WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings - page 4.

jseverson

hero member

Activity: 1834

Merit: 759

Quote from: nutildah on February 28, 2019, 07:26:54 AM

It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

That would be because giving away money when you don't actually have to is bad business. It's possible that they would have compensated him if things didn't get this ugly, but there's absolutely no way they would give him anywhere near the amount he lost. They would spend a lot less money by simply letting it out on the open and then doing damage control than by fully reimbursing him.

It sucks but this is our current reality. Being your own bank is incredible but it has drawbacks. The only real safe way to store your coins is offline.

DaveF

legendary

Activity: 3458

Merit: 6231

Crypto Swap Exchange

Quote from: Pon13 on February 28, 2019, 03:32:13 AM

Quote from: fer_coinomi on February 27, 2019, 12:59:38 PM

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users fault that you hadn't configure SSL on your systems by default and it was the users fault that you had enabled spell checkin plug in where you restore your seed phrase resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh?? Roll Eyes

According to Coinomi and other testing (including a quick and dirty wireshark test by me) it was / is a SSL transmission to Google

-Dave

Kemarit

legendary

Activity: 3080

Merit: 1353

Quote from: nutildah on February 28, 2019, 07:26:54 AM

It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

I can see why the guy would be upset and its pretty unprofessional that they would just say, "oh, he's a blackmailer so we're just not dealing with him any more." Sounds like things will indeed get ugly and it will be interesting to see if a Google employee indeed had something to do with this.

Exactly, the way Coinomi treated their customer is not what we expected them to do. Of course how can the guy cooperate with them when he just lost all of his savings from their incompetency. And now their turning tables and blaming the person for being non-cooperated and now they wanted him to be the bad actor here? Not professional @Coinomi.

wwzsocki

legendary

Activity: 2744

Merit: 1708

First 100% Liquid Stablecoin Backed by Gold

I am really sorry for your loss OP and hope you will be able to get your funds back.

Still, don't understand why OP used this same password/seed words for two different wallets?

From what I know rule number one is to use different passwords/seed words always.

If Coinomi wallet seed words would be different then OP exodus wallet would never be hacked. Am I right?

How they managed to find that these seed words are from Exodus wallet? Do they check all wallets out there? Strange.

nutildah

legendary

Activity: 2982

Merit: 7986

It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

I can see why the guy would be upset and its pretty unprofessional that they would just say, "oh, he's a blackmailer so we're just not dealing with him any more." Sounds like things will indeed get ugly and it will be interesting to see if a Google employee indeed had something to do with this.

Pon13

full member

Activity: 670

Merit: 130

Quote from: fer_coinomi on February 27, 2019, 12:59:38 PM

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users fault that you hadn't configure SSL on your systems by default and it was the users fault that you had enabled spell checkin plug in where you restore your seed phrase resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh?? Roll Eyes

Baofeng

legendary

Activity: 2576

Merit: 1655

This issue is out of the open already:

https://cryptoslate.com/security-consultant-reveals-coinomi-wallet-vulnerability-60000-in-crypto-allegedly-hacked/

Anyways, I have nothing against the OP, so maybe he can shed light to this:

Quote

Moreover, Coinomi claims that Maawali would not co-operate unless he was compensated:

“[He] refused to disclose his findings and kept [sic] threatened to take (the matter) public” unless payment of 17 BTC was made to compensate him for the allegedly stolen funds.

peonminer

hero member

Activity: 798

Merit: 531

Crypto is King.

Quote from: kenzawak on February 27, 2019, 05:39:53 AM

I saw that on reddit and didn't talk about it anywhere because as of now, it's just one guy making a claim.
I'm not saying it's false but I'd wait for more information about the whole thing.

Actually OP posted about more than one person having this happen to them and posting about it on reddit

Quote from: warith on February 27, 2019, 01:17:49 AM

Apparently I'm not the only one who got wiped out check these reddit posts:
https://www.reddit.com/r/COINOMI/comments/av8rp0/was_i_hacked_im_not_sure_what_i_did_wrong_help/
https://www.reddit.com/r/COINOMI/comments/av01oz/coinnomi_hacked/
https://www.reddit.com/r/CryptoCurrency/comments/9cja43/half_my_coins_are_missing_from_verge_electrum/

This proves my analysis but yet the company denies the responsibility.

What I did was I used one of my main wallets passphrase/seed (recovery seed) in Coinomi's wallet and that was my awful mistake! If it was the password that protect the private key (wallet.dat) then the attacker/criminal would not be able to do anything because he must obtain the private key in order to use the password and steal the wallet.

anks

sr. member

Activity: 572

Merit: 259

LSK, QTUM

everyone donate 1 dollar to get his funds back

65000 people

bdbabiak77

jr. member

Activity: 42

Merit: 1

I thought the Bitcoinist article about you said they gave you funds eventually and a 'bug-finding' bounty. Is that not true?

