Coinomi - Disclosure, Denial, and Destructive PR

Coinomi - Disclosure, Denial, and Destructive PR

TL;DR

Coinomi doesn’t use SSL for their communication from their Android app to their backend servers. When you open the app, all of your wallet’s addresses are sent in plain text across the internet. Luke Childs noticed and pointed out the glaring security/privacy issue politely via GitHub. Coinomi refused to admit it was a problem. Twitter, Reddit, and GitHub hilarity ensued.

Screenshots

Coinomi appear to be in disaster recovery mode and are deleting public comments. Don’t worry though, Luke and I expected this, so we took screenshots of everything and made snapshots of the GitHub issue on the Wayback Machine , so you can see what was deleted so far and if they delete anything in the future. This post used to have lots of screenshots in it but it killed my average page load time so I manually transcribed everything and put all of the screenshots here instead.

Disclosure Timelines

All times in GMT

  • 16 September 2017 @ 19:30: Luke posts the issue on Coinomi’s Android repo with the title “Use SSL for Electrum nodes” (later changed by Luke to include “Security Vulnerability: “.:
    • Great work on Coinomi! Looking at the source it would appear your app is powered by Electrum servers. Connecting to these servers shows they are unencrypted without SSL:
      $ telnet vtc-cce-1.coinomi.net 5028
      Trying 46.4.85.241…
      Connected to socrates.coinomi.net.
      Escape character is ‘^]’.
      { “id”: 0, “method”: “server.version” }
      {“jsonrpc”: “2.0”, “id”: 0, “result”: “ElectrumX 1.0.14”}
      Does this mean your Android app is making all Electrum requests in plain text?

  • 18 September 2017 @ 10:27: After not hearing anything for over 24 hours, Luke directly tags Coinomi’s CEO and CTO in the GitHub issue (this generally sends a notification, but that can be disabled):
    • @erasmospunk @GeorgeKimionis Are you able to comment on this? Coinomi looks great, but I’m reluctant to use it if this is the case.

  • 25 September 2017 @ 20:48: After still not hearing anything, Luke reaches out to Coinomi on Twitter.
    • Luke Childs: @CoinomiWallet Any comment on this? {link to GitHub issue}

  • 26 September @ 16:24: After waiting for 11 days with no response from Coinomi, Luke posted on Reddit to warn the general public that Coinomi is not using SSL to communicate from the Android application to their backend servers. That is, communication with the server is being sent in plain text.

  • 27 September @ 00:17: I post Luke’s Reddit thread on Twitter, again warning the general public that Coinomi wallets are insecure.

Coinomi Respond - Hilarity Ensues

  • Rather than admit they made a mistake, thank Luke, and fix the problem, Coinomi go on the offensive. My response to their handling of the issue started out like “wat”, moved to “they can’t be serious”, and settled at “this is insane - they’re committing PR suicide”. The following conversations were all posted publicly on Twitter:
  • Let’s start with the wat:
    • Me: @CoinomiWallet - Any comment? @lukechilds reached out a week ago and nothing. Also some open source license concerns. Wanna chat?
      Coinomi: We have hundreds of thousands of users reaching out to us, we are unable to respond to every single request right away, esp complex issues.

  • Then we move swiftly onto “they can’t be serious…”:
    • Coinomi: There isn’t ANY security concern regarding this issue, the title is misleading
      Luke: Security: noun. The state of being free from danger or threat.
      Your user’s addresses are being leaked. I see that as a violation of both.
      Coinomi: No user wallet has ever been hacked or otherwise compromised since 2014 when v1 came out and we have hundreds of thousands of active users
      Luke: The issue is address leakage. And all electrum communication being in plain text.
      Coinomi: The issue is that you spread FUD without even waiting for an answer by our team. And there’s no excuse for that.
      Luke: I waited for 11 days. All you had to do was respond and say you were working on a fix.
      Coinomi: Also apologizing wouldn’t hurt. Not to us but to all users that have now turned to inferior and insecure alternatives because of your FUD.
      Luke: Do these insecure alternatives also use plain text?
      Luke: Look, this discussion isn’t going anywhere. Maybe you should put less focus on blaming me for your fuck up and more focus on rolling out SSL.
      Coinomi: For our “fuck up”. What a sham. Really.

