Topic: Coinomi BUG or ...? (Read 414 times)

yeah, to me it also looks more like a rainbow table with a dictionary of the most common passwords and their equivalent salted hashes using MD5 hash algorithm. so it may not exactly be coming from Coinomi but be related to it. possibly a malware on OP's computer tried it but were broken enough to show the table itself!

Sorry, the the forensic analysis is linked on the first tweet of that thread that I send. I though that the tweets were also important, so I could take 2 birds with a single link. As noted by DaveF, the direct link to the analysis is https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af if you don't want to read the tweets from Coinomi's CEO about this.

I think this is what coinomi was referring to:
https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af

I think more and more people are just blaming their wallet, when it's something on the PC / Phone or they downloaded the wrong thing.
The electrum vulnerability is 18+ months old and yet people are still getting hit with it.
electrum-bitcoin.org ( https://bitcointalksearch.org/topic/fraud-site-electrum-bitcoinorg-is-now-mine-5229836 ) is still getting traffic.

So when something like the OP sees something it must be the wallet.
Not some other malware or the fact that they downloaded the wrong thing.

-Dave

Hello fer_coinomi

I don't know if all this drama is true or not, however I don't think you should post a twitter link if  you have a forensic analysis. This is not the first time I see someone from coinomi pasting a twitter link as if a tweet were a forensic analysis. It is not. Don't you have a direct link to this forensic analysis? It would certainly give much better credibility to it.

That being said, I use coinomi in my mobile for small amounts and never had problems, so I believe your version might be true, but pasting  a tweet link won't help.

I've received the file. It has 2435570 lines.
Four lines missed an "ENTER", after splitting those lines into two lines, each line was in there exactly 5 times.

After removing duplicates, I have 487115 lines left. It's comforting to know my own Coinomi password isn't in there.
The most common "password"  in there is "Aa123456." with 212904 occurrences. It looks like something based on commonly used passwords.
I would go with this:

Hi pizza50, please open a support ticket at support.coinomi.com explaining in detail what you saw. Explain where exactly did you see that text, how did it appear on the screen, if it was immediately after you ran the updated installer file or when running the app after updating, etc. Please also include a link to the exact file you downloaded and anything else you think is important. The wallet doesn't do anything you described, so most likely you downloaded a fake file from a fake website, or some other software activated as you tried to execute Coinomi. We would love to have a copy if that's the case. But a deeper malware scan and possibly moving your coins to a new recovery phrase using a clean device and subsequent wipe of your computer is recommended.

---

Hi mocacinno, the guy who uncovered the infractions was trying to extort Coinomi from the start, you can read the detailed forensic analysis of the entire thing here: https://twitter.com/kimionis/status/1131945228506738688

---

Hi Lucius, the password isn't stored anywhere, and definitely not on our servers. Your app password used to encrypt the wallet data. When the app requires the private keys for any operation, it tries to decrypt the local data with the password. If the decryption is successful, it means the password was correct. If the decryption was not successful, it means the password was wrong. The password itself (or hash or any kind of data derived from it) isn't stored anywhere, not even in your computer.

---

Our website hosts the executable and checksum on the same page, but also has a text file that contains the filenames and their respective hashes, which is signed with our lead dev's PGP key. The chain of trust starts with the signed message and PGP key. Once you verify the signature, you will know which are the legit hashes for each file. Finally you can download the file and check that its hash matches the one on the signed message.

https://bitcointalksearch.org/user/loycev-459836
LoyceV
Legendary
Activity: 1904
Merit: 6555

he was the first who requested the list ...i will send him
you have right i am new user and probable not enough trustworthy, but he is trusted enough, i will send him the list
he will the community more about ...

its a 214 MB file ... as i see some lines are duplicated, i think i have at least 500 k lines
and yes, i have a dell latitude 7480 with very good i7 processor and some gb ram...

Let's do some math.

OP posted 21 lines which need 1912 Byte of storage.
That's roughly 91 Byte per line.

