
Topic: [Warning] About Coinomi - page 3. (Read 2137 times)

legendary
Activity: 3486
Merit: 1055
September 29, 2017, 05:36:30 PM
#14
Thank you for this information, in fact I have never used a Coinomi wallet, this information will be very helpful for those who use the Coinomi wallet. I hope this problem can be resolved quickly so as not to harm the person who has trusted and used the Coinomi wallet. Watch Out!
sr. member
Activity: 462
Merit: 254
September 29, 2017, 04:03:34 PM
#13
If we want to stay mobile, the best would then be to generate mind or paper wallets. We could maybe use Coinomi only for transfers. Would that be a solution?
staff
Activity: 3500
Merit: 6152
September 29, 2017, 01:08:35 PM
#12
Quote
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus, which supports multiple coins as well, but they only work on desktop for the moment, and there is Jaxx, which you probably heard of before, but they also faced a hack in the past (I believe private keys are stored in their servers), but they support phones, so it's up to you.
sr. member
Activity: 868
Merit: 259
September 28, 2017, 11:50:37 PM
#11
This does not look good. This is the mobile wallet I use and this is what I recommend that everyone use. I know that there will always be vulnerabilities in any software but it's the handling of the situation that had me peeved. I hope they fix it and behave more professionally next time.
hero member
Activity: 1050
Merit: 529
September 28, 2017, 11:27:33 PM
#10
Quote
Ouch, I just installed Coinomi a few days ago and using it now.
Yeah same here. It seemed like the best mobile wallet to store altcoins.
Quote
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
sr. member
Activity: 2828
Merit: 357
September 28, 2017, 07:40:35 PM
#9
Ouch, I just installed Coinomi a few days ago and using it now. Thank you for notifying the community. Will move my coins now to a more secure wallet. I hope they treat this as a priority otherwise it will ruin their reputation and the way they handled that guy is very unprofessional. As per Twitter:

Quote
We have hundreds of thousands of users reaching out to us, we are unable to respond to every single request right away, esp complex issues
But at least give it a priority otherwise they will lose potential customers.
legendary
Activity: 3080
Merit: 1353
September 28, 2017, 07:34:13 PM
#8
Quote
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).

Hey thanks for the heads up. I'm thinking of using Coinomi but this issue should be fixed first. I'll just stick with Electrum for the meantime. This guy has a valid point and calling him FUD'ster and shill is inappropriate. He is helping the community not the other way around.

Quote
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.

For the sake of those members who have reading problems.

1. The guy monitored all network traffic while opening the Coinomi app on his phone.
2. He did a search on the captured packets.
3. It ended up matching a packet, which when decoded
4. is an Electrum communication happening in plain text.
5. Following the full TCP stream from start to finish shows the following decoded messages being sent in plain text.
6. Basically opening the Coinomi app is broadcasting all Bitcoin addresses in plain text over the network.
7. Meaning none of which are using SSL.

So definitely there are vulnerabilities in their wallet and they should be fixed ASAP.
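
The check described in the steps above, written as a small auditor for a capture of your own wallet's traffic (an added example, not code from this thread, the GitHub issue or Coinomi). It assumes the client-to-server bytes of one TCP stream have already been exported from a capture tool; the method names are those of the Electrum 1.x protocol, and the sample streams and addresses are constructed placeholders.

```python
import json

# Electrum 1.x methods whose first parameter is a wallet address.
ADDRESS_METHODS = {
    "blockchain.address.subscribe",
    "blockchain.address.get_history",
    "blockchain.address.get_balance",
    "blockchain.address.listunspent",
}

def looks_like_tls(payload: bytes) -> bool:
    """A TLS stream opens with a handshake record: type 0x16, version 0x03xx."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def audit_stream(payload: bytes) -> dict:
    """Classify one client-to-server TCP stream; list addresses sent in the clear."""
    if looks_like_tls(payload):
        return {"transport": "tls", "addresses": []}
    saw_rpc, addresses = False, set()
    for line in payload.split(b"\n"):  # Electrum frames are newline-delimited JSON
        try:
            msg = json.loads(line.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # not a JSON line, skip it
        if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
            continue
        saw_rpc = True
        params = msg.get("params")
        if (msg["method"] in ADDRESS_METHODS and isinstance(params, list)
                and params and isinstance(params[0], str)):
            addresses.add(params[0])
    return {"transport": "plaintext-electrum" if saw_rpc else "unknown",
            "addresses": sorted(addresses)}

# Constructed sample streams (placeholder addresses, not real capture data).
PLAINTEXT_SAMPLE = (
    b'{"id": 1, "method": "server.version", "params": ["constructed-client", "1.0"]}\n'
    b'{"id": 2, "method": "blockchain.address.subscribe", "params": ["1ExampleAddrA"]}\n'
    b'{"id": 3, "method": "blockchain.address.get_history", "params": ["1ExampleAddrB"]}\n'
    b'{"id": 4, "method": "blockchain.address.subscribe", "params": ["1ExampleAddrA"]}\n'
)
TLS_SAMPLE = bytes.fromhex("160301002a0100002603") + bytes(32)

if __name__ == "__main__":
    for name, data in (("plaintext", PLAINTEXT_SAMPLE), ("tls", TLS_SAMPLE)):
        print(name, audit_stream(data))
```

A `tls` result only shows that the stream is encrypted; whether the app validates the server certificate has to be checked separately.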
full member
Activity: 392
Merit: 102
September 28, 2017, 06:52:05 PM
#7
Quote
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).

Thank you for the heads up... and really thank you for posting in a rational manner.  You posted a link, summarized it, and let us decide whether or not we should take action.  Refreshing change of pace from the FUD posts we get, "ZOMG!  Wallet hacked!!!1 All your BTC scammed!11!!"
legendary
Activity: 1750
Merit: 1115
September 28, 2017, 04:54:45 PM
#6
Quote
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).
Thanks for sharing it around. I went through the issue raised on their GH page and it seems quite relevant. Even their official contributor isn't sure if they are using an SSL. However, I don't think that issue is likely to broadcast your private keys over the network. From the first couple of comments only the public addresses are being broadcast. Let's see how this turns out.

Quote
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
You have to read the issue from the day it was raised, don't just read the comments. Also check the issues that were referenced in that thread.
legendary
Activity: 2758
Merit: 6830
September 28, 2017, 04:42:30 PM
#5
Quote
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
Read the issue posted on GitHub.

"Connecting to these servers shows they are unencrypted without SSL... Does this mean your Android app is making all Electrum requests in plain text?"

"[...] So basically opening the Coinomi app is broadcasting all of my Bitcoin addresses in plain text over the network."

And from this reddit post[1]:

Quote
"This has privacy issues, meaning I can view all of your addresses and see how many coins you have, which addresses you're sending them to and which addresses you received them from.

It could also potentially open you up to a replay attack. e.g I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."

[1] https://www.reddit.com/r/Bitcoin/comments/72lmql/security_warning_coinomi_wallet_transmits_all/
sr. member
Activity: 302
Merit: 250
September 28, 2017, 04:11:35 PM
#4
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
legendary
Activity: 1372
Merit: 1005
September 28, 2017, 02:25:06 PM
#3
Quote
They handled the situation very badly by ignoring the issue for days and acting like a child on Twitter, but the good news is that they plan to fix those issues (in case you still want to use Coinomi):

Quote
Hey all,

We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.

Keep an eye on the ElectrumX repo for a pull request.

Sorry that it took so long to fix.
Source: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332519079

Guys, are you sure about the issue? I have a friend who has been using this wallet for some time. I feel fear about this now. Let me make this thread's information clear to him now.
If the issue has been fixed then we can use it, else it would not be good, like bit.ac
legendary
Activity: 2758
Merit: 6830
September 28, 2017, 02:09:32 PM
#2
They handled the situation very badly by ignoring the issue for days and acting like a child on Twitter, but the good news is that they plan to fix those issues (in case you still want to use Coinomi):

Quote
Hey all,

We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.

Keep an eye on the ElectrumX repo for a pull request.

Sorry that it took so long to fix.
Source: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332519079
staff
Activity: 3500
Merit: 6152
September 28, 2017, 01:49:39 PM
#1
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).