    • Separate chain:

    • Coinomi: Such overstatements don’t put pressure on us, they only make users abandon this great wallet because they believe this FUD. Keep it up.
      Luke: I created the issue under the gentle title of “Use SSL for Electrum nodes” over 11 days ago not to cause panic.
      Luke: I waited for 11 days of you ignoring me before I publicly released the full implications of my findings. You had plenty of time to setup SSL.
      Coinomi: The world doesn’t revolve around you, nor is this a personal issue, although you clearly made it one.
      Luke: I’m not quite sure what you mean. I have no personal issue with you. I actually really liked Coinomi, as I mentioned in my original GH cmnt

    • Separate chain
    • Luke: Instead of ignoring the issue lke you have for the last week. Or pretending it doesn’t exist like u are now I went public. Why not fix it?
      Luke: ElectrumX supports SSL out of the box for goodness sake. I’m starting to think you have an allergy to SSL certificates.

  • If you thought this was bad enough already, it gets worse. Coinomi say publicly that it’s not bad privacy to leak your wallet addresses:
    • Coinomi: That’s kinda hard. It’s not bad privacy, this particular issue can be improved but that’s all, it never posed any security threat whatsoever
      Luke: If broadcasting all of your addresses over the internet in plain text isn’t bad privacy then what is?

  • They try to distract from the issue by saying it’s not all of their wallets that have this issue… just 87+. To quote Luke, “They weren’t even saying the ETH wallets didn’t have the issue, just that they weren’t running on ElectrumX on the backend. It was just a snarky remark that had nothing to do with the issue whatsover.”:
    • Luke: Your backend servers are ElectrumX, they are open. And they don’t even need a fix, they support SSL already, you just need to enable it.
      Coinomi: So our $ETH back-end servers run on ElectrumX?
      Luke: No, just the 87 other coins you support listed here: {github link}
      Luke: well, probs more than that seeing as your GitHub source is like a year out of date

  • Then they went full retard. This is the “they’re committing PR suicide phase”. They implied that Luke is “hating” and that he is a “shill”. Luke is super entrenched in the OSS world, doing the majority of his work for free. He’s the least shilly person I know. Luke’s response is great:
    • Coinomi: If nobody hates you it’s probably because u aren’t doing anything great. Dear shills, thanks for giving us the strength to keep on rocking!
      Luke: I don’t hate you, I just want you to use SSL

  • And soon enough the public caught on to what Coinomi was doing after I posted a screenshot of the initial disclosure on Twitter. I originally had 35 comments from the general public on Reddit/Twitter shown in 14 screenshots, but the images killed this page’s load time. You can still view the reactions in the screenshots directory here.
  • At some point along the way, I realised that Coinomi are based out of the UK, and had flashbacks to my data breach training at corporations whilst working there. I’m not 100% on this (I Am Not A Lawyer - IANAL), but I’m pretty sure in the UK that you have 24 hours from realising there’s been a security breach to report it to the UK’s ICO (Information Commissioner’s Office). Again, IANAL, but I think they might have refused to acknowledge this as a security concern for liability reasons. What adds evidence to this is that both myself and Luke were quite prompty blocked after this tweet:
    • Me: I believe this is what the UK refers to as a data breach, and you’re deliberately avoiding acknowledging it for liability reasons?

There are more hilarious comments from both sides, but I’ll leave it at that because it provides more than enough context/background to continue. Let’s move on to why all of this matters from 3 perspectives: security/privacy, legal, and general corporate behaviour/image.

Security and Privacy Concerns

Cryptocurrency users have the right to keep their public addresses private. Due to the lack of SSL, all of your Coinomi wallet addresses are broadcast in plain text whenever you so much as open Coinomi on your phone. You can get around this by using a VPN, but you shouldn’t have to in the first place - the functionality needed to keep things private and secure is already integrated into the open source software that Coinomi is using on their backend servers. They literally just need to create a certificate and wire up the config settings. That they haven’t just done that is shocking! Any competent sysadmin/devops could have this resolved in under an hour. Again, the time and cost to fix this is infinitesimally small. As you can clearly see from the screenshots above, the people have spoken on this one - whether Coinomi want to admit it or not, this is a huge privacy and security concern for their users.

