Topic: [Warning] About Coinomi - page 2. (Read 2137 times)
Oh, good that you made us aware, thanks for that. I was about to set up a wallet, but wont go this route now. Also I dont like this unprofessional behavior, they should be rather thankful to this developer because he made them aware of a security risk. I dont understand some people.
Was this ever resolved ?
just heard about coinomi and was wanting to try it out.
just heard about coinomi and was wanting to try it out.
As I understood right, the issue is fixed now, isn't it or should we move our coins away from old addresses?
I don't think so. Doesn't look like Coinomi thinks this is a security issue - just like what happened with Jaxx a few months ago. They even changed the title of the issue from Security Vulnerability: Coinomi transmits all data in plain text to Coinomi transmits all data in plain text.We never lied, there isn't any security implication associated with your findings. And we haven't ignored you so please stop making this personal. Unless you have something constructive to add to this, this thread will be locked.
If you feel uncomfortable with the way Coinomi inquires the blockchains you may as well use a VPN service (there are several good solutions for Android) until SSL is included in a feature releases.
As I understood right, the issue is fixed now, isn't it or should we move our coins away from old addresses?
We are going to make an official announcement as to what really happened here once our investigation is through, thank you.
Ok fair enough. You should make it official so that all this questions about the vulnerability of your wallet could be address. Its been what more than 2 weeks now since the report has been reported and we haven't seen any reply from you guys. You can't just go here and post:
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.
I like Coinomi. But don't let this issue ruin your reputation. At least a official statement will be enough for your users and potential users. So the feeling of doubt about your services can be cleared.
We are going to make an official announcement as to what really happened here once our investigation is through, thank you.
Ok fair enough. You should make it official so that all this questions about the vulnerability of your wallet could be address. Its been what more than 2 weeks now since the report has been reported and we haven't seen any reply from you guys. You can't just go here and post:
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.
I like Coinomi. But don't let this issue ruin your reputation. At least a official statement will be enough for your users and potential users. So the feeling of doubt about your services can be cleared.
We are going to make an official announcement as to what really happened here once our investigation is through, thank you.
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.
I don't know if this is an official response, but if it is... great that you've updated to SSL. However, this has moved way beyond the SSL issue and is more about the response to the potential security issue. You probably should huddle up as a leadership team and figure out how to recover the disaster your social team created.
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.
i hope the dev will fix the problem so we can still using the wallet. its too bad to hear this news because i save the coins into coinomi and thank you for giving this info. i am trying to thinking to move my coins into another wallet if there is not any update from the dev. but i realize there is no guarantee for every wallet that will be 100% secure.
Well this is not good news. I hope they get it fixed. Coinomi is where my first wallets am from, still have them too
Quote
"This has privacy issues, meaning I can view all of your addresses and see how many coins you have, which addresses you're sending them to and which addresses you received them from.
It could also potentially open you up to a replay attack. e.g I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."
It could also potentially open you up to a replay attack. e.g I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."
Woah that just blew my mind. I had no idea man-in-the-middle attacks could even happen with bitcoin transactions! Holy crap this is like getting DDOSed right at the wrong moment to screw you over and steal your bitcoins.
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
No they are putting the Jaxx hack out of context. It could be the person who reported it transferred his own funds to another wallet and claimed he has hacked. In fact the report was questionable because it was made right after the discovery that your Jaxx seeds could be extracted in plain text.
The private keys are not stored in their servers. Please read up on it before you post. Its easy.
Oh, that's very unprofessional PR. But as I understand, this is only privacy issue and our coins are safe, because only bitcoin adresses, not private keys broadcasted over the network. But it must be fixed.
Coinomi was my favourite wallet for Android, because they support many coins, not like Jaxx or Exodus. I hope this privacy issue will be fixed, because I don't see any good alternatives for Coinomi.
Coinomi was my favourite wallet for Android, because they support many coins, not like Jaxx or Exodus. I hope this privacy issue will be fixed, because I don't see any good alternatives for Coinomi.
Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.
Don't.Exodus is equally prone to all those vulnerable hacks and certainly doesn't belong in the category of 'Safe Wallets'.While Exodus is still kinda safe. Any wallet may be an "unsafe" if you're not careful with your OS. Even while using Electrum, you may lose your coins if you have a malware on your computer.
Oh I missed this news. Fortunately, the one on reddit is still there because the page on github have been taken down already. I've been using coinomi wallet for months now, tbh I used it yesterday for few transactions.
I visited their twitter page and saw that they will be giving their official statement about the issue in few days [LINK]. I'll wait for that statement first, I hope we could see it soon. Bad move of blocking that person though.
I visited their twitter page and saw that they will be giving their official statement about the issue in few days [LINK]. I'll wait for that statement first, I hope we could see it soon. Bad move of blocking that person though.
You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
I would not recommend a Desktop wallet built on Electron to anyone.If you know how electron works,their source code is installed on the desktop since it doesn't make any native apps and only runs an instance of a chrome browser on a windows PC.Code security is none,I don't even know how people trust such apps wit their private keys.Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.
Don't.Exodus is equally prone to all those vulnerable hacks and certainly doesn't belong in the category of 'Safe Wallets'.
What is so bad on the way, addresses are shown? As long as they son't publish the keys ....
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
I would rather wait for the vulnerability to get fix by Coinomi instead of going to Jaxx which has history of hacks. Of course there is the ever reliable Electrum however, it only supports bitcoin though.
Thank you for this information, in fact I have never used a coinomi wallet, this information will be very helpful for those who use the coinomi wallet. I hope this problem can be resolved quickly so as not to harm the person who has trusted and used the coinomi wallet. Watch Out!
Yes, I have coinomi wallet and I'm pretty disappointed with the way they handle the issues. Although I only hold small amounts of altcoins in my wallet, but still this is a scary one seeing you address transmitted in plain text across the network.
Jump to: