Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Tuesday March 05 2019, @12:30AM   Printer-friendly
from the we-need-a-new-category-for-these dept.

Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck API via HTTP, in plaintext.

Cryptocurrency wallet caught sending user passwords to Google's spellchecker

[...] "To understand what's going on, I will explain it technically," Al Maawali said. "Coinomi core functionality is built using Java programming language. The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser."

Al Maawali says that just like any other Chromium-based app, it comes integrated with various Google-centered features, such as the automatic spellcheck feature for all user input text boxes.

The issue appears to be that the Coinomi team did not bother to disable this feature in their wallet's UI code, leading to a situation where all their users' passwords are leaking via HTTP during the setup process.

Coinomi's official statement

-- submitted from IRC


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @03:52AM

    by Anonymous Coward on Tuesday March 05 2019, @03:52AM (#810127)

    They needed a little box for the user to type a password in. To implement this they decided to throw an entire web browser at it. Classic.