Topic: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings - page 2. (Read 2103 times)

legendary
Activity: 3500
Merit: 6981
But in this case the likelihood of this particular loss being a common or garden PC hijack is infinitely higher than what is OP claiming.
I've been reading this thread in horror, and my understanding is that it's not clear exactly how OP lost his coins.  You seem to be saying it was an attack on his PC rather than some insider at Google, right?  And here I have to profess severe ignorance as to technical matters, but are you saying that even software wallets like Electrum aren't secure on PCs?

And yeah, I agree with the other folks who are recommending hardware wallets, which would have been an infinitely better choice for storing altcoins than Coinomi--but bringing that up doesn't help OP in any way and I'm sure he knows it now.  This really sucks for him, and even though the hack happened a while back it's got to still sting.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
Whether it was a man-in-the-middle attack (stealing the plain text info that was transmitted) or someone at Google I dunno, but sending such critical info as passwords or seed words in plain text, no matter how you don't want to see it, is a critical security flaw and the fault is on the developer, not the user, just like with the non-activated SSL connection on their Android wallet (if I recall right).

Agreed. But in this case the likelihood of this particular loss being a common or garden PC hijack is infinitely higher than what is OP claiming.

It's important their shitty practices get highlighted and addressed. It's everything that's come after I don't buy.
full member
Activity: 670
Merit: 130
Sure, you look like you've read the story.

It's not Coinomi's technical flaw I doubt. It's the idea of a little caretaker in the Google server centre idly browsing the trillions of words per minute pouring in during his tea break, spotting the seed and thinking 'I'll fuckin' have some of that'.

If you have a wallet on a PC, any wallet, if someone's already on there then whatever is typed and displayed is already in plain text waiting to be taken away.

Well, if you work at Google and have access (physical or not) to where these data are being kept, I believe you are capable of creating a script extracting the data you want.

The whole point was that their desktop wallet was sending clear text seed phrases. Instead of saying sorry and fixing this, they responded like in the older incident with their mobile wallet not using SSL... blaming the guy who found the vulnerability and informed them...

Whether it was a man-in-the-middle attack (stealing the plain text info that was transmitted) or someone at Google I dunno, but sending such critical info as passwords or seed words in plain text, no matter how you don't want to see it, is a critical security flaw and the fault is on the developer, not the user, just like with the non-activated SSL connection on their Android wallet (if I recall right).
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
Sure, you look like you've read the story.

It's not Coinomi's technical flaw I doubt. It's the idea of a little caretaker in the Google server centre idly browsing the trillions of words per minute pouring in during his tea break, spotting the seed and thinking 'I'll fuckin' have some of that'.

If you have a wallet on a PC, any wallet, if someone's already on there then whatever is typed and displayed is already in plain text waiting to be taken away.
full member
Activity: 670
Merit: 130
Just noticed there is a third statement of warith  

I thought it was a load of bollocks at the time and I still do.

OP's story, that is.

The simplest option is that using any wallet on any Windows PC is a licence to get boned. And it happened to OP just like thousands of others.

Sure, you look like you've read the story.

If you want a really good bollocks story, apart from Scientology or any other religion, you can take Coinomi's replies and paid reports.

Anyway, I hope this ends up in court because the guy will surely win.

Facts are facts no matter how many lies and false reports you spread.
Coinomi was unlucky because the guy is not a simple crypto user who would take the loss and didn't know what to do, say or support.
The guy is a security analyst and if you compare what both sides state and the way they do it, it's clear who is wrong and who is right.
If you have the tech knowledge to understand what either side claims then I would say it's crystal clear.

Love and hugs
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
Just noticed there is a third statement of warith  

I thought it was a load of bollocks at the time and I still do.

OP's story, that is.

The simplest option is that using any wallet on any Windows PC is a licence to get boned. And it happened to OP just like thousands of others.
full member
Activity: 670
Merit: 130
Just noticed there is a third statement of warith  

Long story short, Coinomi hired a "cyber-security firm" named CipherBlade (that means Coinomi paid that firm money to make a report) and they concluded that what Coinomi supports is right.
Haha, how fuckin' convenient is that.

If you actually read the "objective" report and have basic security knowledge you will... laugh hard or cry.
It's more like a paid article that shills a shitcoin than a technical paper explaining what happened or might have happened, while most of the arguments have already been answered in the 1st and 2nd statements.

It's tragic that Coinomi is still trying to spread lies and false reports while spending money on the latter instead of just saying sorry and paying back the man.

If CipherBlade is a cyber-security firm, I am ManBearPig.

Anyway you can read the third statement of warith here and judge for yourselves --> https://www.avoid-coinomi.com/#overview-3rd-statement

It's a free-for-all world after all.

member
Activity: 700
Merit: 27
I wonder how that happens, because I've been using mine since 2016 with no issue at all, but not the Windows version though; I'm using the mobile wallet only.
member
Activity: 700
Merit: 14
From what I see, I think Coinomi will not pay the stolen funds as they are only a wallet provider and it's up to the user how he uses it. Not sure how the hell it got hacked since I can't spend all my time watching the vid. I just went on reading their conversation with Coinomi. For the bounty reward, OP deserves that since it's major.

