Coinomi, a cryptocurrency wallet provider, was using Google’s spellchecker API to check user passwords in plaintext form.
This is a bad practice in terms of cybersecurity as it opens up user’s sensitive personal data to man-in-the-middle attacks during which attackers can get their hands on user logins. This data can be used to empty user’s bank accounts or worse.
The issue was discovered by Warith Al Maawali who came across it as he noticed his bank account being 90% emptier than expected.
As it turns out, Coinomi was doing this without the knowledge of its users. Since their platform is built as a Chrome app, it comes with all sorts of Google-centred features, including the spellchecker mentioned above. Apparently, Coinomi’s developer team did not bother to disable it.
If hackers were to take advantage of this and intercept a user’s passphrase, they’d be granted the necessary access privileges via the restore wallet function.
Although Warith Al Maawali can’t directly prove this is how the hackers emptied his bank account, he is unaware of any other hole in his cybersecurity strategy through which this could have happened. He even went as far as opening a dedicated website where he displays the whole ordeal in great detail. By visiting, you can see video footage of how it all unfolds.
Allegedly, he lost between $60,000 and $70,000 worth of cryptocurrency. At this time, Coinomi has not issued a formal response to the matter.