0t3p0t

sr. member

Activity: 1512

Merit: 351

★Bitvest.io★ Play Plinko or Invest!

Quote from: denzkilim on February 26, 2019, 09:38:59 PM

Thanks for the warning and awareness bro, and I feel sorry for your life savings that have been lost because of that wallet provider. Embarrassed

I already quit using that Coinomi wallet a long time ago because of their bad customer support that I experienced. Losing life savings that you worked hard for it whatever price it is, is no joke I do hope that you will recover from your losses and get more blessing in the future.

Quote from: warith on February 26, 2019, 07:49:55 PM

As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that a 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!

This looks really alarming Shocked

Coinomi should take this kind of vulnerability seriously because the funds of their customers will be in great danger just like what happened to you.

I am a coinomi user ever since but had never experienced something like that though I only have smaller amount of funds compared to OP's compromised value of funds. This issue should be explained and solved immediately by coinomi for their user's safety. This is really alarming as all of our funds might be compromised in just a single passphrase as it supports a lot of coins and tokens but I stored my Bitcoins in Mycelium wallet only Altcoins are placed on my Coinomi wallet.

kumar jabodah

full member

Activity: 532

Merit: 106

Coinomi should quickly take action on this issue. This is a huge damage to their company and it may be a result of their customers moving to a more trusted wallet.

I understand your explanation and I'm sad that it happened to you.

Pursuer

legendary

Activity: 1638

Merit: 1163

Where is my ring of blades...

Quote from: eternalgloom on February 27, 2019, 01:29:27 PM

That said, I am curious how OP's funds got stolen exactly. Seems unlikely that it was someone at Google's end.

regardless of how OP lost funds or whether he is telling the truth or Coinomi, in the end this has been a very irresponsible design on their side! they are sending the most secretive information of your wallet (which is your seed that is used to generate ALL your private keys) out to a third party server! there is absolutely no reason for a wallet to even have such options in it.
"spell check" should be done locally and versus the fixed 2048 words that the seed is chosen from.

eternalgloom

legendary

Activity: 1792

Merit: 1283

Quote from: fer_coinomi on February 27, 2019, 12:59:38 PM

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

I know LoyceV already mentioned it above, but I'd like to reiterate what he said:

Did you really have to use his full name? Pretty unethical behavior at your end IMO.
That said, I am curious how OP's funds got stolen exactly. Seems unlikely that it was someone at Google's end.

Wouldn't the more likely scenario be that his own PC was already compromised?

Still doesn't make up for the vulnerability though.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: fer_coinomi on February 27, 2019, 12:59:38 PM

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Let me quote from the Official Statement:

Quote

After the dust settles we all need to remember the names of those who chose self-assertion over general public safety and acted irresponsibly.

Was it really necessary to mention warith's full name 8 times?
Coinomi calls him a "blackmailer", "irresponsible", and claims funds are "possibly still controlled by him". The entire Official Statement reads like damage control to me.

fer_coinomi

jr. member

Activity: 55

Merit: 10

Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

South Park

hero member

Activity: 2884

Merit: 794

I am terrible at Fantasy Football!!!

Quote from: davis196 on February 27, 2019, 02:27:48 AM

I've never heard about this Coinomi wallet.Why didn't you just use one of the more popular and trusted crypto wallet services?Storing big amounts of coins into ONE wallet is always a big mistake...
This topic belongs to the Scam Acusasations forums,I think...

The OP was using that wallet because there were some assets that were unsupported by the exodus wallet and he wanted to store those assets and he decided to use the coinomi wallet, it could have been a good idea to use a hardware wallet but now it is too late for him, so let this be a reminder, software wallets are not really the place to store huge amounts of money, if you have even just a few thousands of dollars worth of cryptocurrencies then you need to invest in a hardware wallet.

bhadz

hero member

Activity: 2408

Merit: 564

Sorry for your losses OP, I've got some altcoins sitting on my coinomi wallet and I'm just letting it there which I rarely visit.

Quote from: maydna on February 27, 2019, 02:25:46 AM

My big question is why you use Coinomi to safe your asset worth $60K-$70K?

I have my life savings on crypto's too but I'm not storing it to a multi-wallet just like coinomi. I trust more ledger nano s than this kind of wallet. This is a very painful and expensive experience for OP, I hope you recover soon. I've decided to start moving those coins of mine.

Zerbis

member

Activity: 335

Merit: 15

Trading & Crypto

Someone should tell me if IPHONE app could have the same vulnerability?

Rando444

newbie

Activity: 10

Merit: 0

I am really sorry to hear this. I have been using Coinomi for quite some time now and the reason I did was because they said that your keys and passphrase are stored in your own mobile and not a server. I thought it was safe alll this time, but after reading your post I am having second thoughts. Again, I am really sorry for your loss Sad

Topic: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings - page 4. (Read 2041 times)