[While a spelling check of input can be useful, maybe, the default should
be for this to be off.]
Catalin Cimpanu for Zero Day, 27 Feb 2019
Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck
API via HTTP, in plaintext.
The Coinomi wallet app sends user passwords to Google's spellchecking
service in clear text, exposing users' accounts and their funds to
man-in-the-middle (MitM) attacks during which attackers can log passwords
and later empty accounts.
The issue came to light yesterday after an angry write-up by Oman-based
programmer Warith Al Maawali who discovered it while investigating the
mysterious theft of 90 percent of his funds.
Al Maawali says that during the Coinomi wallet setup, when users select a
password (passphrase), the Coinomi app grabs the user's input inside the
passphrase textbox and silently sends it to Google's Spellcheck API service.
"To understand what's going on, I will explain it technically," Al Maawali
said. "Coinomi's core functionality is built using Java, with an integrated
Chromium-based (Google's open-source project) browser."
Al Maawali says that just like any other Chromium-based app, it comes
integrated with various Google-centered features, such as the automatic
spellcheck feature for all user input text boxes.
The issue appears to be that the Coinomi team did not bother to disable this
feature in their wallet's UI code, leading to a situation where all their
users' passwords are leaking via HTTP during the setup process.
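As an added illustration of the UI-level fix (this is example code written for this article, not Coinomi's own code), the snippet below audits an HTML fragment for free-text fields that look like they hold a passphrase or seed and that a Chromium-based UI would spellcheck by default, and shows how to harden each one. It assumes Chromium spellchecks `<textarea>` and text-type `<input>` elements unless `spellcheck="false"` is set; the sample form is constructed for the example.

```javascript
// Added example (not Coinomi's code). Assumption: an embedded Chromium view
// spellchecks <textarea> and text-type <input> fields unless spellcheck="false"
// is set, so any such field holding a passphrase/seed must opt out explicitly.
const SENSITIVE = /(pass(word|phrase)|seed|mnemonic|secret|recovery)/i;

// Parse the attributes of a single opening tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[a-zA-Z]+/, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return every sensitive free-text field that still has spellcheck enabled.
function auditSpellcheck(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const attrs = parseAttrs(tag);
    const type = (attrs.type || 'text').toLowerCase();
    const label = `${attrs.name || ''} ${attrs.id || ''} ${attrs.placeholder || ''}`;
    const freeText = m[1].toLowerCase() === 'textarea' || type === 'text' || type === 'search';
    if (!freeText || !SENSITIVE.test(label)) continue;
    if ((attrs.spellcheck || '').toLowerCase() !== 'false') {
      findings.push({ tag, field: attrs.id || attrs.name || '?' });
    }
  }
  return findings;
}

// Rewrite a tag so the browser neither spellchecks nor autocompletes it.
function hardenField(tag) {
  const stripped = tag.replace(
    /\s+(spellcheck|autocomplete|autocorrect)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
  return stripped.replace(/\s*\/?>$/, ' spellcheck="false" autocomplete="off" autocorrect="off">');
}

// Constructed sample form: two fields would leak to a spellcheck service as-is.
const SAMPLE_FORM = `
<form>
  <input type="text" name="username">
  <textarea id="passphrase" rows="3"></textarea>
  <input type="text" name="seed-words" spellcheck="true">
  <input type="text" id="recovery" spellcheck="false">
</form>`;
```

Running `auditSpellcheck(SAMPLE_FORM)` reports the `passphrase` textarea and the `seed-words` input; passing each reported tag through `hardenField` yields markup the audit no longer flags.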
Anyone in a position to intercept web traffic from the wallet app would be
able to see the Coinomi wallet app passphrase in cleartext.