Reuse thanks to:

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Cryptocurrency wallet caught sending user passwords to Google's spelling checker (ZDNet)

Gene Wirchenko <genew@telus.net>
Wed, 27 Feb 2019 21:12:54 -0800
  [While a spelling check of input can be useful, maybe, the default should
  be to this being off.]

Catalin Cimpanu for Zero Day, 27 Feb 2019
Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck
API via HTTP, in plaintext.
https://www.zdnet.com/article/cryptocurrency-wallet-caught-sending-user-passwords-to-googles-spellchecker/

opening text:

The Coinomi wallet app sends user passwords to Google's spellchecking
service in clear text, exposing users' accounts and their funds to
man-in-the-middle (MitM) attacks during which attackers can log passwords
and later empty accounts.

The issue came to light yesterday after an angry write-up by Oman-based
programmer Warith Al Maawali who discovered it while investigating the
mysterious theft of 90 percent of his funds.

Al Maawali says that during the Coinomi wallet setup, when users select a
password (passphrase), the Coinomi app grabs the user's input inside the
passphrase textbox and silently sends it to Google's Spellcheck API service.

"To understand what's going on, I will explain it technically," Al Maawali
said. "Coinomi core functionality is built using Java programming
language. The user interface is designed using HTML/JavaScript and rendered
using integrated Chromium (Google's open-source project) based browser."

Al Maawali says that just like any other Chromium-based app, it comes
integrated with various Google-centered features, such as the automatic
spellcheck feature for all user input text boxes.

The issue appears to be that the Coinomi team did not bother to disable this
feature in their wallet's UI code, leading to a situation where all their
users' passwords are leaking via HTTP during the setup process.

Anyone in a position to intercept web traffic from the wallet app would be
able to see the Coinomi wallet app passphrase in cleartext.



Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse.
109