Bitcoin software (and hardware) wallets are open to a bewildering array of attack vectors, because… well, money. Hackers will always be trying to exploit vulnerabilities or find backdoors. But the Coinomi wallet apparently made things a bit too easy by sending a plain-text seed to a Google API for spellchecking.


How Do You Spell ‘Cleaned Out’?

The bug came to light after a user noticed $60k-70k of cryptocurrency had disappeared after installing the wallet. The user had entered the passphrase for another wallet into the restore field, to move some unsupported assets. A week later 90% of his main wallet funds were missing, comprising purely the Coinomi-supported assets.

Some further investigation, using software to monitor HTTP traffic from running applications, revealed the bombshell. When entering a passphrase in the ‘Restore…


Source: https://thebitcoinnews.com/coinomi-wallet-transmits-plain-text-seed-phrasefor-spellchecking/