posted by mrpg on Tuesday March 05 2019, @12:30AM
from the we-need-a-new-category-for-these dept.

Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck API via HTTP, in plaintext.

Cryptocurrency wallet caught sending user passwords to Google's spellchecker

[...] "To understand what's going on, I will explain it technically," Al Maawali said. "Coinomi core functionality is built using Java programming language. The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google's open-source project) based browser."

Al Maawali says that just like any other Chromium-based app, it comes integrated with various Google-centered features, such as the automatic spellcheck feature for all user input text boxes.

The issue appears to be that the Coinomi team did not bother to disable this feature in their wallet's UI code, leading to a situation where all their users' passwords are leaking via HTTP during the setup process.

Coinomi's official statement

-- submitted from IRC
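The mechanism the summary describes, shown as an added example rather than Coinomi's own code: a small audit that scans a wallet UI's HTML for the fields an embedded Chromium would hand to its spellchecker, run over a constructed "vulnerable" restore form and a hardened version of the same form. The markup, the field names and the rule set it applies (textarea, text-like input and contenteditable elements are spellchecked unless they or an ancestor carry spellcheck="false"; type="password" fields never are) are assumptions made for illustration, not details taken from the article.

```javascript
// Added example, not Coinomi's code. Assumed rule set (approximates Chromium
// defaults): <textarea>, text-like <input>, and contenteditable elements are
// spellchecked unless they or an ancestor carry spellcheck="false";
// <input type="password"> is never spellchecked.
const SPELLCHECKED_INPUT_TYPES = new Set(["text", "search", "url", "email", "tel"]);
const VOID_TAGS = new Set(["input", "br", "hr", "img", "meta", "link"]);

// Parse the attribute string of one tag into a lower-cased {name: value} map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").toLowerCase();
  }
  return attrs;
}

// spellcheck="" and spellcheck="true" both enable; only "false" disables.
function spellcheckEnabled(attrs, inherited) {
  return "spellcheck" in attrs ? attrs.spellcheck !== "false" : inherited;
}

// Return the id (or name, or tag) of every field whose contents would be
// handed to the spellchecker, honouring spellcheck="false" on ancestors.
function auditSpellcheck(html) {
  const leaks = [];
  const stack = [];      // inherited state saved for each open element
  let inherited = true;  // browser default: spellcheck on
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, name, rawAttrs] = m;
    const tag = name.toLowerCase();
    if (closing) {
      if (stack.length) inherited = stack.pop();
      continue;
    }
    const attrs = parseAttrs(rawAttrs);
    const enabled = spellcheckEnabled(attrs, inherited);
    const label = attrs.id || attrs.name || tag;
    if (tag === "input") {
      const type = attrs.type || "text";
      if (enabled && SPELLCHECKED_INPUT_TYPES.has(type)) leaks.push(label);
    } else if (tag === "textarea" ||
               ("contenteditable" in attrs && attrs.contenteditable !== "false")) {
      if (enabled) leaks.push(label);
    }
    if (!VOID_TAGS.has(tag)) {
      stack.push(inherited);
      inherited = enabled;
    }
  }
  return leaks;
}

// Constructed sample: a restore form of the kind the article describes, then a
// hardened version. Field names are invented for the example.
const VULNERABLE_UI = `
<form id="restore">
  <label>Recovery phrase</label>
  <textarea id="seed" name="seed"></textarea>
  <label>Wallet password</label>
  <input type="text" id="pass" name="pass">
  <button type="submit">Restore</button>
</form>`;

const HARDENED_UI = `
<form id="restore" spellcheck="false" autocomplete="off">
  <label>Recovery phrase</label>
  <textarea id="seed" name="seed"></textarea>
  <label>Wallet password</label>
  <input type="password" id="pass" name="pass">
  <button type="submit">Restore</button>
</form>`;

console.log("vulnerable:", auditSpellcheck(VULNERABLE_UI)); // [ 'seed', 'pass' ]
console.log("hardened:  ", auditSpellcheck(HARDENED_UI));   // []
```

Per-field attributes are defence in depth, not the whole fix: an application that embeds a browser to collect secrets should also turn the spellcheck service off at the browser-settings level so that nothing leaves the host regardless of what the markup says, and a markup audit like this one cannot see the transport, so the setup flow should additionally be exercised behind a proxy or packet capture to confirm that no field contents go out over HTTP.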


  • (Score: 1, Funny) by Anonymous Coward on Tuesday March 05 2019, @01:10AM (1 child)

    by Anonymous Coward on Tuesday March 05 2019, @01:10AM (#810073)

    There is nothing more secure than Javascript, unless it is Javascript coded by a Muslim.

    • (Score: 2) by RS3 on Tuesday March 05 2019, @01:39AM

      by RS3 (6367) on Tuesday March 05 2019, @01:39AM (#810080)

      It's not the way-overused javascript; rather it's the browser interpreting the script and doing the code's evil bidding. Idiots design in browser features without thinking about ramifications.

  • (Score: 2) by MichaelDavidCrawford on Tuesday March 05 2019, @01:19AM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Tuesday March 05 2019, @01:19AM (#810076) Homepage Journal

    You say that like it’s a bad thing.

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 5, Insightful) by The Mighty Buzzard on Tuesday March 05 2019, @01:34AM (2 children)

    And this is why you do not hire kids right out of college to program anything important without experienced supervision. They will fuck up badly on crucial bits because they just do not know any better yet.

    --
    My rights don't end where your fear begins.
  • (Score: 2, Insightful) by Anonymous Coward on Tuesday March 05 2019, @01:36AM (7 children)

    by Anonymous Coward on Tuesday March 05 2019, @01:36AM (#810079)

    There is no security in web apps, but most of us do banking and other financial transactions, even the taxes, over the web.

    Yeah, baby, we live dangerously.

    • (Score: 2) by hemocyanin on Tuesday March 05 2019, @01:46AM (1 child)

      by hemocyanin (186) on Tuesday March 05 2019, @01:46AM (#810083) Journal

      I have purposely not jumped through the hoops my bank requires to enable internet management of my checking account. I even chose to not take the debit card I could get for it. I like the internet. I use it all the time. I just don't trust it at all.

      • (Score: 4, Informative) by The Mighty Buzzard on Tuesday March 05 2019, @04:36AM

        Smart man. I've been writing billing software since the 90s and will never, ever, under any circumstances, I really mean it, put anything but an anonymous, prepaid card across the Internet. I know exactly how hard it is to get precisely right and I have a good idea how many truly shitty programmers there are out there.

        --
        My rights don't end where your fear begins.
    • (Score: 1, Insightful) by Anonymous Coward on Tuesday March 05 2019, @01:56AM (4 children)

      by Anonymous Coward on Tuesday March 05 2019, @01:56AM (#810086)

      Those transactions have a paper trail, can be verified, traced, cancelled. You can go to court to debate them.

      Crypto is like cash; it would be like mailing cash via USPS and then being upset that the mail was stolen. Compared to that, our current banking network is perfectly safe. If a bank or its app is broken into, it's not you who pays, it's the bank.

      When you handle crypto currency, you deal with a big distributed robot. It does not listen to complaints, its decisions are final. You lost the banking password? No problem, you can easily restore it. You lost the wallet password? Say goodbye to your money. You sent the BTC to a wrong address? Say goodbye to your money. The exchange owners ran away with the funds? Say goodbye to your money. There are just too many ways to be fleeced in the brave new crypto world. No need to venture there.

      • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @02:02AM (2 children)

        by Anonymous Coward on Tuesday March 05 2019, @02:02AM (#810087)

        If a bank or its app is broken into, it's not you who pays, it's the bank.

        There is NO chargeback limit in the US for any bank transfer. I hope any tx you have a problem with are for more than a lawyer would cost you. The bank will take your money any chance they get.

        When you handle crypto currency, you deal with a big distributed robot. It does not listen to complaints, its decisions are final.

        Yes, it is totally transparent. No advantage to the rich and people who figured out the loopholes.

        • (Score: 2) by vux984 on Tuesday March 05 2019, @06:30AM (1 child)

          by vux984 (5045) on Tuesday March 05 2019, @06:30AM (#810155)

          I've gotten fees refunded plenty of times. I've had fraudulent credit card charges removed without hassle several times now.
          I lost my physical wallet once in my life. I actually got it back. But the cash was missing.

          "The bank will take your money any chance they get."

          And even with that being the truth, you are far more likely to get it back when dealing with them than when dealing in cash or crypto. So if you think banks will rip you off without batting an eye, you should be running screaming from crypto operators.

          • (Score: 2, Informative) by Anonymous Coward on Tuesday March 05 2019, @07:16AM

            by Anonymous Coward on Tuesday March 05 2019, @07:16AM (#810164)

            Legally there is a major difference between a credit card and a debit card.
            If someone makes false debit card charges they have stolen money from the card-holder, and the bank will either go "um, yeah, that was easy to get back, here's your money, minus fees" OR "sorry, can't get that back, too bad, here's some fees for trying".
            If someone makes false credit-card charges, they have stolen from the bank. The bank will simply rip the money back out of the account they paid it into and say "Tough luck merchant, you got defrauded. Here's some fees to make up for our trouble."

      • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @02:06AM

        by Anonymous Coward on Tuesday March 05 2019, @02:06AM (#810091)

        Those transactions have a paper trail, can be verified, traced, cancelled. You can go to court to debate them.

        If you are Warren Buffett, maybe. If you are a joe schmoe, good luck fighting banks and CRBs.

  • (Score: 5, Funny) by SomeGuy on Tuesday March 05 2019, @01:43AM (1 child)

    by SomeGuy (5632) on Tuesday March 05 2019, @01:43AM (#810082)

    Spimple soluituion is to not use sprell checkiewrs!

    • (Score: 2) by DannyB on Tuesday March 05 2019, @02:07AM

      by DannyB (5839) Subscriber Badge on Tuesday March 05 2019, @02:07AM (#810092) Journal

      Better solution, send the passwords to a grammar checker instead of spell checker.

      --
      Why is it so difficult to break a heroine addiction?
  • (Score: 5, Insightful) by hemocyanin on Tuesday March 05 2019, @01:52AM (1 child)

    by hemocyanin (186) on Tuesday March 05 2019, @01:52AM (#810085) Journal

    Makes me long for the days of yore when the internet didn't require javascript. Javascript libraries may help people write slick looking websites fast -- what I wouldn't give to visit a site full of blinking side scrolling text, secure in the knowledge that all the code came from that one single place. Instead, websites are now a collage of all the bad players out there looking to profile you.

    • (Score: 2, Insightful) by Anonymous Coward on Tuesday March 05 2019, @02:05AM

      by Anonymous Coward on Tuesday March 05 2019, @02:05AM (#810089)

      They aren't even slick, they are annoying. I just wanted to use google earth earlier and even that website has gone to shit. It took me like 4 clicks to download it. I am sure AB testing optimized for "time on site" or whatever.

  • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @02:23AM (1 child)

    by Anonymous Coward on Tuesday March 05 2019, @02:23AM (#810103)

    WTF, they use Java but feel the need to bundle a browser with the JVM. Swing can be made to look good and feel more responsive than a JS UI in a browser. Those dudes are first-class app makers....

    • (Score: 2) by Nerdfest on Tuesday March 05 2019, @02:53AM

      by Nerdfest (80) on Tuesday March 05 2019, @02:53AM (#810108)

      It's a lot more work doing a UI in Swing.

  • (Score: 4, Insightful) by datapharmer on Tuesday March 05 2019, @02:55AM (8 children)

    by datapharmer (2702) on Tuesday March 05 2019, @02:55AM (#810109)

    What I don’t get is why is a Google project using http for this? These are the same people that insist on marking every website on the internet “not secure” and lowering its search rank because it doesn’t use ssl (even when there is nothing confidential and nothing to login to and ssl just uses resources needlessly) and they are sending full keylogged data over http? Really?

    • (Score: 5, Insightful) by SomeGuy on Tuesday March 05 2019, @03:21AM (6 children)

      by SomeGuy (5632) on Tuesday March 05 2019, @03:21AM (#810113)

      Am I the only one who is bothered by them sending test BACK TO GOOGLE AT ALL? Never mind the HTTPS shit, this data has no business leaving your PC or mobile toy AT ALL! Spell checkers have been a solved problem for a long time. New words? Sure, update occasionally, but don't send everything I type back to big brother Google.

      • (Score: 3, Insightful) by SomeGuy on Tuesday March 05 2019, @03:32AM

        by SomeGuy (5632) on Tuesday March 05 2019, @03:32AM (#810114)

        Arag. Text, not test. But that reminds me, grammar checkers are also a solved problem that don't require transmitting every keystroke. Obviously, my thing-a-majig needs one.

      • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @03:45AM (1 child)

        by Anonymous Coward on Tuesday March 05 2019, @03:45AM (#810118)

        Why does a password need a spellcheck? To change it from what the user entered?

        • (Score: 2) by Nuke on Tuesday March 05 2019, @10:01AM

          by Nuke (3162) on Tuesday March 05 2019, @10:01AM (#810195)

          Why does a password need a spellcheck?

          Someone suggested that it was to check that it is not an English word, and if it was it would warn that it is a weak password. In other words, a pass would be a failure.

      • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday March 05 2019, @04:40AM

        Some idiot who didn't know what he was doing undoubtedly used the same boilerplate for every text entry area.

        --
        My rights don't end where your fear begins.
      • (Score: 3, Informative) by acid andy on Tuesday March 05 2019, @04:43PM

        by acid andy (1683) on Tuesday March 05 2019, @04:43PM (#810299) Homepage Journal

        It's beyond awful. A spelling dictionary with every word in modern use in the English language is only going to be a few megabytes at most. There are nothing but downsides to the user to have it phoning home to look those words up. I hate what's happened to technology in this regard.

        --
        error count exceeds 100; stopping compilation
      • (Score: 2) by acid andy on Tuesday March 05 2019, @04:47PM

        by acid andy (1683) on Tuesday March 05 2019, @04:47PM (#810301) Homepage Journal

        Even speech recognition ought to be done locally. We have the CPU speed and storage now. This is why spybots like Alexa and Siri leave me seriously underwhelmed (not to mention horrified).

        --
        error count exceeds 100; stopping compilation
    • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @06:39AM

      by Anonymous Coward on Tuesday March 05 2019, @06:39AM (#810156)

      Nothing? I hope you like 0-day exploits and MitMs in general your ISP can provide you free of charge armed with a gag order.

  • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @03:52AM

    by Anonymous Coward on Tuesday March 05 2019, @03:52AM (#810127)

    They needed a little box for the user to type a password in. To implement this they decided to throw an entire web browser at it. Classic.

  • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @07:06AM

    by Anonymous Coward on Tuesday March 05 2019, @07:06AM (#810162)

    Forget blockchains and cowbells!

  • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @01:19PM

    by Anonymous Coward on Tuesday March 05 2019, @01:19PM (#810226)

    Google is building a massive honeypot. Its purpose is not to trap hackers, but to collect "accidental" information leaks. Thanks though for the incredibly nice 8.8.8.8 DNS server Google. I'm sure you're not going to collect any data with that service.

  • (Score: 3, Insightful) by AssCork on Tuesday March 05 2019, @06:51PM

    by AssCork (6255) on Tuesday March 05 2019, @06:51PM (#810361) Journal

    So when someone asks me what I have against other Developers, I can show them this.

    Because this travesty is worse than the worst war-crime.

    Not because it involves cryptocurrency.

    Not because it involves passwords-in-the-clear.

    But because it made it to version 1.13 before this bug was found!

    --
    Just popped-out of a tight spot. Came out mostly clean, too.