Comment