Vulnerability in Coinomi, Devs Retaliate
Update: the issue has been resolved, as SSL has now been implemented. Hopefully, anyone worried about their addresses leaking can return to Coinomi (perhaps transfer out any coins, then create a new wallet, and transfer back in). We wish Coinomi a good future as long as they remain professional.
We put Coinomi to the test and found that connections to the back-end servers are secured with SSL.— coinomi (@CoinomiWallet) October 4, 2017
- Coinomi, a wallet for many cryptocurrencies (including Bitcoin), has been found to have a vulnerability.
- They have responded harshly to the person attempting to help them improve their service.
On 16 September, Luke Childs went to Coinomi's GitHub to alert them to an issue: Coinomi was connecting to ElectrumX servers in plain text (i.e. without SSL encryption). Over a week later there was still no response, so Childs went to Twitter in the hope of getting one.
The following day, Childs alerted Redditors to the vulnerability in the r/Bitcoin subreddit:
This brought the issue to more people's attention; someone tweeted about it and got a generic response. At first, Coinomi replied that they receive many requests every day, so it was difficult for them to respond to all of them, especially the complex ones.
Coinomi finally responded to the vulnerability, stating, "There isn't ANY security concern regarding this issue, the title is misleading".
There isn't ANY security concern regarding this issue, the title is misleading— coinomi (@CoinomiWallet) September 27, 2017
Following this, Childs further explained why it is a security issue, but was met only with Coinomi saying that it is FUD (fear, uncertainty, doubt) intended to make users abandon its wallet:
Security: noun. The state of being free from danger or threat.— Luke Childs (@lukechilds) September 27, 2017
Your users' addresses are being leaked. I see that as a violation of both.
I created the issue under the gentle title "Use SSL for Electrum nodes" over 11 days ago to not cause panic.— Luke Childs (@lukechilds) September 27, 2017
Following this, Childs explains that he had created the issue on GitHub under a low-key title precisely to avoid causing panic.
It is common practice, when a vulnerability is found, to give the company time to resolve the issue before going public with it. For example, Google's Threat Analysis gives companies 10 days before releasing the issue to the public. However, even though Childs acted similarly, Coinomi attacked him further and said he was spreading FUD.
And you ought to have waited for it to get answered, just like everyone else; instead you went on reddit, twitter, everywhere and spread FUD— coinomi (@CoinomiWallet) September 27, 2017
Since ElectrumX servers (used by 87+ coins) support SSL by default, enabling it should have been a quick and easy fix within those 11 days. Instead, in a tweet posted at the same time as the incident, they implied that Childs was a shill and a hater, to which Childs responded:
I don’t hate you, I just want you to use SSL
For further proof that Childs doesn’t hate Coinomi:
I'm not quite sure what you mean, I have no personal issue with you. I actually really liked Coinomi, as I mentioned in my original GH cmnt— Luke Childs (@lukechilds) September 27, 2017
As someone who "really likes" Coinomi, it is obvious that he simply wanted to see it improved and made more secure through the use of SSL, not to spread FUD or hate, or to shill for anyone. Luke Childs never told anyone to use a different wallet, nor did he say not to use Coinomi, so it seems as if they are personally attacking Childs.
What does this mean for Coinomi Users?
This meant that the addresses in your Coinomi wallet were sent over the network in plain text. While this certainly doesn't mean your wallet could be hacked, since your private keys are never sent over the network, it creates the potential for a replay attack:
Although it is unlikely that someone on your network would carry out this attack, it is possible, especially on public networks (e.g. cafés, hotels).
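To make the technical point concrete, here is an added example (my own illustration, not Coinomi's code or anything from its repository) of what an Electrum-protocol client sends to an ElectrumX server, what a passive observer on the network can read when that connection is plain text, and how the same connection is wrapped in TLS with certificate and hostname checks. The sample address is constructed, the hostname is a placeholder, and the port numbers are assumptions: ElectrumX conventionally listens on 50001 (plain TCP) and 50002 (TLS), but operators can change them.

```python
import json
import socket
import ssl

# ElectrumX's conventional ports: plain TCP on 50001, TLS on 50002.
# Assumed defaults for this example; server operators may configure others.
PLAINTEXT_PORT = 50001
TLS_PORT = 50002

# Constructed sample address for the demo (not a real, funded address).
SAMPLE_ADDRESS = "1ConstructedSampleAddr4DemoXyz"


def build_request(method, params, request_id=1):
    """Serialise one Electrum JSON-RPC request; the protocol is newline-delimited."""
    msg = {"id": request_id, "method": method, "params": params}
    return (json.dumps(msg) + "\n").encode("utf-8")


def balance_query_bytes(address):
    """The bytes a wallet sends to ask for an address balance.
    'blockchain.address.get_balance' is the 2017-era Electrum method
    (newer protocol versions query by script hash instead)."""
    return build_request("blockchain.address.get_balance", [address])


def observer_sees_address(wire_bytes, address):
    """On a plain-text connection anyone on the path (a Wi-Fi hotspot, an ISP)
    reads these bytes as-is; this is what 'addresses leaking' means."""
    return address.encode("utf-8") in wire_bytes


def make_tls_context(cafile=None):
    """TLS context that requires a server certificate and checks the hostname.
    'cafile' may point at a pinned ElectrumX certificate: many servers are
    self-signed, so the public CA store alone will often reject them."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_verifying(ctx):
    """True only if the context will refuse an unauthenticated server."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def connect(host, use_tls=True, cafile=None, timeout=10):
    """Open a connection to an ElectrumX server, TLS unless explicitly disabled.
    (Makes a real network connection; 'host' is a placeholder in this example.)"""
    port = TLS_PORT if use_tls else PLAINTEXT_PORT
    raw = socket.create_connection((host, port), timeout=timeout)
    if not use_tls:
        return raw  # plain text: everything, addresses included, is readable in transit
    return make_tls_context(cafile).wrap_socket(raw, server_hostname=host)


def get_balance(host, address, use_tls=True, cafile=None):
    """Send one balance query and return the parsed JSON-RPC response."""
    sock = connect(host, use_tls=use_tls, cafile=cafile)
    try:
        sock.sendall(balance_query_bytes(address))
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return json.loads(buf.decode("utf-8"))
    finally:
        sock.close()


if __name__ == "__main__":
    # Offline part: show exactly what crosses the wire without TLS.
    wire = balance_query_bytes(SAMPLE_ADDRESS)
    print("plain-text request on the wire:", wire)
    print("address readable by a passive observer:", observer_sees_address(wire, SAMPLE_ADDRESS))
    print("TLS context verifies the server:", context_is_verifying(make_tls_context()))
```

Only the checks under `if __name__ == "__main__"` run without a server; `get_balance` makes a real connection and, with the default context, will reject the self-signed certificates many ElectrumX operators use unless that certificate is passed as `cafile`, a trust-on-first-use approach similar to what the desktop Electrum client does. The point for users is the one the article makes: on the plain-text port the address is in the request verbatim, and a wallet that wants to stop the leak needs both the TLS port and a context that actually verifies who it is talking to.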
While they haven't recognised it as a security or privacy issue, they have stated that "It's an enhancement that was scheduled to go live soon anyway":
That's not a vulnerability, though. It's an enhancement that was scheduled to go live soon anyway. OP spread FUD on purpose to gain attention— coinomi (@CoinomiWallet) September 28, 2017
So for now, users should exercise caution when using Coinomi until SSL is implemented, at which point it will be more secure. Coinomi boasts hundreds of thousands of active users without a single one having been hacked, and it is still a good option as a wallet (particularly for multi-coin use). Just be cautious about sending from unknown networks until the SSL encryption is in place.
Let me know what you think in the comments below.
Is Coinomi in the right? Are you boycotting Coinomi over their unprofessionalism? What wallet(s) do you recommend using?