Topic: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings - page 3. (Read 2106 times)

newbie
Activity: 10
Merit: 51
I have published my second official statement regarding the Coinomi "Spell Check" scandal.

You can read the new statement from the following link (video included):
https://twitter.com/warith2020/status/1102445902353043456
member
Activity: 845
Merit: 52
Coinomi's reply to this disheartening loss is worrisome, and it calls for grave concern about professionalism in financial management; trying to bully one into not crying out is circumventing. Sorry for the enormous loss; I hope you seek a refund through calculated litigation, and I hope you get justice quickly. Just a word: "It is good not to leave huge funds in a single wallet."
full member
Activity: 630
Merit: 172
The replies from Coinomi are very concerning and I would recommend that no one use this wallet anymore. There is just too much risk at this point; please keep your funds stored offline for optimal safety.
full member
Activity: 670
Merit: 130
Ivan on Tech - ALL HODLERS BEWARE! INSIDER JOB?
Programmer explains
Quote
A person lost their life savings from the COINOMI crypto currency wallet. Today we talk about how that hack happened exactly, how COINOMI let this happen and what the likely chain of events was. Another important aspect is how COINOMI responded to this issue and communicated this to the public. We will also discuss the fact that many miners mine empty blocks and why they do it.

https://www.youtube.com/watch?v=5WgD8YOqfLM
sr. member
Activity: 854
Merit: 281
I read about this vulnerability online, and one article was skeptical about your claims, but I take no side in this dispute as I am not involved. I hope, if your story is true, that you will be able to get your funds back through litigation. I think one lesson we all can learn from this is not to trust the Google cloud for storing highly sensitive financial or personal information.
newbie
Activity: 10
Merit: 51
I don't know who controls that Twitter account, but their response is really unprofessional imo. Starting with threatening to frame people just because they took part in how their vulnerability spread out to the public. I think any sane person won't use their wallet anymore, not only because it's closed source, but also because they have terrible PR.


Probably their management (founders). As I said in my original post:
Quote
It seems the founders are the developers of the application and they don’t like anyone who criticizes their ugly baby creation “Coinomi” wallet. They think that they are the code gurus fallen from the heavens who write perfect code.

They took everything at a personal level, and that's very clear in their tweets!
legendary
Activity: 2170
Merit: 1789
I don't know who controls that Twitter account, but their response is really unprofessional imo. Starting with threatening to frame people just because they took part in how their vulnerability spread out to the public. I think any sane person won't use their wallet anymore, not only because it's closed source, but also because they have terrible PR.
newbie
Activity: 10
Merit: 51
As you know, Coinomi has announced their official sloppy response, and it was very clear how they diverted the whole situation into a "blackmailing" thing.

They focused on my personal image and hired some of their trolls to trash-talk me on social media (especially Twitter because it's less moderated).

They tried to run away from responsibility and portray the vulnerability as "harmless" (based on their hired trolls). Moreover, they kept deleting some of their tweets when they got struck by facts.

Here are some examples of how childish, unprofessional and misleading their tweets are:
https://twitter.com/warith2020/status/1101054666232745984
https://twitter.com/warith2020/status/1101055824368148480
https://twitter.com/warith2020/status/1101057557010006016
https://twitter.com/warith2020/status/1100898781598531591
https://twitter.com/warith2020/status/1101135909481861120

They even literally blackmailed a known community member with legal action to limit his freedom of speech because he expressed his "technical" thoughts:
https://twitter.com/warith2020/status/1101048089626984449

I have never ever seen a company with that kind of attitude and to me they lost all credibility. If you still trust them with your crypto-assets then I wish you all the best luck.

Finally, I will be posting my official response to their official announcement very soon. It will answer all the questions raised by the community and will contain some exciting evidence for my claims.

To stay calm and have some LOLs, check out this Coinomi meme (classic & original):
https://twitter.com/dukeleto/status/1100696093673824256
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
Unquestionably slack on Coinomi's part, but I don't believe anyone at Google helped themselves to the seed and I don't think this thread would exist if this vulnerability hadn't been sprayed all over the news.

Either this thread is fantasy or the seed was picked up by someone else by other means.
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
I am really sorry for your loss OP and hope you will be able to get your funds back.

Still, I don't understand why OP used the same password/seed words for two different wallets?

From what I know, rule number one is to always use different passwords/seed words.

If the Coinomi wallet seed words were different, then OP's Exodus wallet would never have been hacked. Am I right?

How did they manage to find out that these seed words are from an Exodus wallet? Do they check all wallets out there? Strange.



Re-read the OP's post... He had some tokens (probably ERC20 tokens) that were sent to him but were not supported by his exodus wallet. Since he wanted to manipulate these tokens, he had to enter his seed phrase in a compatible wallet that did support these tokens. If he would have created a new seed phrase in coinomi he wouldn't have been able to manipulate the tokens that were sent to an address generated by his exodus wallet.

As for the second part of your question: there are 2048 words in the dictionary... A simple parser looking for a 12- or 24-word phrase consisting solely of words from this dictionary would suffice.

I used Coinomi to keep some spending money, but I have moved everything but tBTC and tLTC from Coinomi and I'll never use the application again, ever... It's not just the fact that they had a vulnerability, it's the way they behaved afterwards.

Thank you very much for this explanation. Of course, a little merit for you.

This is something new for me, even though I have been using tokens from the start and have multiple holdings. Maybe because I have never used wallets like Coinomi so far.
Never trusted them, and from what I see I am totally right.

Even the best online wallet today can be vulnerable tomorrow because of an update to a service it depends on. Even one such as spell check. This is something to think about if anybody is going to use these wallets. I haven't even mentioned dangers like malicious insiders or hackers.
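The point made two posts up (a 12- or 24-word run of words drawn only from the 2048-word BIP39 dictionary is trivially recognisable) and the point just above (a spell-check service is an outbound channel a wallet should never hand sensitive fields to) can both be shown in code. What follows is an added example written for this thread; it is not code from Coinomi, Exodus or any poster. It implements the BIP39 encoding and checksum check from the specification and uses it as a defensive outbound filter: anything that validates as a mnemonic is redacted before a request could leave the application. The real BIP39 English list has 2048 specific words; the list below is a constructed stand-in ("w0000" to "w2047") so the example runs offline, and the bit arithmetic is identical with the real list.

```python
# Added example: BIP39-style mnemonic detector used as an outbound redaction filter.
# Not code from the thread or from any wallet vendor. The wordlist is a CONSTRUCTED
# stand-in for the 2048-word BIP39 English list; swap in the real list for real use.
import hashlib
import re

WORDLIST = [f"w{i:04d}" for i in range(2048)]          # constructed placeholder list
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}
# BIP39 word count -> entropy bits (12 words = 128 bits ... 24 words = 256 bits)
VALID_LENGTHS = {12: 128, 15: 160, 18: 192, 21: 224, 24: 256}


def _bits(data: bytes, width: int) -> str:
    """Big-endian bit string of `data`, left-padded to `width` bits."""
    return bin(int.from_bytes(data, "big"))[2:].zfill(width)


def entropy_to_mnemonic(entropy: bytes, wordlist=WORDLIST) -> str:
    """BIP39 encoding: ENT entropy bits + ENT/32 checksum bits (first bits of
    SHA-256 of the entropy), split into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_LENGTHS.values():
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    bits = _bits(entropy, ent_bits) + _bits(hashlib.sha256(entropy).digest(), 256)[:cs_bits]
    return " ".join(wordlist[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11))


def mnemonic_checksum_ok(words, word_index=WORD_INDEX) -> bool:
    """True only for a BIP39-valid word count, all words in the list, and a
    checksum that matches the decoded entropy. Random dictionary words of the
    right length pass the checksum with probability only 2^-(ENT/32)."""
    n = len(words)
    if n not in VALID_LENGTHS or any(w not in word_index for w in words):
        return False
    bits = "".join(bin(word_index[w])[2:].zfill(11) for w in words)
    ent_bits = VALID_LENGTHS[n]
    cs_bits = ent_bits // 32
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    expected = _bits(hashlib.sha256(entropy).digest(), 256)[:cs_bits]
    return bits[ent_bits:] == expected


def find_mnemonics(text: str):
    """Slide a window of every valid length over the tokens of `text` and return
    (start_token_index, phrase) for each window that is a checksum-valid mnemonic."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    hits = []
    for n in VALID_LENGTHS:
        for i in range(len(tokens) - n + 1):
            window = tokens[i:i + n]
            if mnemonic_checksum_ok(window):
                hits.append((i, " ".join(window)))
    return hits


def redact_mnemonics(text: str) -> str:
    """What an outbound filter should do: replace any detected phrase before the
    text can reach a third-party service such as a spell checker."""
    out = text
    for _, phrase in find_mnemonics(text):
        out = re.sub(re.escape(phrase), "[REDACTED SEED PHRASE]", out, flags=re.IGNORECASE)
    return out


if __name__ == "__main__":
    seed = entropy_to_mnemonic(bytes(16))            # constructed all-zero entropy, 12 words
    msg = "Please restore my wallet " + seed + " thanks"
    print(find_mnemonics(msg))
    print(redact_mnemonics(msg))
```

The filter is a backstop, not the fix: the field that receives a recovery phrase should have spell-checking, autocomplete and any other outbound text service disabled outright, so there is nothing for a checker to forward in the first place. The checksum test matters because it turns "twelve dictionary words in a row" from a noisy heuristic into a near-certain match, which is exactly why a seed phrase reaching any remote service must be treated as fully compromised.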

legendary
Activity: 2912
Merit: 1068
WOLF.BET - Provably Fair Crypto Casino
This example just shows that security is one of the key issues you should be aware of. Unfortunately, many users ignore safety issues and don't pay enough attention to what kind of wallets and exchanges they use and how they can protect themselves. Learn from such mistakes and take care of your coins; don't think such things only happen to someone else.
legendary
Activity: 3584
Merit: 5248
https://merel.mobi => buy facemasks with BTC/LTC
I think the fault is on your end: spyware was already on your PC, and the moment you typed in your passphrase the spyware hijacked your keys. I'm using the Coinomi wallet presently with huge funds inside, but the actual safest way is storing coins offline.

So don't be surprised and say you weren't warned when your wallet gets drained some day...
full member
Activity: 784
Merit: 101
The World's 1st Waste to Green Energy DLT Project
Basically, I have long felt unsure about coinomi security. After reading this, my distrust became stronger. Hopefully this can be a warning for anyone to be more careful in storing crypto assets
full member
Activity: 952
Merit: 110
I think the fault is on your end: spyware was already on your PC, and the moment you typed in your passphrase the spyware hijacked your keys. I'm using the Coinomi wallet presently with huge funds inside, but the actual safest way is storing coins offline.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You put the fault on the users that found critical mistakes on your end and warned you about them.
I guess it was the users' fault that you hadn't configured SSL on your systems by default, and it was the users' fault that you had enabled a spell-checking plugin where you restore your seed phrase, resulting in sending the seed online.

fuckin users, how could they configure your systems so fuckin wrong eh??

According to Coinomi and other testing (including a quick and dirty Wireshark test by me) it was / is an SSL transmission to Google.

-Dave


Hi Dave,

My SSL comment is about the 2017 incident on their mobile client. They hadn't enabled SSL connections, resulting in clear-text communication between the client app and the servers. The only thing they had to do back then was just turn it on in their configuration. Another user's fault, eh?

You can do your own research of what i'm talking about.
https://cryptoble.win/2017/09/30/vulnerability-coinomi-devs-retaliate/
Quote
On 16 September 2017, Luke Childs had gone to Coinomi's GitHub to alert them of an issue where Coinomi was connecting to ElectrumX servers in plain text (i.e. without SSL encryption).

Funny fact? Their reaction is pretty much similar to today's reaction.
They attacked Luke Childs instead of thanking him, and they stated that he spreads FUD while they enabled SSL connections on their mobile app.
Now, where is the suicide emoticon when you need it.

Gotcha, I was only looking at what was going on now, did not even remember the 2017 issue.
 
Some people are saying that the desktop wallet did connect w/o SSL, others are saying yes. All I can say is what I saw.

-Dave
full member
Activity: 630
Merit: 172
What I do not understand is, why does Coinomi need to spell check your seed phrase on googleapis.com? Is this done on purpose so external factors can be blamed when someone within the company uses this "backdoor" and gets caught?

I have always said that centralized wallet providers and exchanges should never be trusted with your life savings. DO NOT put all your eggs in one basket. <80%+ of my hoard is stored in cold wallets & hardware wallets, and only 20% is stored on different centralized services for daily access>

This is what I think happened. They are using Google as someone to blame when they are really just using the backdoor themselves. I doubt someone from Google would be responsible for this. I'm not saying it's impossible, but very unlikely.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b
You really think as wallet users, we'll say ah, this was "not a bug but a bad config option"?

Yeah, that official response was extremely unprofessional. Just based on that alone, I will never use a Coinomi wallet.

And they use a plugin? On something that could hold huge amounts of money? And then not even bother to check it and its configuration thoroughly before releasing it? Seriously??
legendary
Activity: 2968
Merit: 3684
Join the world-leading crypto sportsbook NOW!
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

You might have seen LoyceV's quote from your official statement. It pretty much sums up how most of us would feel about this. I'm not even concerned about whose fault it is (without fully understanding the evidence) but it concerns me every time someone in this space responds the way you guys did.

You really think as wallet users, we'll say ah, this was "not a bug but a bad config option"?