Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck API via HTTP, in plaintext.
Cryptocurrency wallet caught sending user passwords to Google's spellchecker
[...] "To understand what's going on, I will explain it technically," Al Maawali said. "Coinomi core functionality is built using Java programming language. The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser."
Al Maawali says that just like any other Chromium-based app, it comes integrated with various Google-centered features, such as the automatic spellcheck feature for all user input text boxes.
The issue appears to be that the Coinomi team did not bother to disable this feature in their wallet's UI code, leading to a situation where all their users' passwords are leaking via HTTP during the setup process.
Coinomi's official statement
-- submitted from IRC
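The excerpt attributes the leak to spellcheck being left enabled on the wallet's text boxes; the HTML `spellcheck` attribute is the per-field switch for that. The following added example (not code from the article, the researcher, or Coinomi) audits UI markup for passphrase-like fields that do not set `spellcheck="false"`; the field-name hints and the sample form are constructed assumptions.

```javascript
// Added example: flag secret-bearing fields that do not switch spellcheck off.
// SECRET_HINT and the sample form are constructed, not Coinomi's identifiers.
const SECRET_HINT = /pass(word|phrase)|seed|mnemonic|recovery/i;

// Parse the attribute part of one start tag into a map keyed by lower-cased name.
function parseAttrs(attrSource) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrSource)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Strict policy (an assumption of this example): every field whose id, name or
// placeholder looks like a secret must carry spellcheck="false" itself.
// Inheritance from ancestors is ignored; values containing ">" are not handled.
function findLeakyFields(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    const label = [attrs.id, attrs.name, attrs.placeholder].filter(Boolean).join(" ");
    if (!SECRET_HINT.test(label)) continue;
    const value = (attrs.spellcheck ?? "").toLowerCase();
    if (value === "false") continue;
    findings.push({
      tag: m[1].toLowerCase(),
      field: attrs.id || attrs.name || "(unnamed)",
      spellcheck: "spellcheck" in attrs ? value : "(unset)",
    });
  }
  return findings;
}

// Constructed sample markup for a wallet-restore form.
const SAMPLE_HTML = `
<form id="restore-wallet">
  <textarea id="seed-phrase" placeholder="Enter your recovery phrase"></textarea>
  <input type="text" name="wallet_password" spellcheck="true">
  <textarea id="mnemonic-confirm" spellcheck="false"></textarea>
  <input type="text" name="wallet_label">
</form>`;

console.log(findLeakyFields(SAMPLE_HTML));
```

A check like this fits a build or review step for embedded-browser UIs, where the rendering engine's defaults apply unless the markup overrides them.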
(Score: 1, Insightful) by Anonymous Coward on Tuesday March 05 2019, @01:56AM (4 children)
Those transactions have a paper trail, can be verified, traced, cancelled. You can go to court to debate them.
Crypto is like cash; it would be like mailing cash via USPS and then being upset that the mail was stolen. Compared to that, our current banking network is perfectly safe. If a bank or its app is broken into, it's not you who pays, it's the bank.
When you handle cryptocurrency, you deal with a big distributed robot. It does not listen to complaints; its decisions are final. You lost the banking password? No problem, you can easily restore it. You lost the wallet password? Say goodbye to your money. You sent the BTC to a wrong address? Say goodbye to your money. The exchange owners ran away with the funds? Say goodbye to your money. There are just too many ways to be fleeced in the brave new crypto world. No need to venture there.
(Score: 0) by Anonymous Coward on Tuesday March 05 2019, @02:02AM (2 children)
There is NO chargeback limit in the US for any bank transfer. I hope any tx you have a problem with are for more than a lawyer would cost you. The bank will take your money any chance they get.
Yes, it is totally transparent. No advantage to the rich and people who figured out the loopholes.
(Score: 2) by vux984 on Tuesday March 05 2019, @06:30AM (1 child)
I've gotten fees refunded plenty of times. I've had fraudulent credit card charges removed without hassle several times now.
I lost my physical wallet once in my life. I actually got it back. But the cash was missing.
"The bank will take your money any chance they get."
And even with that being the truth, you are far more likely to get it back when dealing with them than when dealing in cash or crypto. So if you think banks will rip you off without batting an eye, you should be running screaming from crypto operators.
(Score: 2, Informative) by Anonymous Coward on Tuesday March 05 2019, @07:16AM
Legally there is a major difference between a credit card and a debit card.
If someone makes false debit card charges they have stolen money from the card-holder, and the bank will either go "um, yeah, that was easy to get back, here's your money, minus fees" OR "sorry, can't get that back, too bad, here's some fees for trying".
If someone makes false credit-card charges, they have stolen from the bank. The bank will simply rip the money back out of the account they paid it into and say "Tough luck merchant, you got defrauded. Here's some fees to make up for our trouble."
(Score: 0) by Anonymous Coward on Tuesday March 05 2019, @02:06AM
If you are Warren Buffett, maybe. If you are a Joe Schmoe, good luck fighting banks and CRBs.