When everyone starts slinging mud, no one comes up clean. Thanks to a disgruntled user and a frustrated vendor, the cryptocurrency world learned that lesson the hard way this week.
Cryptocurrency owner Warith Al Maawali was blaming wallet vendor Coinomi for the loss of $65,000 in bitcoins after discovering a bug in its software. Coinomi countered by blaming him for blackmail. And the whole sorry affair played out in public.
Like many cryptocurrency users, Al Maawali used a seed phrase. This is a 12-word passphrase that can be used to recover your addresses when entered into wallets that support the feature. They are known as hierarchical deterministic (HD) wallets.
On 14 February 2019, Al Maawali downloaded the Windows version of Coinomi, entering into it the 12-word passphrase that he had used for another of his wallets called Exodus. On 22 February 2019, he discovered that over 90% of his Exodus wallet assets had been transferred to other addresses. This included 17 bitcoin, which is worth almost $65,000 at current prices. Only the assets that Exodus and Coinomi had in common were stolen, he said.
He installed Fiddler, a program that monitors HTTP traffic across all applications on a host machine. It caught Coinomi downloading a dictionary word list. When he entered a test passphrase, he saw Coinomi send it to Google’s googleapis.com domain.
He also noticed that the form underlined any misspelled words in a passphrase in red, as per Google’s form-based spell check feature.
Al Maawali says that Coinomi uses an integrated version of Google’s Chromium open-source browser code to render its user interface:
So essentially the textbox which you enter your passphrase in, is basically an HTML file ran by Chromium browser component and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for spelling check
Security researcher Luke Childs verified this in a video.
Al Maawali says that he did his best to get Coinomi to help him, before going public with the situation on a website dedicated to the issue. He published excerpts of his private discussion with Coinomi support, accusing the company of evading his requests for compensation.
In an official response, Coinomi admitted that the spell-check functionality was enabled for the desktop version of its software. It isn’t backing down, however. It argued that the seed phrase was encrypted during transmission. Google’s API requires an API key, which the software didn’t send. According to Coinomi, this means:
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google
But then it also said:
No one else except from Google could read the contents of the encrypted packets that contained the seed phrases
We have asked Google to confirm that bad requests’ text body isn’t stored on their servers, we will update our statement accordingly.
…which seems contradictory.
In any case, Coinomi left room for a mea culpa:
Given the facts above, it’s extremely unlikely that this issue would ever result in loss of funds, however under no circumstances a seed phrase should go online even if this is in encrypted mode and for this we sincerely apologize.
The company added that the issue stemmed from jxBrowser, a third-party cross-platform Java library that it uses to integrate Chromium into its software. The library had been enabling the Chromium spell check by default, and was only fixed on the day that Al Maawali contacted Coinomi, it said.
Coinomi reserved some choice words for Al Maawali, adding that he refused to submit to its know-your-client (KYC) policy or submit a bug report via encrypted channels:
Let the message be clear, we do not negotiate with blackmailers. Here is the full Helpdesk correspondance with… twitter.com/i/web/status/1…—
coinomi (@CoinomiWallet) February 27, 2019
The comments on this tweet include an ongoing and increasingly bitter exchange between Coinomi and Al Maawali. This public fighting doesn’t make anyone look good, and Coinomi has the most to lose at this point. When Coinomi tweeted its official statement, people tended to come down on Al Maawali’s side. An example:
Udi Wertheimer (@udiWertheimer) February 27, 2019
Coinomi has been embroiled in disclosure battles before. In 2017, Childs reportedly found it sending wallet addresses from its Android app in plaintext and made the details public after trying to get Coinomi to take notice.
So how did Al Maawali’s bitcoin go missing? There are some possible explanations, including an infection on the host machine, an ill-secured phrase or a compromise after the seed phrase made it out to the internet. We aren’t accusing anyone at Google of stealing anything, just to be clear.
Couldn’t an enterprising attacker simply brute-force a deterministic wallet with random numbers and stumble across Al Maawali’s unique combination? The key phrases are simple dictionary words after all.
Theoretically, perhaps. Practically, probably not. There are many word combinations, and the word order is also part of the code. In practice, you’d be running scripts till the end of time before you found a seed phrase linked to a wallet with money in it.
Unfortunately, that might well be how long Al Maawali will be waiting to get his coins back. The moral of the story? Don’t put $65,000 of crypto-assets in a hot wallet. Instead, put the bulk of it in cold storage – just so long as you figure out a way to securely give someone else the password after you die, so that you don’t take it with you to the grave.