Hello everyone,
I just stumbled over the reddit post in which a user claims to have lost his funds due to a critical vulnerability in the wallet.
Whether there is anything to it I don't know, and I don't want to cause a panic, but incidents like this must always be taken as an occasion to point out the dangers of such services.
The concrete problem here is that the password, or rather the seed, was sent to Google in plaintext for spell checking. Leaving aside the question of blame, the result is that the funds are irrevocably lost, if the story is true.
To understand how catastrophic the security issue is: they simply take your crypto-currency wallet's passphrases/seeds and spell-check them by sending them remotely to Google servers in clear plain text!
Technical Analysis
I started going back in time and arranging the events. The only new thing that I had done was installing and running the Coinomi wallet, so my first conclusion was that the unsigned version of the application had a backdoor.
I did further investigation and compared both the unsigned version of the setup file and the signed version. The only difference was that they had added a digital signature to the main executable file and the Java file (the main application).
At that stage I thought that there was probably something suspicious about the application apart from having their main executable unsigned, so I started replicating what I did in a new virtual machine, but this time I installed "Fiddler", a piece of software that allows you to monitor and debug the HTTP/HTTPS traffic of all applications running on your machine.
I started monitoring the traffic by running Fiddler in the background and then started the Coinomi wallet. The first thing I noticed is that the Coinomi application starts downloading a dictionary wordlist from the following web address:
https://redirector.gvt1.com/edgedl/chrome/dict/en-us-8-0.bdic
Then I clicked on restore wallet and pasted a random passphrase, and suddenly the screen screamed SURPRISE MOTHER****** (boom, puzzle solved!)
The WHOLE passphrase in plain text is sent to googleapis.com, a domain name owned by Google! It was being sent as a spell-check function! Here is a sample screenshot of the HTTP request:
https://avoid-coinomi.com/files/coinomi_screenshot_1.png
To verify my findings I have uploaded a video for anyone who wants to test and replicate what I did:
https://avoid-coinomi.com/files/coinomi_http_traffic_video.mp4
https://www.reddit.com/r/CryptoCurrency/comments/av7gfi/warning_coinomi_wallet_critical_vulnerability/
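A defender-side check, added here as an example and not part of the post or of the wallet's code: it scans constructed proxy-capture lines (the export format and the googleapis.com request path are placeholders, not the real endpoint) for any outbound request whose URL or body carries a mnemonic-length run of BIP39 wordlist words, which is how the leak described above would show up in a Fiddler session.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Subset of the BIP39 English wordlist for this demo (the real list has 2048
# words; load your own copy of the full list in production). All 16 are genuine.
BIP39_WORDS = frozenset("""abandon ability able about above absent absorb
abstract absurd abuse access accident account accuse achieve acid""".split())

MIN_RUN = 12  # BIP39 mnemonics are 12 to 24 words long

def mnemonic_word_run(text):
    """Longest run of consecutive BIP39 words in free text (case-insensitive)."""
    best = cur = 0
    for tok in re.findall(r"[a-z]+", text.lower()):
        cur = cur + 1 if tok in BIP39_WORDS else 0
        best = max(best, cur)
    return best

def flag_request(method, url, body):
    """Return a finding if the URL path, a query value or the body carries a
    mnemonic-length run of BIP39 words, else None. A seed phrase has no business
    in any outbound request, so no host is exempt from the check."""
    parts = urlsplit(url)
    candidates = [unquote_plus(parts.path), body or ""]
    for values in parse_qs(parts.query).values():
        candidates.extend(values)
    run = max(mnemonic_word_run(c) for c in candidates)
    if run >= MIN_RUN:
        return {"host": parts.hostname or "", "method": method, "bip39_run": run}
    return None

def scan_capture(lines):
    """Scan 'METHOD URL<TAB>body' lines (a constructed export format) for leaks."""
    findings = []
    for line in lines:
        head, _, body = line.partition("\t")
        method, _, url = head.partition(" ")
        finding = flag_request(method, url, body)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample capture: the dictionary download the post mentions, a
# spell-check style POST to googleapis.com (placeholder path), and a harmless
# search request that contains only three wordlist words.
SAMPLE_CAPTURE = [
    "GET https://redirector.gvt1.com/edgedl/chrome/dict/en-us-8-0.bdic\t",
    "POST https://www.googleapis.com/PLACEHOLDER-spellcheck\t"
    '{"text": "abandon ability able about above absent absorb abstract absurd abuse access accident"}',
    "GET https://search.example/?q=abandon+ability+able\t",
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"possible seed leak to {f['host']} ({f['method']}, {f['bip39_run']} wordlist words in a row)")
```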