
Topic: [Warning] About Coinomi (Read 2147 times)

newbie
Activity: 10
Merit: 2
September 06, 2018, 02:44:01 AM
#54
My Coinomi wallet has anything coin, however not receiving and saying no connection and not showing up on the blockchain. Are these coins actually in my wallet? And verify keeps going up like it's still getting approved... Mmmmm

If you don't see the funds in your wallet after checking your address in a block explorer, then you don't have the funds. If you do, it could be a display issue.

Alternatively, I suggest getting in touch with the community/dev team in Reddit or Telegram, can be found on their site (footer): https://www.coinomi.com/




Bro almost 10 months and more up so far after you opened this thread! Still is that not confirmed from the dev team of Coinomi, they should check and rectify the bug on their wallet or site right?

Can you check and confirm once again. I have their application on my phone and so far I did not find any issues with the wallet about usages.

I also can't find any bugs (even on my second phone with old Android 4.4). Nothing disappeared, except the Ethereum tokens. Bought some within the Coinomi app (not the built-in exchangers), but I forgot about them, so that I can't find them. But for that there also exists a solution. Export the Ethereum wallet to MEW and the tokens should be visible.

This is an old dBase issue (funds were not affected of course) which is now fixed. All tokens are addable from either +Tokens list (if they're natively listed in the wallet) or the search function in the same page if they are not.

Also note that you don't have to expose your ETH key to mew, as the seed is cross-importable (coinomi to mew, mew to coinomi).


Angelos from Coinomi
staff
Activity: 3500
Merit: 6152
August 17, 2018, 02:17:15 AM
#53
I'm not related to the team, I only made this thread as a warning. I suggest using their Telegram and asking them yourselves.
hero member
Activity: 909
Merit: 508
August 16, 2018, 03:50:17 PM
#52
My Coinomi wallet has anything coin, however not receiving and saying no connection and not showing up on the blockchain. Are these coins actually in my wallet? And verify keeps going up like it's still getting approved... Mmmmm

If you don't see the funds in your wallet after checking your address in a block explorer, then you don't have the funds. If you do, it could be a display issue.

Alternatively, I suggest getting in touch with the community/dev team in Reddit or Telegram, can be found on their site (footer): https://www.coinomi.com/




Bro almost 10 months and more up so far after you opened this thread! Still is that not confirmed from the dev team of Coinomi, they should check and rectify the bug on their wallet or site right?

Can you check and confirm once again. I have their application on my phone and so far I did not find any issues with the wallet about usages.

I also can't find any bugs (even on my second phone with old Android 4.4). Nothing disappeared, except the Ethereum tokens. Bought some within the Coinomi app (not the built-in exchangers), but I forgot about them, so that I can't find them. But for that there also exists a solution. Export the Ethereum wallet to MEW and the tokens should be visible.
hero member
Activity: 1148
Merit: 523
August 16, 2018, 12:55:23 PM
#51
My Coinomi wallet has anything coin, however not receiving and saying no connection and not showing up on the blockchain. Are these coins actually in my wallet? And verify keeps going up like it's still getting approved... Mmmmm

If you don't see the funds in your wallet after checking your address in a block explorer, then you don't have the funds. If you do, it could be a display issue.

Alternatively, I suggest getting in touch with the community/dev team in Reddit or Telegram, can be found on their site (footer): https://www.coinomi.com/




Bro almost 10 months and more up so far after you opened this thread! Still is that not confirmed from the dev team of Coinomi, they should check and rectify the bug on their wallet or site right?

Can you check and confirm once again. I have their application on my phone and so far I did not find any issues with the wallet about usages.
staff
Activity: 3500
Merit: 6152
August 14, 2018, 02:06:45 PM
#50
My Coinomi wallet has anything coin, however not receiving and saying no connection and not showing up on the blockchain. Are these coins actually in my wallet? And verify keeps going up like it's still getting approved... Mmmmm

If you don't see the funds in your wallet after checking your address in a block explorer, then you don't have the funds. If you do, it could be a display issue.

Alternatively, I suggest getting in touch with the community/dev team in Reddit or Telegram, can be found on their site (footer): https://www.coinomi.com/

newbie
Activity: 6
Merit: 0
August 14, 2018, 10:55:26 AM
#49
My Coinomi wallet has anything coin, however not receiving and saying no connection and not showing up on the blockchain. Are these coins actually in my wallet? And verify keeps going up like it's still getting approved... Mmmmm
staff
Activity: 3500
Merit: 6152
March 05, 2018, 01:20:49 PM
#48
@Coinomi DEVS Do you have an ETA for Callisto airdrop release? I use yobit too and already have my CLO.

This is not the ANN thread. I suggest checking Twitter for announcements or their Telegram, the CEO is pretty active there.
newbie
Activity: 16
Merit: 5
March 05, 2018, 01:18:20 PM
#47
@Coinomi DEVS Do you have an ETA for Callisto airdrop release? I use yobit too and already have my CLO.
staff
Activity: 3500
Merit: 6152
February 13, 2018, 04:11:50 AM
#46
Did you export private keys via Coinomi menu? It redirects to webpage... Is it safe or should I use air-gapped machine then?

It's an open source project and you can run it locally on your PC without an internet connection if you want to, but since the website is forked and hosted by Coinomi, I see no reason why you should use an air-gapped machine for that, because if you're afraid of Coinomi, then the wallet itself is not open source; they could've stolen your funds already if they wanted to, and the same thing applies to a hacker who has access to your phone through malware.
sr. member
Activity: 462
Merit: 254
February 13, 2018, 03:54:40 AM
#45
I went through the steps, posted by coinomi.
https://coinomi.freshdesk.com/support/solutions/articles/29000009717-what-is-the-recovery-tool-and-how-do-i-export-my-private-keys-
If I remember right I used airplane mode, because the mnemonic converter also works offline.
jr. member
Activity: 61
Merit: 6
February 13, 2018, 03:05:24 AM
#44
Good question. I was also wondering about the seeds of the different coins. But separate private keys of every coin can be exported. I did that for example with ETH to import to myetherwallet.
Did you export private keys via Coinomi menu? It redirects to webpage... Is it safe or should I use air-gapped machine then?
legendary
Activity: 3094
Merit: 1472
February 13, 2018, 01:48:52 AM
#43
Thank you so far. I almost got it. But the Coinomi seed is not particular to 1 (coin) blockchain. BIP0032 says that the seed is translated through the masternode.

Is the seed (phrase) of Coinomi a bundle of seeds of the different coins you are holding in your wallet? I mean Coinomi has no masternode, so where does the unfolding/translating of the Coinomi seed take place if it contains several blockchain seeds/keys?

I once imported my hardware wallet mnemonic phrase into coinomi wallet and it showed me the same BTC address as it was showing in hardware wallet app, same ethereum wallet as in app and same for doge addy as well.

From what I understand, it loads the wallet according to the mnemonic phrase and does not contain any separate keys/seeds for each altcoin wallet. It's only that one mnemonic phrase.
sr. member
Activity: 462
Merit: 254
February 12, 2018, 09:57:31 PM
#42
Thank you so far. I almost got it. But the Coinomi seed is not particular to 1 (coin) blockchain. BIP0032 says that the seed is translated through the masternode.

Is the seed (phrase) of Coinomi a bundle of seeds of the different coins you are holding in your wallet? I mean Coinomi has no masternode, so where does the unfolding/translating of the Coinomi seed take place if it contains several blockchain seeds/keys?
Good question. I was also wondering about the seeds of the different coins. But separate private keys of every coin can be exported. I did that for example with ETH to import to myetherwallet.
full member
Activity: 350
Merit: 100
February 12, 2018, 08:42:36 AM
#41
Thank you so far. I almost got it. But the Coinomi seed is not particular to 1 (coin) blockchain. BIP0032 says that the seed is translated through the masternode.

Is the seed (phrase) of Coinomi a bundle of seeds of the different coins you are holding in your wallet? I mean Coinomi has no masternode, so where does the unfolding/translating of the Coinomi seed take place if it contains several blockchain seeds/keys?
legendary
Activity: 2758
Merit: 6830
February 09, 2018, 05:11:29 PM
#40
are the Coinomi phrases stored on their server?
No. Your private-keys are generated based on your seed - which only you have. Nothing is ever sent to a server.

Quote
A deterministic wallet is a system of deriving keys from a single starting point known as a seed. The seed allows a user to easily back up and restore a wallet without needing any other information and can in some cases allow the creation of public addresses without the knowledge of the private key.
More: Coinomi is a Hierarchical Deterministic (HD) wallet. What exactly does that mean?
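Added example (not part of any post in this thread, and not Coinomi's code): how a single mnemonic deterministically yields a separate account key per coin, which is why the same phrase restores the same BTC, ETH and DOGE wallets in different apps. It assumes the BIP39 seed function, BIP32 hardened derivation and BIP44-style paths `m/44'/coin'/0'` with SLIP-0044 coin numbers; the thread itself only names BIP0032, and the mnemonic is the public BIP39 test phrase.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP32 child private keys are reduced modulo this.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# SLIP-0044 coin types (assumption: the wallet follows BIP44 paths).
COIN_TYPES = {"BTC": 0, "LTC": 2, "DOGE": 3, "ETH": 60}

# Public BIP39 test mnemonic. Never store funds on it.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: stretch the phrase into a 64-byte seed, entirely on the device."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, 64)


def master_key(seed: bytes):
    """BIP32: master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(k_par: int, c_par: bytes, index: int):
    """BIP32 hardened private derivation; needs only HMAC, no curve arithmetic."""
    data = (b"\x00" + k_par.to_bytes(32, "big")
            + (index | HARDENED).to_bytes(4, "big"))
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    k_child = (il + k_par) % N
    if il >= N or k_child == 0:
        raise ValueError("invalid child key, use the next index")
    return k_child, digest[32:]


def account_keys(mnemonic: str, coins=COIN_TYPES) -> dict:
    """Return {coin: hex account private key} for m/44'/coin'/0'."""
    k, c = master_key(mnemonic_to_seed(mnemonic))
    k, c = hardened_child(k, c, 44)          # purpose 44'
    result = {}
    for name, coin_type in coins.items():
        ck, cc = hardened_child(k, c, coin_type)   # coin'
        ak, _ = hardened_child(ck, cc, 0)          # account 0'
        result[name] = ak.to_bytes(32, "big").hex()
    return result


if __name__ == "__main__":
    for coin, key in account_keys(TEST_MNEMONIC).items():
        print(f"{coin:5s} m/44'/{COIN_TYPES[coin]}'/0'  {key[:16]}...")
```

Nothing in this derivation touches the network or a blockchain: the phrase is the only input, so anyone who holds it can regenerate every coin's keys.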
hero member
Activity: 766
Merit: 501
February 09, 2018, 04:12:40 PM
#39
The Coinomi Phrase (the wallet private key) holds all your private keys from your used coins in the Coinomi wallet.

Normally a phrase or private key is stored in the blockchain of the coin in question. So far as I know, Coinomi does not have its own blockchain, so are the Coinomi phrases stored on their server?

Can anybody fill me in?

Coinomi is a light-weight wallet so doesn't need to download the whole blockchain.
Your private key is not stored on their server. Your private keys never leave your device actually.
full member
Activity: 350
Merit: 100
February 08, 2018, 05:47:48 PM
#38
The Coinomi Phrase (the wallet private key) holds all your private keys from your used coins in the Coinomi wallet.

Normally a phrase or private key is stored in the blockchain of the coin in question. So far as I know, Coinomi does not have its own blockchain, so are the Coinomi phrases stored on their server?

Can anybody fill me in?
jr. member
Activity: 61
Merit: 6
February 02, 2018, 06:18:52 AM
#37
Sooooo, as for February 2nd, what's the security status of Coinomi?
Can someone with better technical knowledge add sth. to this topic?
legendary
Activity: 2758
Merit: 6830
December 27, 2017, 11:21:29 PM
#36
Yes I would also like to know if there have been any recent developments on this situation.
Looks like they fixed it. However they never admitted that this was an issue, so there was no official statement.

Quote from: /u/udyslexiccoder
Coinomi pushed an update to the Google Play Store on 4th October (v1.7.7) which appears to now be using SSL.
https://www.reddit.com/r/litecoin/comments/74ay4r/can_anyone_confirm_this_re_the_coinomi_ssl_issue/do0g5tf/

That's all Coinomi has said about the issue:
Quote from: /u/Coinomi
As we previously stated, we put Coinomi to the test and found that connections to the back-end servers are secured with SSL. There isn't any address leakage anywhere in our app. Thanks.
https://www.reddit.com/r/litecoin/comments/74ay4r/can_anyone_confirm_this_re_the_coinomi_ssl_issue/dnyre14/
hero member
Activity: 1050
Merit: 529
December 27, 2017, 10:27:36 PM
#35
Was this ever resolved ?
Yes I would also like to know if there have been any recent developments on this situation.
full member
Activity: 238
Merit: 100
December 14, 2017, 10:05:34 AM
#34
Oh, good that you made us aware, thanks for that. I was about to set up a wallet, but won't go this route now. Also I don't like this unprofessional behavior, they should rather be thankful to this developer because he made them aware of a security risk. I don't understand some people.
full member
Activity: 406
Merit: 109
December 14, 2017, 09:56:11 AM
#33
Was this ever resolved ?

just heard about coinomi and was wanting to try it out.
legendary
Activity: 2758
Merit: 6830
October 08, 2017, 11:50:41 AM
#32
As I understood right, the issue is fixed now, isn't it or should we move our coins away from old addresses?
I don't think so. Doesn't look like Coinomi thinks this is a security issue - just like what happened with Jaxx a few months ago. They even changed the title of the issue from Security Vulnerability: Coinomi transmits all data in plain text to Coinomi transmits all data in plain text.

We never lied, there isn't any security implication associated with your findings. And we haven't ignored you so please stop making this personal. Unless you have something constructive to add to this, this thread will be locked.

If you feel uncomfortable with the way Coinomi inquires the blockchains you may as well use a VPN service (there are several good solutions for Android) until SSL is included in a feature releases.
hero member
Activity: 909
Merit: 508
October 07, 2017, 03:54:54 PM
#31
As I understood right, the issue is fixed now, isn't it or should we move our coins away from old addresses?
sr. member
Activity: 2618
Merit: 439
October 07, 2017, 11:58:24 AM
#30
We are going to make an official announcement as to what really happened here once our investigation is through, thank you.

Ok fair enough. You should make it official so that all these questions about the vulnerability of your wallet could be addressed. It's been what, more than 2 weeks now since the report has been reported and we haven't seen any reply from you guys. You can't just go here and post:

We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I like Coinomi. But don't let this issue ruin your reputation. At least an official statement will be enough for your users and potential users. So the feeling of doubt about your services can be cleared.
Agreed. Until the issue is fixed and has been confirmed by other users I will still not be getting your wallet. A lot has been discussed about the issue not only here but in the Twitter sphere and Reddit. An official statement coming from you guys will quell all fears about your wallet. And please inform as well the individual who found the vulnerability and let him do another testing run so that there's no doubt that the issue is fixed already.
legendary
Activity: 3080
Merit: 1353
October 07, 2017, 11:51:14 AM
#29
We are going to make an official announcement as to what really happened here once our investigation is through, thank you.

Ok fair enough. You should make it official so that all these questions about the vulnerability of your wallet could be addressed. It's been what, more than 2 weeks now since the report has been reported and we haven't seen any reply from you guys. You can't just go here and post:

We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I like Coinomi. But don't let this issue ruin your reputation. At least an official statement will be enough for your users and potential users. So the feeling of doubt about your services can be cleared.
newbie
Activity: 52
Merit: 0
October 07, 2017, 11:42:46 AM
#28
We are going to make an official announcement as to what really happened here once our investigation is through, thank you.
full member
Activity: 392
Merit: 102
October 05, 2017, 06:26:35 PM
#27
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I don't know if this is an official response, but if it is... great that you've updated to SSL.  However, this has moved way beyond the SSL issue and is more about the response to the potential security issue.  You probably should huddle up as a leadership team and figure out how to recover the disaster your social team created.
newbie
Activity: 52
Merit: 0
October 05, 2017, 04:32:50 PM
#26
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.
hero member
Activity: 2912
Merit: 556
October 01, 2017, 04:17:16 AM
#25
I hope the dev will fix the problem so we can still use the wallet. It's too bad to hear this news because I save my coins in Coinomi, and thank you for giving this info. I am thinking of moving my coins into another wallet if there is not any update from the dev. But I realize there is no guarantee that any wallet will be 100% secure.
full member
Activity: 504
Merit: 107
A non technical guy in a technical world
September 30, 2017, 10:05:31 PM
#24
Well this is not good news. I hope they get it fixed. Coinomi is where my first wallets am from, still have them too
legendary
Activity: 966
Merit: 1042
September 30, 2017, 10:02:43 PM
#23
Quote
"This has privacy issues, meaning I can view all of your addresses and see how many coins you have, which addresses you're sending them to and which addresses you received them from.

It could also potentially open you up to a replay attack. e.g I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."

Woah that just blew my mind. I had no idea man-in-the-middle attacks could even happen with bitcoin transactions! Holy crap this is like getting DDOSed right at the wrong moment to screw you over and steal your bitcoins.
sr. member
Activity: 868
Merit: 259
September 30, 2017, 09:50:46 PM
#22
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.

No they are putting the Jaxx hack out of context. It could be the person who reported it transferred his own funds to another wallet and claimed he has hacked. In fact the report was questionable because it was made right after the discovery that your Jaxx seeds could be extracted in plain text.

The private keys are not stored in their servers. Please read up on it before you post. It's easy.
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
September 30, 2017, 05:49:26 PM
#21
Oh, that's very unprofessional PR. But as I understand, this is only a privacy issue and our coins are safe, because only Bitcoin addresses, not private keys, are broadcast over the network. But it must be fixed.
Coinomi was my favourite wallet for Android, because they support many coins, not like Jaxx or Exodus. I hope this privacy issue will be fixed, because I don't see any good alternatives for Coinomi.
legendary
Activity: 2758
Merit: 6830
September 30, 2017, 10:59:52 AM
#20
Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.
Don't. Exodus is equally prone to all those vulnerable hacks and certainly doesn't belong in the category of 'Safe Wallets'.
Why? AFAIK Jaxx's only major issue was the possibility of extraction of the seed that was stored decrypted. But keep in mind that even if that's a major issue, this can only be explored if someone got access to your phone and can break through your lock screen. While Coinomi will transmit all your Bitcoin addresses - not private keys or any critical information that may expose your coins to hackers - without any SSL.

While Exodus is still kinda safe. Any wallet may be "unsafe" if you're not careful with your OS. Even while using Electrum, you may lose your coins if you have malware on your computer.
hero member
Activity: 1372
Merit: 647
September 30, 2017, 10:45:22 AM
#19
Oh I missed this news. Fortunately, the one on reddit is still there because the page on github have been taken down already. I've been using coinomi wallet for months now, tbh I used it yesterday for few transactions.

I visited their twitter page and saw that they will be giving their official statement about the issue in few days [LINK]. I'll wait for that statement first, I hope we could see it soon. Bad move of blocking that person though.
legendary
Activity: 1750
Merit: 1115
September 30, 2017, 01:04:03 AM
#18
You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
I would not recommend a desktop wallet built on Electron to anyone. If you know how Electron works, their source code is installed on the desktop since it doesn't make any native apps and only runs an instance of a Chrome browser on a Windows PC. Code security is none, I don't even know how people trust such apps with their private keys.

Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.
Don't. Exodus is equally prone to all those vulnerable hacks and certainly doesn't belong in the category of 'Safe Wallets'.
full member
Activity: 250
Merit: 106
September 30, 2017, 12:47:07 AM
#17
What is so bad about the way addresses are shown? As long as they don't publish the keys ....
hero member
Activity: 1050
Merit: 529
September 29, 2017, 11:02:51 PM
#16
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.
sr. member
Activity: 2618
Merit: 439
September 29, 2017, 10:55:30 PM
#15
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.

I would rather wait for the vulnerability to get fixed by Coinomi instead of going to Jaxx, which has a history of hacks. Of course there is the ever reliable Electrum; however, it only supports Bitcoin.

Thank you for this information, in fact I have never used a coinomi wallet, this information will be very helpful for those who use the coinomi wallet. I hope this problem can be resolved quickly so as not to harm the person who has trusted and used the coinomi wallet. Watch Out!

Yes, I have a Coinomi wallet and I'm pretty disappointed with the way they handle the issues. Although I only hold small amounts of altcoins in my wallet, this is still a scary one, seeing your address transmitted in plain text across the network.
legendary
Activity: 3486
Merit: 1055
September 29, 2017, 04:36:30 PM
#14
Thank you for this information, in fact I have never used a coinomi wallet, this information will be very helpful for those who use the coinomi wallet. I hope this problem can be resolved quickly so as not to harm the person who has trusted and used the coinomi wallet. Watch Out!
sr. member
Activity: 462
Merit: 254
September 29, 2017, 03:03:34 PM
#13
If we want to stay mobile, the best would it be then, to generate mind or paper wallets. We could maybe use coinomi only for transfers. Would that be a solution?
staff
Activity: 3500
Merit: 6152
September 29, 2017, 12:08:35 PM
#12
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.
sr. member
Activity: 868
Merit: 259
September 28, 2017, 10:50:37 PM
#11
This does not look good. This is the mobile wallet I use and this is what I recommend that everyone use. I know that there will always be vulnerabilities in any software but its the handling of the situation that had me peeved. I hope they fix it and behave more professionally next time.
hero member
Activity: 1050
Merit: 529
September 28, 2017, 10:27:33 PM
#10
Ouch, I just installed Coinomi a few days ago and using it now.
Yeah same here. It seemed like the best mobile wallet to store altcoins.
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).
Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.
sr. member
Activity: 2828
Merit: 357
September 28, 2017, 06:40:35 PM
#9
Ouch, I just installed Coinomi a few days ago and using it now. Thank you for notifying the community. Will move my coins now to a more secured wallet. I hope they treat this as priority otherwise it will ruin their reputation and the way they handled that guy is very unprofessional. As per twitter:

Quote
We have hundreds of thousands of users reaching out to us, we are unable to respond to every single request right away, esp complex issues
But at least give it a priority otherwise they will lose potential customers.
legendary
Activity: 3080
Merit: 1353
September 28, 2017, 06:34:13 PM
#8
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).

Hey thanks for the heads up. I'm thinking of using Coinomi but this issue should be fixed first. I'll just stick with Electrum for the meantime. This guy has a valid point and calling him a FUD'ster and shill is inappropriate. He is helping the community not the other way around.

Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.

For the sake of those members who have reading problems.

1. The guy monitored all network traffic while opening the Coinomi app on his phone.
2. He did a search on the captured packets.
3. It ended matching a packet, which when decoded.
4. Is an Electrum communication happening in plain text.
5. Following the full TCP stream from start to finish shows the following decoded messages being sent in plain text
6. Basically opening the Coinomi app is broadcasting all Bitcoin addresses in plain text over the network.
7. Meaning none of which are using SSL.

So definitely there are vulnerabilities in their wallet and they should be fixed ASAP.
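Added example (not part of any post in this thread, and not taken from the GitHub issue): a check you can run over a TCP stream reassembled from a capture of your own wallet's traffic, to tell whether it opens with a TLS handshake or carries newline-delimited Electrum JSON-RPC in the clear, and which addresses a passive observer would see. The sample streams and placeholder addresses are constructed; the method names are those of the 2017-era Electrum protocol.

```python
import json

# Electrum-protocol methods whose first parameter is a wallet address.
ADDRESS_METHODS = {
    "blockchain.address.subscribe",
    "blockchain.address.get_history",
    "blockchain.address.get_balance",
    "blockchain.address.listunspent",
}


def looks_like_tls(stream: bytes) -> bool:
    """True if the stream starts with a TLS handshake record (0x16, version 3.x)."""
    return len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03


def audit_stream(stream: bytes) -> dict:
    """Classify one client-to-server TCP stream and list what it exposes."""
    if looks_like_tls(stream):
        return {"transport": "tls", "methods": [], "addresses": []}

    methods, addresses = [], []
    for raw in stream.split(b"\n"):       # Electrum frames are one JSON object per line
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw.decode("utf-8"))
        except ValueError:                # binary data or a line cut off by the capture
            continue
        if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
            continue
        methods.append(msg["method"])
        params = msg.get("params")
        if (msg["method"] in ADDRESS_METHODS and isinstance(params, list)
                and params and isinstance(params[0], str)):
            addresses.append(params[0])

    return {
        "transport": "cleartext-electrum" if methods else "unknown",
        "methods": list(dict.fromkeys(methods)),       # de-duplicate, keep order
        "addresses": list(dict.fromkeys(addresses)),
    }


# Constructed sample: what an unencrypted session looks like on the wire.
CLEARTEXT_SAMPLE = (
    b'{"id": 0, "method": "server.version", "params": ["sample-client", "0.10"]}\n'
    b'{"id": 1, "method": "blockchain.address.subscribe", "params": ["1PlaceholderAddrOne"]}\n'
    b'{"id": 2, "method": "blockchain.address.get_history", "params": ["1PlaceholderAddrOne"]}\n'
    b'{"id": 3, "method": "blockchain.address.subscribe", "params": ["1PlaceholderAddrTwo"]}\n'
    b'{"id": 4, "method": "blockchain.addr'            # truncated by the capture
)

# Constructed sample: first bytes of a TLS ClientHello record.
TLS_SAMPLE = bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32


if __name__ == "__main__":
    for name, sample in (("cleartext", CLEARTEXT_SAMPLE), ("tls", TLS_SAMPLE)):
        report = audit_stream(sample)
        print(name, "->", report["transport"], report["addresses"])
```

A result of `cleartext-electrum` with a non-empty address list is the condition described in the issue; after a fix, the same capture should classify as `tls`.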
full member
Activity: 392
Merit: 102
September 28, 2017, 05:52:05 PM
#7
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).

Thank you for the heads up... and really thank you for posting in a rational manner.  You posted a link, summarized it, and let us decide whether or not we should take action.  Refreshing change of pace from the FUD posts we get, "ZOMG!  Wallet hacked!!!1 All your BTC scammed!11!!"
legendary
Activity: 1750
Merit: 1115
September 28, 2017, 03:54:45 PM
#6
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).
Thanks for sharing it around. I went through the issue raised on their GH page and it seems quite relevant. Even their official contributor isn't sure if they are using SSL. However, I don't think that issue is likely to broadcast your private keys over the network. From the first couple of comments only the public addresses are being broadcast. Let's see how this turns out.

Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
You have to read the issue from the day it was raised, don't just read the comments. Also check the issues that were referenced in that thread.
legendary
Activity: 2758
Merit: 6830
September 28, 2017, 03:42:30 PM
#5
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
Read the issue posted on GitHub.

"Connecting to these servers shows they are unencrypted without SSL... Does this mean your Android app is making all Electrum requests in plain text?"

"[...] So basically opening the Coinomi app is broadcasting all of my Bitcoin addresses in plain text over the network."

And from this reddit post[1]:

Quote
"This has privacy issues, meaning I can view all of your addresses and see how many coins you have, which addresses you're sending them to and which addresses you received them from.

It could also potentially open you up to a replay attack. e.g I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."

[1] https://www.reddit.com/r/Bitcoin/comments/72lmql/security_warning_coinomi_wallet_transmits_all/
sr. member
Activity: 302
Merit: 250
September 28, 2017, 03:11:35 PM
#4
Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.
legendary
Activity: 1372
Merit: 1005
September 28, 2017, 01:25:06 PM
#3
They handled the situation very badly by ignoring the issue for days and acting like a child on Twitter, but the good news is that they plan to fix those issues (in case you still want to use Coinomi):

Quote
Hey all,

We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.

Keep an eye on the ElectrumX repo for a pull request.

Sorry that it took so long to fix.
Source: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332519079

Guys, are you sure about the issue? I have a friend who has been using this wallet for some time. I feel fear about this now. Let me make the thread information clear to him now.
If the issue has been fixed then we can use it, else it would not be good, like bit.ac
legendary
Activity: 2758
Merit: 6830
September 28, 2017, 01:09:32 PM
#2
They handled the situation very badly by ignoring the issue for days and acting like a child on Twitter, but the good news is that they plan to fix those issues (in case you still want to use Coinomi):

Quote
Hey all,

We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.

Keep an eye on the ElectrumX repo for a pull request.

Sorry that it took so long to fix.
Source: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332519079
staff
Activity: 3500
Merit: 6152
September 28, 2017, 12:49:39 PM
#1
This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advise everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this gets fixed (if they ever do it).