Crypto Wallet Coinomi sending seed phrases in plain text to Google


#1

Thought I would highlight this security breach in Coinomi’s wallet as I remember some users asking us about holding SATURN tokens in their Coinomi wallet, so it is likely some of our community uses this software. Thanks for the share in our Telegram chat @tolgn1907!

From reading the article, it looks like if you ever used your Coinomi seed phrase to recover your wallet, then your funds are at risk. The issue has come about due to Google’s spellchecker API being left active on the recovery phrase box, so if it detected any words being misspelled (underlined in red) then that means the recovery phrase has been sent to their servers.

been sending users’ seed phrases in plain text to third-party servers.

And it was not encrypted at all, so this means anyone who was monitoring the HTTP / HTTPS traffic or anyone at Google could potentially steal funds from Coinomi users.

So I would recommend anyone using Coinomi to move their funds immediately to a wallet created in a different application. For your Ethereum or Ethereum Classic funds, you could take this as a signal to set up Saturn Wallet. :wink:

I know many people used this app due to it being a multi-chain wallet and how easy it is to use on their phone, but better to play it safe and move your funds for now. If anyone has an alternative app to suggest, go ahead!
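
An added example, not part of the original post and not Coinomi's code: a small Node.js check that flags free-text fields which look like they take a recovery phrase but do not set `spellcheck="false"`, the kind of oversight described above. It assumes the recovery box is an HTML text field; the keyword list, field names and sample markup are constructed for illustration.

```javascript
// Added example: audit HTML for secret-entry fields that leave spellcheck on.
// Limitation: spellcheck="false" inherited from a parent element is not seen.
const SENSITIVE = /(seed|mnemonic|recovery|passphrase|private[-_ ]?key)/i;

// Parse the attributes of one opening tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
  const body = tag.replace(/^<\s*[a-z0-9]+/i, "").replace(/\/?>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return findings for text-entry fields that look like they hold a secret
// and do not explicitly set spellcheck="false".
function auditSpellcheck(html) {
  const findings = [];
  const tagRe = /<\s*(input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const type = (attrs.type || "text").toLowerCase();
    // Only free-text fields are audited: <textarea>, <input type=text|search>.
    if (m[1].toLowerCase() === "input" && type !== "text" && type !== "search") continue;
    const label = [attrs.id, attrs.name, attrs.placeholder, attrs["aria-label"]]
      .filter(Boolean).join(" ");
    if (!SENSITIVE.test(label)) continue;
    if ((attrs.spellcheck || "").toLowerCase() !== "false") {
      findings.push({ field: attrs.id || attrs.name || "(unnamed)", spellcheck: attrs.spellcheck ?? "(unset)" });
    }
  }
  return findings;
}

// Constructed sample markup (not taken from any real wallet).
const SAMPLE = `
<form>
  <textarea id="recovery-phrase" placeholder="Enter your 12 words"></textarea>
  <textarea id="seed-restore" spellcheck="false" autocomplete="off"></textarea>
  <input type="password" name="wallet-passphrase">
  <input type="text" name="nickname">
  <input name="mnemonic_word_1" spellcheck="true">
</form>`;
console.log(auditSpellcheck(SAMPLE));
```

A check like this fits in a build or review step for wallet UI code, so a recovery-phrase field never ships with spellchecking enabled.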