Official Statement on Spell Check findings

Angelos

Feb 27

The Timeline of Events

On 22 Feb 2019 we were contacted by Warith Al Maawali via our Support Helpdesk regarding a security vulnerability in our Desktop wallets. We immediately flagged this request as High Priority and we started investigating this issue. The report said that seed phrases were being sent over to Google in plain text due to a built-in spell-check functionality in Desktop wallets and that there was a wallet hacked due to this vulnerability.

Our engineers confirmed that spell-check functionality was indeed enabled for the Desktop wallets only — the mobile apps were not affected by this.

However, unlike what was reported:

  • The seed phrase wasn’t being transmitted in plain text; instead it was encapsulated inside an HTTPS request, with Google being the sole recipient
  • The seed phrase wasn’t being transmitted at all unless the user chose to explicitly restore their Desktop wallet
  • The spell-check requests that were sent to the Google API were not processed, cached or stored, and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google²

Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead a bad configuration option in a plug-in used in Desktop wallets only. That plugin enabled the spell-check functionality³ by default in a recent update, and this was fixed by the jxBrowser plug-in team just 6 days ago — the same day we were contacted by Warith Al Maawali. All Desktop versions were patched immediately after we received the full disclosure, and we then started further exploring the implications of this issue in order to provide our users with the proper guidance and inform them of the course of action that needed to be taken, if any.

During these days, Warith Al Maawali repeatedly refused to disclose his findings and kept threatening to take this public if we didn’t immediately pay a ransom of 17 BTC, which would make up for the “hacked” funds (stolen by Google, according to Warith Al Maawali). Those funds are possibly still controlled by him and couldn’t have been hacked because of Coinomi, for a series of reasons:

  • Coinomi Team never had access to these seed phrases or funds
  • No one except Google could read the contents of the encrypted packets that contained the seed phrases
  • Google rejected these requests initiated by jxBrowser/Chromium as they were badly formed (didn’t contain a valid Google API key) and never actually processed them
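The bullets above describe a recovery phrase leaving the host inside a TLS session and being rejected with a 400. As an added example (not Coinomi’s or jxBrowser’s code), the following is the kind of egress audit a wallet vendor could run over its own desktop client: it scans proxy-style request logs for outbound requests to hosts outside the wallet’s allowlist and for request bodies shaped like a recovery phrase. The log format, the allowlist host and the sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed allowlist: the only host the wallet itself is expected to contact.
ALLOWED_HOSTS = {"api.wallet.example"}

# Constructed log format: <ts> <method> <host> <path> <status> "<body>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Constructed sample: a wallet API call, a spell-check POST carrying a 12-word
# phrase that the remote API rejected with 400, and an unrelated third-party GET.
SAMPLE_LOG = [
    '2019-02-22T10:00:00Z POST api.wallet.example /v1/balance 200 "balance bc1qexample"',
    '2019-02-22T10:00:05Z POST www.googleapis.com /rpc 400 "abandon ability able about '
    'above absent absorb abstract absurd abuse access accident"',
    '2019-02-22T10:00:09Z GET fonts.gstatic.com /s/roboto.woff2 200 ""',
]


@dataclass
class Finding:
    line_no: int
    method: str
    host: str
    path: str
    status: int
    reasons: List[str]


def looks_like_seed(text: str) -> bool:
    """Heuristic: 12, 18 or 24 lowercase words of 3-8 letters, nothing else."""
    words = text.strip().split()
    return len(words) in (12, 18, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words)


def audit(lines: List[str]) -> List[Finding]:
    """Flag off-allowlist destinations and seed-shaped bodies, regardless of status:
    a 4xx from the remote side does not undo the disclosure, the body already left."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guessing at fields
        _, method, host, path, status, body = m.groups()
        reasons = []
        if host not in ALLOWED_HOSTS:
            reasons.append("destination not in wallet allowlist")
        if looks_like_seed(body):
            reasons.append("request body resembles a recovery seed phrase")
        if reasons:
            findings.append(Finding(n, method, host, path, int(status), reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.method} {f.host}{f.path} -> {f.status}: {'; '.join(f.reasons)}")
```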

What to do next

If you have been using Coinomi for Android or iOS there is no further action needed on your side; mobile versions were not affected by this.

If you are using Coinomi Desktops and you created a new wallet with your Desktop, again there’s no further action required other than updating your client to the latest (patched) version.

If you are using Coinomi Desktops and you restored an existing wallet into your Desktop wallet we recommend that you create a new wallet and move your funds there after you update your client to the latest (patched) version.

Given the facts above, it’s extremely unlikely that this issue would ever result in loss of funds; however, under no circumstances should a seed phrase go online, even in encrypted form, and for this we sincerely apologize. Our Support is at your disposal on a 24/7 basis to guide you through the process if at any point you need a helping hand.

Conclusion

We have been successfully securing your blockchain assets since 2014 and this isn’t going to change now. We take security very seriously; we hire professional auditors and security experts to review our code and processes, and as a matter of fact these past few weeks we have been attending to the details of an audit by KeyLabs.

We’ve had zero reports of hacked Desktop wallets so far other than Warith Al Maawali’s, which however cannot be sustained by the underlying facts — there is still a way to go in investigating the authenticity of his claim, and if the funds were indeed stolen it was much more likely due to an infected host rather than Google itself stealing these funds. If the claim is proven to be false we will seek remedies to set things straight and to prevent their recurrence.

Just like today, back in 2017 Luke Childs and Jonathan Sterling acted totally irresponsibly by disclosing their findings in public before making sure that we were aware of them (they never opened a ticket with our Support, the only formal way of contacting us back then). This could have put Coinomi users’ funds at risk if their security claims were true. Following the same paradigm, Warith Al Maawali acted equally irresponsibly by disclosing this in public before allowing us to sit with Google and make sure that, in the unlikely scenario that some seed phrases were captured by Google servers, they would be wiped immediately. Now it’s out of our hands thanks to Warith Al Maawali and Luke Childs, who vigorously reproduced the news via their personal accounts. After the dust settles we all need to remember the names of those who chose self-assertion over general public safety and acted irresponsibly.

Going forward it should be noted that we are not negotiating with blackmailers and that we are totally open and transparent with the crypto community, which we have been serving day and night for the past 5 years. Security vulnerabilities exist in all kinds of software and it is very important that, when disclosed, they are disclosed properly. If you are a security researcher and discover a vulnerability that could affect other users too, you must take into account how disclosing this info in public will affect those users, especially in financial applications that deal with people’s money. In other words, don’t be like the researchers mentioned above; be responsible. And just so that we don’t give the wrong impression here, we would like to thank Warith Al Maawali for disclosing his findings to us; Coinomi Desktops are now more secure than ever thanks to him.

To sum things up: was there an issue with our Desktop wallets? Yes, there was, and it was fixed hours only after it was disclosed to us. Could this issue have resulted in loss of funds?

Practically, no, it couldn't have.

Update #1: You can now read the full Helpdesk correspondence between Warith Al Maawali and our Agents by clicking here.

Update #2: It should be noted that to date Warith Al Maawali has denied all identity verification requests, which is shady to say the least.

¹ Google API HTTPS Response:

² We have asked Google to confirm that bad requests’ text body isn’t stored on their servers; we will update our statement accordingly.

³ By default, the spell checker is enabled and configured to use the English (en-US) language. The Chromium engine checks text in all text fields and text areas on the loaded web page and highlights all misspelled words. Chromium supports both a custom dictionary and dictionaries for different languages. It downloads the required dictionary for the current language locally and automatically. You can also add words to your custom dictionary, which is stored in the Chromium user’s profile directory. When a text field or text area on the loaded web page receives focus, Chromium’s spell checker automatically checks the text and highlights misspelled words.
