Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck API via HTTP, in plaintext.
Cryptocurrency wallet caught sending user passwords to Google's spellchecker
[...] "To understand what's going on, I will explain it technically," Al Maawali said. "Coinomi core functionality is built using Java programming language. The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser."
Al Maawali says that just like any other Chromium-based app, it comes integrated with various Google-centered features, such as the automatic spellcheck feature for all user input text boxes.
The issue appears to be that the Coinomi team did not bother to disable this feature in their wallet's UI code, leading to a situation where all their users' passwords are leaking via HTTP during the setup process.
Coinomi's official statement
-- submitted from IRC
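The mechanism in the summary is a UI-configuration defect: a free-text field that holds the passphrase was left with browser spellcheck enabled. As an added example (not code from the article, from Coinomi, or from Chromium), here is a small JavaScript audit that scans form markup for secret-holding fields on which `spellcheck="false"` has not been set, shown against constructed weak and fixed markup; the secret-name heuristic and sample markup are assumptions.

```javascript
// Added example, not Coinomi's code: audit HTML form fields that accept
// secrets (passphrase/seed/password) and flag any on which browser
// spellcheck has not been explicitly disabled. In a Chromium-based UI,
// text typed into a spellcheck-enabled field can be sent to a remote
// spellcheck service, which is the leak the story describes.

// Attribute-name fragments that suggest a field holds a secret (assumed heuristic).
const SECRET_HINT = /pass(word|phrase)?|seed|mnemonic|secret|recovery/i;

// Parse the attributes of one opening tag into a map of lower-cased name -> value.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || '').toLowerCase();
  }
  return attrs;
}

// Return the fields that look like they hold a secret and still allow spellcheck.
function findSpellcheckExposures(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const ident = [attrs.name, attrs.id, attrs.autocomplete].filter(Boolean).join(' ');
    if (!SECRET_HINT.test(ident)) continue;
    // Password-type inputs are not spellchecked by browsers; the leak came
    // from free-text fields, so only those are reported as exposed.
    if (tag === 'input' && attrs.type === 'password') continue;
    if (attrs.spellcheck === 'false') continue;
    findings.push({ tag, field: ident });
  }
  return findings;
}

// Constructed sample markup: the weak setup-screen textarea beside the fixed one.
const WEAK_SETUP_FORM = `
  <textarea name="passphrase" rows="3"></textarea>
  <input type="text" id="wallet-name">`;
const FIXED_SETUP_FORM = `
  <textarea name="passphrase" rows="3" spellcheck="false" autocomplete="off"></textarea>
  <input type="text" id="wallet-name">`;
```

Running `findSpellcheckExposures(WEAK_SETUP_FORM)` reports the passphrase textarea, while the fixed markup produces no findings.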
(Score: 5, Insightful) by hemocyanin on Tuesday March 05 2019, @01:52AM (1 child)
Makes me long for the days of yore when the internet didn't require javascript. Javascript libraries may help people write slick looking websites fast -- what I wouldn't give to visit a site full of blinking side scrolling text, secure in the knowledge that all the code came from that one single place. Instead, websites are now a collage of all the bad players out there looking to profile you.
(Score: 2, Insightful) by Anonymous Coward on Tuesday March 05 2019, @02:05AM
They aren't even slick, they are annoying. I just wanted to use google earth earlier and even that website has gone to shit. It took me like 4 clicks to download it. I am sure AB testing optimized for "time on site" or whatever.