91 Byte * 2.600.000 Lines = 236600000 Byte = 225 MB

That's definitely not too much to copy/paste and doesn't need gigs of free RAM.

Copy/pasting that definitely will take some time (maybe ~5 minutes?). So technically.. OP could tell the truth.
However i agree with you, that this seems to be quite unlikely. Especially since OP only registered here to create this thread.

I don't think so as I also disagree with other members believing that OP downloaded a malware which uses his computer to crack md5 hashes simply because those are salted md5 hashes (password + salt).

However, I agree with DaveF. I find it hard to believe that a random user was able to generate or download 2.6 million hashes in 4-5 minutes and copy pasted all the data to a text file without causing the computer to freeze unless it's really a very powerful one.
Besides, if it was really caused by a bug on Coinomi servers then the question is why are they saving hashes, salts and passwords (plain text) on the same table!! it's not safe and I doubt they would make such mistake.

And just don't move the coins. Use a new wallet. Just don't move the seed.

Although I still claim BS. I asked a programmer I know this morning about it.

More or less it came back as: 2.6 million hash. Let's do math.
2.5 million / 5 minutes. Both a longer time then the OP said and a smaller number of hashes.
that is 500,000 a minute. Or 8300 a second. Could be done with a very optimized PC app if they were using the GPU also.
But there is still no way in hell you could display to the screen and write to a file at the same time.

-Dave

Whether it's Coinomi bug or malware that pretends as Coinomi, i think what you should do are :
1. Immediately move your cryptocurrency from Coinomi to another wallet using clean/secure computer
2. Format your storage & reinstall your OS

I smell BS
1) Running 32 cores hard I can't hash and write 2,600,000 lines to an SSD with the machine doing nothing else for 5 minutes
2) New user we never heard from before having an issue like this.
3) Copy / pasting that much data in Windows will slow it to a crawl unless you have gigs and gigs of free RAM.

-Dave

Does someone knows if "SALTPLAIN" means it is salted or not? Have you tried to hash your current password in an md5 hasher and compare the result against the hash associated with your username in the list?

If they are equals, that should be very relevant

Any chance I can have your file (the one with 2.6 million lines)? Feel free to remove your own password first. If you encrypt it and upload it somewhere secure, I'd like to see if by any chance my own password is in your list. I only use Coinomi on mobile though.
I don't expect my password to be in your list, but if it is, it proves something is terribly wrong.

because i thought is something really strange i saved all them with ctrl+c and v in a text file (i use editpad pro) and its easy to count ... i mark the last line and editpad show the line number
maybe if the coinomi application did not freze so hard,  would have been more lines ... who know
i think this are not seeds or anything related to keys, they are coinomi passwords - when a coinomi wallet owner will send out money need put this password to approve the transfer
anyway is very very strange how can this appear in the application ..

This changes everything... If there is even a shred of evidence this would mean that they were caught sending sensitive data "home" for the second time...

Do be careful, the first time (when they allegedly sent seeds to Google) they spent loads of time, effort and money to "bury" the guy that uncovered the alleged infractions.

words of a centralized and closed source wallet mean absolutely nothing. it would be like Coinbase saying they aren't sending all your activities to the authorities every second.
they also have a bad history of doing strange things that make no sense like sending the seed to their server to be checked! so i wouldn't be surprised if their servers also stored the wallet passwords.

How did you get to the number of 2.6 million passwords? I suppose they're not counted manually, is that number show somewhere in Coinomi UI?


To me, this is really weird, because according to what Coinomi says, all user data is only on the user's device, and there is an encrypted application data folder where seed/keys are stored. What interests me is where the user's password is stored? According to this, it turns out that it is located on a Coinomi server that sent everything to one user during an update in some crazy bug

Assuming everything is stored locally, then it is impossible for one program to connect to millions of computers and pull all this data - or is it still possible?

and the strange things is that i fund my password in that list - and i use a really long and complex password for coinomi ...

You didn't take a screenshot of it?

I have PM'ed Brenny_Coinomi about this thread. Maybe - if that really happened - it's something which can be explained by him?