Bitcoin software (and hardware) wallets are open to a bewildering array of attack vectors, because… well, money. Hackers will always be trying to exploit vulnerabilities or find back-doors. But Coinomi wallet apparently made things a bit too easy, by sending a plain-text seed to Google API for spellchecking.
How Do You Spell ‘Cleaned Out’?
The bug came to light after a user noticed $60k-70k of cryptocurrency had disappeared after installing the wallet. The user had entered the passphrase for another wallet into the restore field, to move some unsupported assets. A week later 90% of his main wallet funds were missing, comprising purely the Coinami-supported assets.
Some further investigation, using software to monitor http traffic from running applications, revealed the bombshell. When entering a passphrase in the ‘Restore…