Spellcheck vulnerability addressed by Coinomi

The crypto wallet provider Coinomi has denied the allegation that its wallet has a bug that allows Google to view users' seed phrases. Reportedly, Coinomi generates 24 seed phrases, which enable its users to restore the wallet on any platform and help them manage it on a phone or PC. However, the wallet company rejected this report in an official statement issued on 27th February.

According to the statement issued by the company, the media has misinterpreted the transmission of seed phrases. The company added that the seed transmission was encrypted through SSL and that Google was its lone recipient.

However, according to a user of the Coinomi wallet, the vulnerability sends the wallet's private key to Google's spell checking service in plain text. The user explains that the desktop wallet has a textbox for recovering a wallet, and any text typed into this textbox is automatically sent to googleapis.com as a spell check request. The textbox in question is powered by a Chromium browser component, and the text typed into it is turned into an HTML file.
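The exposure described above depends on spell checking being active on a field that receives secrets. As an added example (not Coinomi's code or its patch), this JavaScript check flags editable fields in markup that do not opt out with the standard HTML `spellcheck="false"` attribute. The sample form, its ids and the list of text-like input types are assumptions made for illustration.

```javascript
// Added example: flag editable fields that leave spell checking enabled.
// Regex tag scanning suits the constructed sample; use an HTML parser in production.
const TEXT_INPUT_TYPES = new Set(["text", "search", "url", "email"]);

// Parse one opening tag's attributes into a map with lowercase keys.
function parseAttrs(tagSource) {
  const attrs = Object.create(null);
  const body = tagSource.replace(/^<\s*[a-z0-9]+/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// True for elements whose typed content a browser engine may spell-check.
function isEditable(tag, attrs) {
  if (tag === "textarea") return true;
  if (tag === "input") return TEXT_INPUT_TYPES.has((attrs.type || "text").toLowerCase());
  // contenteditable with no value or "true" makes any element editable.
  return "contenteditable" in attrs &&
    attrs.contenteditable.toLowerCase() !== "false";
}

// Return every editable element that does not carry spellcheck="false".
// Only the element's own attribute counts, so inherited settings are reported too.
function auditSpellcheck(html) {
  const findings = [];
  const tagRe = /<\s*([a-z0-9]+)\b[^>]*>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[0]);
    if (!isEditable(tag, attrs)) continue;
    if ((attrs.spellcheck || "").toLowerCase() !== "false") {
      findings.push({ tag, id: attrs.id || null });
    }
  }
  return findings;
}

// Constructed sample form; all ids are hypothetical.
const SAMPLE = `<form>
  <textarea id="restore-seed" rows="3"></textarea>
  <textarea id="restore-seed-fixed" spellcheck="false"></textarea>
  <input id="wallet-name" type="text">
  <input id="wallet-pass" type="password">
  <div id="notes" contenteditable></div>
</form>`;
console.log(auditSpellcheck(SAMPLE));
```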

The bug, which occurred only in the desktop wallet, was neither intentional nor by design. The error happened purely because of the plugins used in the wallet. The day the Coinomi team heard of the plugin, they launched a patch to fix the error. Although the user claims the data was sent in plain text, his screenshot shows that the data packets were encrypted.

As stated by Coinomi, the spell check requests that went from Coinomi to Google were not stored; they were flagged as unauthorized requests and were not processed further.

Coinomi has put the user's claim on high alert and has investigated the matter. According to the company's COO, the company is also receiving threatening and blackmailing calls from the user group.

The wallet company also confirms that no other reports of wallet hacks have come to light apart from that of this particular user, Warith Al Maawali. It even believes that the keys are still controlled by him and were not stolen. The company also said that seeds were never transmitted unless a user explicitly did so to restore a desktop wallet.

On the 26th of last month, the company decided to report the stolen assets to Chainalysis, so that the funds get blacklisted and are not accepted by any exchange.

James Voss

James Voss is a full-time writer at CryptoLighty. He holds a postgraduate degree in computer science and has around one year of experience writing about cryptocurrencies. His technical knowledge and passion for crypto led him to our reporting team. He is also interested in analyzing cryptos through technical aspects such as different charts.
