[Warning] About Coinomi | Bitcointalksearch.org

angelitto74

newbie

Activity: 10

Merit: 2

Quote from: Zocadas on August 16, 2018, 04:50:17 PM

Quote from: jvdp on August 16, 2018, 01:55:23 PM

Quote from: OmegaStarScream on August 14, 2018, 03:06:45 PM

Quote from: Robert12365 on August 14, 2018, 11:55:26 AM

My coinomi wallet has anything coin however not recieving and saying no connection and not showing up on the blockchain .are these coins actuly in my wallet .and verify keeps going up like it still getting spproved ..Mmmmm

If you don't see the funds in your wallet after checking your address in a blockexplorer, then you don't have the funds. If you do, It could be a display issue.

Alternatively, I suggest getting in touch with the community/dev team in Reddit or Telegram, can be found on their site (footer): https://www.coinomi.com/

Bro almost 10 months and more up so far after you opened this thread! Still is that not confirmed from the dev team of Coinomi, they should check and rectify the bug on their wallet or site right?

Can you check and confirm once again. I have their application on my phone and so far I did not find any issues with the wallet about usages.

I also can't find any bugs (even on my second phone with old androin 4.4). Nothing disappeared, except the Ethereum tokens. Baught some within the Coinomi App (not the built in exchangers), but I forget about them, so that I can't find them. But also therefore exists a solution. Export Ethereum wallet to MEW and the tokens should be visable.

This is an old dBase issue (funds were not affected of course) which is now fixed. All tokens are addable from either +Tokens list (if they're natively listed in the wallet) or the search function in the same page if they are not.

Also note that you don't have to expose your ETH key to mew, as the seed is cross-importable (coinomi to mew, mew to coinomi).

Angelos from Coinomi

OmegaStarScream

staff

Activity: 3500

Merit: 6152

I'm not related to the team, I only made this thread as a warning. I suggest using their Telegram and asking them yourselves.

Zocadas

hero member

Activity: 909

Merit: 508

Quote from: jvdp on August 16, 2018, 01:55:23 PM

Quote from: OmegaStarScream on August 14, 2018, 03:06:45 PM

Quote from: Robert12365 on August 14, 2018, 11:55:26 AM

My coinomi wallet has anything coin however not recieving and saying no connection and not showing up on the blockchain .are these coins actuly in my wallet .and verify keeps going up like it still getting spproved ..Mmmmm

If you don't see the funds in your wallet after checking your address in a blockexplorer, then you don't have the funds. If you do, It could be a display issue.

Alternatively, I suggest getting in touch with the community/dev team in Reddit or Telegram, can be found on their site (footer): https://www.coinomi.com/

Bro almost 10 months and more up so far after you opened this thread! Still is that not confirmed from the dev team of Coinomi, they should check and rectify the bug on their wallet or site right?

Can you check and confirm once again. I have their application on my phone and so far I did not find any issues with the wallet about usages.

I also can't find any bugs (even on my second phone with old androin 4.4). Nothing disappeared, except the Ethereum tokens. Baught some within the Coinomi App (not the built in exchangers), but I forget about them, so that I can't find them. But also therefore exists a solution. Export Ethereum wallet to MEW and the tokens should be visable.

jvdp

hero member

Activity: 1148

Merit: 523

CryptoTalk.Org - Get Paid for every Post!

Quote from: OmegaStarScream on August 14, 2018, 03:06:45 PM

Quote from: Robert12365 on August 14, 2018, 11:55:26 AM

My coinomi wallet has anything coin however not recieving and saying no connection and not showing up on the blockchain .are these coins actuly in my wallet .and verify keeps going up like it still getting spproved ..Mmmmm

If you don't see the funds in your wallet after checking your address in a blockexplorer, then you don't have the funds. If you do, It could be a display issue.

Alternatively, I suggest getting in touch with the community/dev team in Reddit or Telegram, can be found on their site (footer): https://www.coinomi.com/

Bro almost 10 months and more up so far after you opened this thread! Still is that not confirmed from the dev team of Coinomi, they should check and rectify the bug on their wallet or site right?

Can you check and confirm once again. I have their application on my phone and so far I did not find any issues with the wallet about usages.

OmegaStarScream

staff

Activity: 3500

Merit: 6152

Quote from: Robert12365 on August 14, 2018, 11:55:26 AM

My coinomi wallet has anything coin however not recieving and saying no connection and not showing up on the blockchain .are these coins actuly in my wallet .and verify keeps going up like it still getting spproved ..Mmmmm

If you don't see the funds in your wallet after checking your address in a blockexplorer, then you don't have the funds. If you do, It could be a display issue.

Alternatively, I suggest getting in touch with the community/dev team in Reddit or Telegram, can be found on their site (footer): https://www.coinomi.com/

Robert12365

newbie

Activity: 6

Merit: 0

My coinomi wallet has anything coin however not recieving and saying no connection and not showing up on the blockchain .are these coins actuly in my wallet .and verify keeps going up like it still getting spproved ..Mmmmm

OmegaStarScream

staff

Activity: 3500

Merit: 6152

Quote from: CryptoRich82 on March 05, 2018, 02:18:20 PM

@Coinomi DEVS Do you have an ETA for Callisto airdrop release? I use yobit too and already have my CLO.

This is not the ANN thread. I suggest checking Twitter for announcements or their Telegram, the CEO is pretty active there.

CryptoRich82

newbie

Activity: 16

Merit: 5

@Coinomi DEVS Do you have an ETA for Callisto airdrop release? I use yobit too and already have my CLO.

OmegaStarScream

staff

Activity: 3500

Merit: 6152

Quote from: Connemara on February 13, 2018, 04:05:24 AM

Did you export private keys via Coinomi menu? It redirects to webpage... Is it safe or should I use air-gapped machine then?

It's an open source project and you can run it locally in your PC without internet connection If you want to but since the website is forked and hosted by Coinomi, I see no reason on why you should use air gapped machine for that because If you're afraid of Coinomi, then the wallet itself is not open source, they could've stolen your funds already If they wanted to and the same thing applies to a hacker who have access to your phone through a malware.

maeusi

sr. member

Activity: 462

Merit: 254

I went through the steps, posted by coinomi.
https://coinomi.freshdesk.com/support/solutions/articles/29000009717-what-is-the-recovery-tool-and-how-do-i-export-my-private-keys-
As I remeber right I used airplain mode, because the mnemonic converter also works offline.

Connemara

jr. member

Activity: 61

Merit: 6

Quote from: maeusi on February 12, 2018, 10:57:31 PM

Good question. I was also wondering abour the seeds of the different coins. But seperate private keys of every coin can can be exported. I did that for example with ETH to import to myetherwallet.

Did you export private keys via Coinomi menu? It redirects to webpage... Is it safe or should I use air-gapped machine then?

Avirunes

legendary

Activity: 3094

Merit: 1469

Quote from: Dopert on February 12, 2018, 09:42:36 AM

Thank you so far. I almost got it. But the Coinomi seed is not particulair of 1 (coin) blockchain. Bip0032 says that the seed is translated trough the masternode.

Is the seed (phrase) of Coinomi a bundel of seeds of diffrent coins you are holding in your wallet? I mean Coinomi has no masterode, so where does the unfoulding/translating of the Coinomi seed take place if it contain several blockchain seeds/keys Huh

I once imported my hardware wallet mnemonic phrase into coinomi wallet and it showed me the same BTC address as it was showing in hardware wallet app, same ethereum wallet as in app and same for doge addy as well.

From what I understand is that it loads wallet according to mnemonic phrase and does not contains any separate keys/seeds for each altcoin wallet. Its only that one mnemonic phrase.

maeusi

sr. member

Activity: 462

Merit: 254

Quote from: Dopert on February 12, 2018, 09:42:36 AM

Thank you so far. I almost got it. But the Coinomi seed is not particulair of 1 (coin) blockchain. Bip0032 says that the seed is translated trough the masternode.

Is the seed (phrase) of Coinomi a bundel of seeds of diffrent coins you are holding in your wallet? I mean Coinomi has no masterode, so where does the unfoulding/translating of the Coinomi seed take place if it contain several blockchain seeds/keys Huh

Good question. I was also wondering about the seeds of the different coins. But seperate private keys of every coin can be exported. I did that for example with ETH to import to myetherwallet.

Dopert

full member

Activity: 350

Merit: 100

Thank you so far. I almost got it. But the Coinomi seed is not particulair of 1 (coin) blockchain. Bip0032 says that the seed is translated trough the masternode.

Is the seed (phrase) of Coinomi a bundel of seeds of diffrent coins you are holding in your wallet? I mean Coinomi has no masterode, so where does the unfoulding/translating of the Coinomi seed take place if it contain several blockchain seeds/keys Huh

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: Dopert on February 08, 2018, 06:47:48 PM

are the Coinomi phrases stored on thier server?

No. Your private-keys are generated based on your seed - which only you have. Nothing is ever sent to a server.

Quote

A deterministic wallet is a system of deriving keys from a single starting point known as a seed. The seed allows a user to easily back up and restore a wallet without needing any other information and can in some cases allow the creation of public addresses without the knowledge of the private key.

More: Coinomi is a Hierarchical Deterministic (HD) wallet. What excactly does that mean?

gamerfan

hero member

Activity: 766

Merit: 501

BUY BITCOIN WITH PAYPAL AND CREDIT CARDS

Quote from: Dopert on February 08, 2018, 06:47:48 PM

The Coinomi Phrase (the wallet private key) holds all your private keys from your used coins in the Coinomi wallet.

Normally a phrase or private key is stored in the blockchain of the coin in question. Sofar i know Coinomi has not his own blockchain, so are the Coinomi phrases stored on thier server?

Can anybody fill me in Huh

Coinomi is a light-weight wallet so doesn't need to download the whole blockchain.
Your private key is not stored on their server. Your private keys never leave your device actually.

Dopert

full member

Activity: 350

Merit: 100

The Coinomi Phrase (the wallet private key) holds all your private keys from your used coins in the Coinomi wallet.

Normally a phrase or private key is stored in the blockchain of the coin in question. Sofar i know Coinomi has not his own blockchain, so are the Coinomi phrases stored on thier server?

Can anybody fill me in Huh

Connemara

jr. member

Activity: 61

Merit: 6

Sooooo, as for February 2nd, what's the security status of Coinomi?
Can someone with a better technical knowledge can add sth. to this topic?

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: jtipt on December 27, 2017, 11:27:36 PM

Yes I would also like to know if there have been any recent developments on this situation.

Looks like they fixed it. However they never admitted that this was an issue, so there was no official statement.

Quote from: /u/udyslexiccoder

Coinomi pushed an update to the Google Play Store on 4th October (v1.7.7) which appears to now be using SSL.

https://www.reddit.com/r/litecoin/comments/74ay4r/can_anyone_confirm_this_re_the_coinomi_ssl_issue/do0g5tf/

That's all Coinomi has said about the issue:

Quote from: /u/Coinomi

As we previously stated, we put Coinomi to the test and found that connections to the back-end servers are secured with SSL. There isn't any address leakage anywhere in our app. Thanks.

https://www.reddit.com/r/litecoin/comments/74ay4r/can_anyone_confirm_this_re_the_coinomi_ssl_issue/dnyre14/

jtipt

hero member

Activity: 1050

Merit: 529

Quote from: TraderInc on December 14, 2017, 10:56:11 AM

Was this ever resolved ?

Yes I would also like to know if there have been any recent developments on this situation.

bribed

full member

Activity: 238

Merit: 100

Oh, good that you made us aware, thanks for that. I was about to set up a wallet, but wont go this route now. Also I dont like this unprofessional behavior, they should be rather thankful to this developer because he made them aware of a security risk. I dont understand some people.

TraderInc

full member

Activity: 406

Merit: 109

Was this ever resolved ?

just heard about coinomi and was wanting to try it out.

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: Zocadas on October 07, 2017, 04:54:54 PM

As I understood right, the issue is fixed now, isn't it or should we move our coins away from old addresses?

I don't think so. Doesn't look like Coinomi thinks this is a security issue - just like what happened with Jaxx a few months ago. They even changed the title of the issue from Security Vulnerability: Coinomi transmits all data in plain text to Coinomi transmits all data in plain text.

Quote from: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332805028

We never lied, there isn't any security implication associated with your findings. And we haven't ignored you so please stop making this personal. Unless you have something constructive to add to this, this thread will be locked.

Quote from: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332801855

If you feel uncomfortable with the way Coinomi inquires the blockchains you may as well use a VPN service (there are several good solutions for Android) until SSL is included in a feature releases.

Zocadas

hero member

Activity: 909

Merit: 508

As I understood right, the issue is fixed now, isn't it or should we move our coins away from old addresses?

peter0425

sr. member

Activity: 2618

Merit: 439

Quote from: Kemarit on October 07, 2017, 12:51:14 PM

Quote from: Coinomi on October 07, 2017, 12:42:46 PM

We are going to make an official announcement as to what really happened here once our investigation is through, thank you.

Ok fair enough. You should make it official so that all this questions about the vulnerability of your wallet could be address. Its been what more than 2 weeks now since the report has been reported and we haven't seen any reply from you guys. You can't just go here and post:

Quote from: Coinomi on October 05, 2017, 05:32:50 PM

We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I like Coinomi. But don't let this issue ruin your reputation. At least a official statement will be enough for your users and potential users. So the feeling of doubt about your services can be cleared.

Agreed. Until the issue is fix and has been confirmed by other users I will still not getting you wallet. A lot has been discussed about the issue not only here but it twitter sphere and reddit. A official statement coming from you guys will qualms all fears about your wallet. And please inform as well the individual who have found the vulnerability and let him do another testing run so that there's no doubt that the issues is fix already.

Kemarit

legendary

Activity: 3080

Merit: 1353

Quote from: Coinomi on October 07, 2017, 12:42:46 PM

We are going to make an official announcement as to what really happened here once our investigation is through, thank you.

Ok fair enough. You should make it official so that all this questions about the vulnerability of your wallet could be address. Its been what more than 2 weeks now since the report has been reported and we haven't seen any reply from you guys. You can't just go here and post:

Quote from: Coinomi on October 05, 2017, 05:32:50 PM

We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I like Coinomi. But don't let this issue ruin your reputation. At least a official statement will be enough for your users and potential users. So the feeling of doubt about your services can be cleared.

Coinomi

newbie

Activity: 52

Merit: 0

We are going to make an official announcement as to what really happened here once our investigation is through, thank you.

sylance

full member

Activity: 392

Merit: 102

Quote from: Coinomi on October 05, 2017, 05:32:50 PM

We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

I don't know if this is an official response, but if it is... great that you've updated to SSL. However, this has moved way beyond the SSL issue and is more about the response to the potential security issue. You probably should huddle up as a leadership team and figure out how to recover the disaster your social team created.

Coinomi

newbie

Activity: 52

Merit: 0

We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.

maydna

hero member

Activity: 2912

Merit: 556

Enterapp Pre-Sale Live - bit.ly/3UrMCWI

i hope the dev will fix the problem so we can still using the wallet. its too bad to hear this news because i save the coins into coinomi and thank you for giving this info. i am trying to thinking to move my coins into another wallet if there is not any update from the dev. but i realize there is no guarantee for every wallet that will be 100% secure.

HippiePyro

full member

Activity: 490

Merit: 107

A non technical guy in a technical world

Well this is not good news. I hope they get it fixed. Coinomi is where my first wallets am from, still have them too

cpfreeplz

legendary

Activity: 966

Merit: 1042

Quote from: TryNinja on September 28, 2017, 04:42:30 PM

Quote

"This has privacy issues, meaning I can view all of your addresses and see how many coins you have, which addresses you're sending them to and which addresses you received them from.

It could also potentially open you up to a replay attack. e.g I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."

Woah that just blew my mind. I had no idea man-in-the-middle attacks could even happen with bitcoin transactions! Holy crap this is like getting DDOSed right at the wrong moment to screw you over and steal your bitcoins.

pinkflower

sr. member

Activity: 868

Merit: 259

Quote from: OmegaStarScream on September 29, 2017, 01:08:35 PM

Quote from: jtipt on September 28, 2017, 11:27:33 PM

Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.

No they are putting the Jaxx hack out of context. It could be the person who reported it transferred his own funds to another wallet and claimed he has hacked. In fact the report was questionable because it was made right after the discovery that your Jaxx seeds could be extracted in plain text.

The private keys are not stored in their servers. Please read up on it before you post. Its easy.

LTU_btc

legendary

Activity: 3178

Merit: 1363

Slava Ukraini!

Oh, that's very unprofessional PR. But as I understand, this is only privacy issue and our coins are safe, because only bitcoin adresses, not private keys broadcasted over the network. But it must be fixed.
Coinomi was my favourite wallet for Android, because they support many coins, not like Jaxx or Exodus. I hope this privacy issue will be fixed, because I don't see any good alternatives for Coinomi.

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: Patatas on September 30, 2017, 02:04:03 AM

Quote from: jtipt on September 30, 2017, 12:02:51 AM

Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.

Don't.Exodus is equally prone to all those vulnerable hacks and certainly doesn't belong in the category of 'Safe Wallets'.

Why? AFAIK Jaxx only major issue was the possibility of extraction of the seed that was stored decrypted. But keep in mind that even if that's a major issue, this can only be explored if someone got access to your phone and can break through your lock screen. While Coinomi will transmit all your Bitcoin addresses - not private keys or any critical information that may expose your coins to hackers - without any SSL.

While Exodus is still kinda safe. Any wallet may be an "unsafe" if you're not careful with your OS. Even while using Electrum, you may lose your coins if you have a malware on your computer.

jhenfelipe

hero member

Activity: 1372

Merit: 647

Oh I missed this news. Fortunately, the one on reddit is still there because the page on github have been taken down already. I've been using coinomi wallet for months now, tbh I used it yesterday for few transactions.

I visited their twitter page and saw that they will be giving their official statement about the issue in few days [LINK]. I'll wait for that statement first, I hope we could see it soon. Bad move of blocking that person though.

Patatas

legendary

Activity: 1750

Merit: 1115

Providing AI/ChatGpt Services - PM!

Quote from: OmegaStarScream on September 29, 2017, 01:08:35 PM

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.

I would not recommend a Desktop wallet built on Electron to anyone.If you know how electron works,their source code is installed on the desktop since it doesn't make any native apps and only runs an instance of a chrome browser on a windows PC.Code security is none,I don't even know how people trust such apps wit their private keys.

Quote from: jtipt on September 30, 2017, 12:02:51 AM

Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.

Don't.Exodus is equally prone to all those vulnerable hacks and certainly doesn't belong in the category of 'Safe Wallets'.

Maum

full member

Activity: 250

Merit: 106

What is so bad on the way, addresses are shown? As long as they son't publish the keys ....

jtipt

hero member

Activity: 1050

Merit: 529

Quote from: OmegaStarScream on September 29, 2017, 01:08:35 PM

Quote from: jtipt on September 28, 2017, 11:27:33 PM

Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.

Nah I don't want to use Jaxx, have heard about it before no point of switching to a wallet already with a history of hacks. Would check out exodus. Thanks.

peter0425

sr. member

Activity: 2618

Merit: 439

Quote from: OmegaStarScream on September 29, 2017, 01:08:35 PM

Quote from: jtipt on September 28, 2017, 11:27:33 PM

Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.

I would rather wait for the vulnerability to get fix by Coinomi instead of going to Jaxx which has history of hacks. Of course there is the ever reliable Electrum however, it only supports bitcoin though.

Quote from: hahay on September 29, 2017, 05:36:30 PM

Thank you for this information, in fact I have never used a coinomi wallet, this information will be very helpful for those who use the coinomi wallet. I hope this problem can be resolved quickly so as not to harm the person who has trusted and used the coinomi wallet. Watch Out!

Yes, I have coinomi wallet and I'm pretty disappointed with the way they handle the issues. Although I only hold small amounts of altcoins in my wallet, but still this is a scary one seeing you address transmitted in plain text across the network.

hahay

legendary

Activity: 3486

Merit: 1055

Leading Crypto Sports Betting & Casino Platform

Thank you for this information, in fact I have never used a coinomi wallet, this information will be very helpful for those who use the coinomi wallet. I hope this problem can be resolved quickly so as not to harm the person who has trusted and used the coinomi wallet. Watch Out!

maeusi

sr. member

Activity: 462

Merit: 254

If we want to stay mobile, the best would it be then, to generate mind or paper wallets. We could maybe use coinomi only for transfers. Would that be a solution?

OmegaStarScream

staff

Activity: 3500

Merit: 6152

Quote from: jtipt on September 28, 2017, 11:27:33 PM

Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

You have Exodus which support multiple coins as well but they only work in Desktop for the moment and there is Jaxx which you probably heard of before but they also faced a hack in the past (I believe private keys are stored in their servers) but they support phones so It's up to you.

pinkflower

sr. member

Activity: 868

Merit: 259

This does not look good. This is the mobile wallet I use and this is what I recommend that everyone use. I know that there will always be vulnerabilities in any software but its the handling of the situation that had me peeved. I hope they fix it and behave more professionally next time.

jtipt

hero member

Activity: 1050

Merit: 529

Quote from: Reatim on September 28, 2017, 07:40:35 PM

Ouch, I just installed Coinomi a few days ago and using it now.

Yeah same here. It seemed like the best mobile wallet to store altcoins.

Quote from: OmegaStarScream on September 28, 2017, 01:49:39 PM

This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advice everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this get fixed (If they ever do it).

Have you found some reliable alternatives for it? Because I found Coinomi after searching a lot.

Reatim

sr. member

Activity: 2828

Merit: 357

Eloncoin.org - Mars, here we come!

Ouch, I just installed Coinomi a few days ago and using it now. Thank you for notifying the community. Will move my coins now to a more secured wallet. I hope they treat this as priority otherwise it will ruin their reputation and the way they handled that guy is very unprofessional. As per twitter:

Quote

We have hundreds of thousands of users reaching out to us, we are unable to respond to every single request right away, esp complex issues

But at least give it a priority otherwise they will lose potential customers.

Kemarit

legendary

Activity: 3080

Merit: 1353

Quote from: OmegaStarScream on September 28, 2017, 01:49:39 PM

This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advice everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this get fixed (If they ever do it).

Hey thanks for the heads up. I'm thinking of using Coinomi but this issue should be fix first. I'll just stick with Electrum for the meantime. This guy has a valid point and calling him FUD'ster and schill is inappropriate. He is helping the community not the other way around.

Quote from: Fidemoga on September 28, 2017, 04:11:35 PM

Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.

For the sake of those members you have reading problems.

1. The guy monitored all network traffic while opening the Coinomi app on his phone.
2. He did a search on the captured packets.
3. It ended matching a packet, which when decoded.
4. Is a electrum communication happening in plain text.
5. Following the full TCP stream from start to finish shows the following decoded messages being sent in plain text
6. Basically opening the Coinomi app is broadcasting all Bitcoin addresses in plain text over the network.
7. Meaning none of which are using SSL.

So definitely there are vulnerabilities in their wallet and should be fix ASAP.

sylance

full member

Activity: 392

Merit: 102

Quote from: OmegaStarScream on September 28, 2017, 01:49:39 PM

This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advice everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this get fixed (If they ever do it).

Thank you for the heads up... and really thank you for posting in a rational manner. You posted a link, summarized it, and let us decide whether or not we should take action. Refreshing change of pace from the FUD posts we get, "ZOMG! Wallet hacked!!!1 All your BTC scammed!11!!"

Patatas

legendary

Activity: 1750

Merit: 1115

Providing AI/ChatGpt Services - PM!

Quote from: OmegaStarScream on September 28, 2017, 01:49:39 PM

This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advice everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this get fixed (If they ever do it).

Thanks for sharing it around.I went through the issue raised on their GH page and it seems quite relevant.Even their official contributor isn't sure if they are using an SSL.However,I don't think that issue is likely to broadcast your private keys over the network.From the first couple of comments only the public addresses are being broadcasted.Let's see how this turns out.

Quote from: Fidemoga on September 28, 2017, 04:11:35 PM

Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.

You have to read the issue from the day it was raised,don't just read the comments.Also check the issues those were referenced in that thread.

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: Fidemoga on September 28, 2017, 04:11:35 PM

Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.

Read the issue posted on GitHub.

"Connecting to these servers shows they are unencrypted without SSL... Does this mean your Android app is making all Electrum requests in plain text?"

"[...] So basically opening the Coinomi app is broadcasting all of my Bitcoin addresses in plain text over the network."

And from this reddit post[1]:

Quote

"This has privacy issues, meaning I can view all of your addresses and see how many coins you have, which addresses you're sending them to and which addresses you received them from.

It could also potentially open you up to a replay attack. e.g I ask you to pay me 1 BTC. I run a man in the middle attack meaning all your requests go through a computer I control before getting to Coinomi (this is possible because they aren't using SSL). I can then choose to stop the payment getting through. I say, I didn't get the payment. You can verify on the blockchain and in your client that the payment really hasn't gone through. You send it again and I receive the payment. Then at a later date I can re-send the original payment I captured which is still a valid transaction and I will receive another payment of 1BTC."

[1] https://www.reddit.com/r/Bitcoin/comments/72lmql/security_warning_coinomi_wallet_transmits_all/

Fidemoga

sr. member

Activity: 302

Merit: 250

Sorry, but don't understand, what's the issue. Are seeds or private keys of all addresses published? Only see responses, not the issue itself.

xIIImaL

legendary

Activity: 1372

Merit: 1005

Quote from: TryNinja on September 28, 2017, 02:09:32 PM

They handled the situation very badly by ignoring the issue for days and acting like a child at twitter, but the good news is that they plan to fix those issues (incase you still want to use Coinomi);

Quote

Hey all,

We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.

Keep an eye on the ElectrumX repo for a pull request.

Sorry that it took so long to fix.

Source: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332519079

Guys are you sure about the issue. I have a friend who is being used this wallet for sometime. I feel fear about this now. Let me clear about thread information to him now.
If the issues has been fixed and we can use it else it would not be good like bit.ac

TryNinja

legendary

Activity: 2758

Merit: 6830

They handled the situation very badly by ignoring the issue for days and acting like a child at twitter, but the good news is that they plan to fix those issues (incase you still want to use Coinomi);

Quote

Hey all,

We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.

Keep an eye on the ElectrumX repo for a pull request.

Sorry that it took so long to fix.

Source: https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332519079

OmegaStarScream

staff

Activity: 3500

Merit: 6152

This is a heads up for those who don't browse Reddit frequently and are not aware of the current situation: https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/
The developer who found the exploit was accused of spreading FUD by Coinomi and they also blocked him from Twitter even though he posted this almost two weeks ago: https://github.com/Coinomi/coinomi-android/issues/213 I would advice everyone to stop using their wallet for the meantime, I'm sure you could find better alternatives until this get fixed (If they ever do it).

Topic: [Warning] About Coinomi (Read 2137 times)