Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck API via HTTP, in plaintext.
Cryptocurrency wallet caught sending user passwords to Google's spellchecker
[...] "To understand what's going on, I will explain it technically," Al Maawali said. "Coinomi core functionality is built using Java programming language. The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser."
Al Maawali says that just like any other Chromium-based app, it comes integrated with various Google-centered features, such as the automatic spellcheck feature for all user input text boxes.
The issue appears to be that the Coinomi team did not bother to disable this feature in their wallet's UI code, leading to a situation where all their users' passwords are leaking via HTTP during the setup process.
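The leak described above, as an added example that is not Coinomi's or the article's code: a Node.js audit that scans wallet-UI markup for secret-bearing text fields an embedded Chromium browser would still hand to its spellcheck service, with a hardened form beside the weak one. The field-name heuristic and both sample forms are constructed for this example.

```javascript
// Added example, not Coinomi's code: find secret-bearing inputs in UI markup
// that an embedded Chromium browser would pass to its spellcheck service.
// Heuristic (assumption): a field counts as sensitive when its name, id or
// placeholder mentions a passphrase, password, seed, mnemonic or private key.
const SENSITIVE = /pass(word|phrase)|seed|mnemonic|secret|private[-_ ]?key/i;
// Constructed sample: the weak form leaves the passphrase textarea and the
// plain-text password field spellcheck-able; the hardened form does not.
const WEAK_FORM = `
  <input type="text" name="label" placeholder="Wallet name">
  <textarea name="passphrase" placeholder="Enter your passphrase"></textarea>
  <input type="text" id="wallet-password">`;
const HARDENED_FORM = `
  <input type="text" name="label" placeholder="Wallet name">
  <textarea name="passphrase" spellcheck="false" autocomplete="off"></textarea>
  <input type="password" id="wallet-password" spellcheck="false" autocomplete="off">`;

// Parse the attributes of a single <input ...> or <textarea ...> start tag.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[a-zA-Z][\w-]*/, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per sensitive field that is neither type="password"
// (browsers do not spellcheck those) nor explicitly marked spellcheck="false".
function auditSpellcheckLeaks(html) {
  const findings = [];
  const tagRe = /<\s*(input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    if (!SENSITIVE.test(`${a.name || ''} ${a.id || ''} ${a.placeholder || ''}`)) continue;
    const isPassword = m[1].toLowerCase() === 'input' &&
      (a.type || 'text').toLowerCase() === 'password';
    const spellcheckOff = (a.spellcheck || '').toLowerCase() === 'false';
    if (!isPassword && !spellcheckOff) {
      findings.push({ field: a.name || a.id, fix: 'add spellcheck="false" or use type="password"' });
    }
  }
  return findings;
}
```

A multi-word recovery passphrase usually lives in a textarea rather than a type="password" input, so it needs spellcheck="false" set explicitly; calling auditSpellcheckLeaks(WEAK_FORM) lists the two leaking fields and the hardened form yields none.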
Coinomi's official statement
-- submitted from IRC
(Score: 5, Insightful) by The Mighty Buzzard on Tuesday March 05 2019, @01:34AM (2 children)
And this is why you do not hire kids right out of college to program anything important without experienced supervision. They will fuck up badly on crucial bits because they just do not know any better yet.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Tuesday March 05 2019, @05:50PM (1 child)
Rather, this is why you do not use a full-featured web browser to manage locally-private data.
(Score: 2) by The Mighty Buzzard on Wednesday March 06 2019, @12:37PM
Also not bad advice, yes.
My rights don't end where your fear begins.