Cryptocurrency investor Warith Al Mawali affirmed that he was the victim of a theft as he lost $70K in life savings due to a Coinomi security flaw , according to a Reddit post.
As always, there are two sides to every story . One party says that Al Mawali’s funds disappeared as the Coinomi’s desktop wallet had a backdoor that sent passphrase information to Google; on the other side, the company affirmed it found an issue, but it was solved quickly, and there is no evidence that anybody was stolen.
The story went public when Al Mawali published blog posts in Reddit and Bitcointalk saying that he was disclosing all information because the crypto wallet refused to take responsibility.
Al Malawi claims that the platform contains a backdoor, his “ passphrase was compromised , and $60K-$70K worth of cryptocurrency was stolen because of Coinomi wallet and how the wallet handled my passphrase.”
The problem with the passphrase is that once an investor enters his passphrase to the textbox, it is automatically inspected remotely by spellcheck through googleapis.com. It is “basically an HTML file ran by a Chromium browser component,” Al Malawi said.
The Verge 2018 tech report card: Google
He affirms that the person who got access to the leaked private key used it to steal around 17 Bitcoins units.
However, in a press release published later, the company said the seed phrase was not being transmitted in plain text but encapsulated inside an SSL HTTPS protocol with Google as the unique recipient.
Coinomi also stated that the spell-check requests were not processed , cached or store as it returned an error as they were flagged as “Bad Request” by Google “as they were badly formed (did not contain a valid Google API key) and never actually processed them.”
Al Malawi also built a dedicated website called Avoid-Coinomi.com where he also published videos explaining the flaws and the whole story.
One of the videos posted on AvoidCoinomi tries to demonstrate the vulnerability, and it looks that the option to decrypt HTTPS is selected in the software.
Finally, Coinomi affirmed that Al Malawi was blackmailing them. Coinomi’s COO Angelos Leoussis commented on the exchange’s official Telegram group that Al Malawi kept “threatening, swearing, and blackmailing us for insane amounts.”
The company also said that he offered that they will report the stolen assets to Chainalysis, which will blacklist the digital assets so no exchange would accept them.Share this story