I never use these mobile wallets, like Coinomi, because I have had a strong feeling from the very beginning that they are prone to attacks, since everyone just gives permission whenever they install an application. Viruses spread easily too, so I never store such amounts. I prefer using a brand new hardware wallet for full encryption and away from viruses and malware.
newbie
Activity: 52
Merit: 0
We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

You can save readers a few steps by just posting the Medium article:

https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af

It spends too much time talking about the behavior of the victim, which isn't necessarily relevant, though the article does provide some blockchain forensics to show that the coins may have been taken through malware. How do we know the malware doesn't exploit the bug identified by Al Maawali and patched immediately after by Coinomi? Were there apparent hackings conducted after the bug was fixed? The article doesn't mention this.

While it sounds like malware was likely involved, there could still have been an oversight error on the part of Coinomi.

We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

Not surprised. It read like a load of shit to me. As if there's someone in the bowels of google rubbing their hands as they wait for the seeds to roll in. Gimme a bleedin' break.

I agree that the chances of Google being in on it are slim to nonexistent.
Actually it does: "Most crucially, however, the first two incoming transactions into the Consolidation Wallet happened in October 2018, well before the Coinomi desktop app was even released (which was December 31 2018).". In plain English, the hacker group that stole the OP's coins and the very wallet that they used to consolidate funds had been active months before the 1st version of Coinomi Desktop was ever released. This alone is proof that the OP has been lying all along about the circumstances under which his wallet was emptied.
full member
Activity: 657
Merit: 100
Very sad that your life savings, your whole asset, were stolen. $60k-$70k is a really massive amount; I think it was your bad decision to hold it in the Coinomi wallet, because there are a lot of safe wallets you could use, like a hardware wallet, which is hugely safer than the Coinomi wallet.
hero member
Activity: 2562
Merit: 577
Such a horrible experience you must have had. This is bad: if we can't be safe with our funds on exchanges, and now in wallets too? Till now I never thought something like this could happen with a personal wallet of which you hold the recovery phrase or key, but this unfortunate situation of yours makes me have a second thought about the wallet I keep my funds in. I don't want to imagine this happening.
I hope you can recover your money sooner rather than later.
hero member
Activity: 1218
Merit: 534
Makes me sick how very few people are even held responsible for their actions.  They just forget about it and show no sympathy for the losses they caused.   I've gotten to a point where it is hard to trust anyone after seeing all these hacks, scams, and phishers.
legendary
Activity: 3010
Merit: 8114
We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

You can save readers a few steps by just posting the Medium article:

https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af

It spends too much time talking about the behavior of the victim, which isn't necessarily relevant, though the article does provide some blockchain forensics to show that the coins may have been taken through malware. How do we know the malware doesn't exploit the bug identified by Al Maawali and patched immediately after by Coinomi? Were there apparent hackings conducted after the bug was fixed? The article doesn't mention this.

While it sounds like malware was likely involved, there could still have been an oversight error on the part of Coinomi.

We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

Not surprised. It read like a load of shit to me. As if there's someone in the bowels of google rubbing their hands as they wait for the seeds to roll in. Gimme a bleedin' break.

I agree that the chances of Google being in on it are slim to nonexistent.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688
Not surprised. It read like a load of shit to me. As if there's someone in the bowels of google rubbing their hands as they wait for the seeds to roll in. Gimme a bleedin' break.

All the same it's pisspoor practice and I wouldn't keep anything other than shitcoins on there. You don't know what'll pop up next.
newbie
Activity: 7
Merit: 0
We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

legendary
Activity: 1512
Merit: 1004
Security first in Crypto world.
full member
Activity: 670
Merit: 130
I have published my second official statement regarding Coinomi "Spell Check" scandal

You can read the new statement from the following link (video included):
https://twitter.com/warith2020/status/1102445902353043456

Your video response is decent and fully explanatory. Even kids can understand this.
Maybe Coinomi should hire you to handle not only their incompetence but to learn a few things as well.
I hope this will go to the authorities.
hero member
Activity: 1680
Merit: 655
I have published my second official statement regarding Coinomi "Spell Check" scandal

You can read the new statement from the following link (video included):
https://twitter.com/warith2020/status/1102208448236847107

Nice way to get back and reply to Coinomi's Medium post. I wasn't convinced by how they answered the vulnerability issues, especially when they evaded a lot of your points in your blog post; they haven't even mentioned anything about the "legal implications" they are threatening you with if you disclose the vulnerability issue to the web. So far you have 114 views on your video; maybe if this goes viral Coinomi will be pressured to reimburse your lost funds and those of the rest of the users who are affected.
full member
Activity: 420
Merit: 106
Damn, all your life savings gone, a very sad thing to happen. But as you said, you were used to software wallets since 2013, which cost you this; seriously, you could've used a better alternative such as an offline wallet by Ledger or some other, then you wouldn't have had to face this. Hope you get a satisfactory answer from Coinomi.