Legal Concerns

Disclaimer: I am not a lawyer. This is just my interpretation of things. Happy to edit if anything is wrong/misleading:

In the UK, when data has been leaked and it’s your company’s fault, you have to report it to the ICO (Information Commissioner’s Office). You generally have about 24 hours to report from the moment you realize that a “data breach” occurred. If Coinomi refuses to acknowledge the leak, they might be able to skirt around this law. Publicly admitting that data has been leaked would be quite a liability for them. I think this could be the reason that they acted so strangely about everything. Data protection laws in the UK are quite strict, and if you run afoul of them you end up in a whole heap of legal issues. Again, I’m not a lawyer, but I can’t think of anything else to explain their bizarre reaction to their community trying to make their platform more secure.

It’s worth noting that the ICO states SSL configuration issues are frequent in their data breach investigations. It is listed as one of the eight important areas of computer security that commonly arise during investigations.

Corporate Behaviour Concerns

The Tweets speak for themselves. This is not how a responsible corporation deals with a security concern or treats their users generally. The Tweets they came out with came across to me and many others as extremely childish, which is not the attitude I want in a company that creates software that literally holds my money. Coinomi really need to clean up how they do deal with the public. The people that do it for them now are clearly not well trained enough for the job. They also have no way that I know of to report security vulnerabilities, which is a bit concerning considering the type of software they make.

As of writing (29 September 2017), Coinomi still haven’t admitted that this is a problem and have provided no ETA regarding when it will be fixed.

Open Source Concerns

Coinomi market themselves as an open-source wallet, but they are clearly not. The title of their site literally says Coinomi is an open-source wallet, but their Android source code hasn’t been updated in months (although newer versions of the app have been released on the Google Play Store). UPDATE: A week or two after this article was originally posted, Coinomi removed the open source claims from their marketing.

Even more worrying is their attitude towards OSS as a whole, as this quote from their CEO on GitHub shows (no emphasis added):

George Kimionis: We do what we have to do to protect our users and our brand. Coinomi is a free wallet and its source code is open for everyone to review, but if you’re asking us to allow just about anyone to create malicious clones of our wallet and steal users’ funds and give up all rights to go after these scammers and their works then no, it’s not going to happen. On top of that, I would strongly recommend you to be very careful when making unsubstantiated accusations in public such as that Coinomi Wallet “is no longer free” and that it wwas governed by a “fishy” license, as these could imply direct defamation of our firm.

This is not how open source works, and the ratio of thumbs down to thumbs up shows that nobody was buying it (8x more thumbs down). Coinomi also use open-source software to support their platform, and they may be running afoul of these products’ licenses. I’ve not had time to properly dig into this, as the main issue I have is with Coinomi’s handling of the SSL incident, but perhaps an open-source buff can take over the investigation on this front and see what else Coinomi have managed to make a mess out of? If you uncover anything and don’t have the time to write about it, feel free to pass the information over and I’ll make sure you get full credit for everything I publish about it (or not if you want to remain anonymous).

A Personal Note About Luke

Luke is one of the biggest OSS buffs I know. Just check out his GitHub, it speaks for itself. For example here’s his PR to add RFC-compliant caching to an OSS project that gets 8 million downloads per month. These are not small, insignificant things he’s doing. He genuinely cares about OSS projects, and often fixes issues in projects himself, but in this instance he couldn’t because Coinomi’s code isn’t open source. He cares not only about the code he writes, but also the community that uses that code as a whole. That is why he responsibly reported this issue to Coinomi, and is also why we later pushed the issue after getting no response. There has to be people like Luke out there checking that things are actually done securely and follow best practices. Luke should be thanked for that by Coinomi and the community as a whole. We need more people like Luke. He spends the vast majority of his time working for free. He didn’t ask for me to put this in here, but I think we should all show him our support in order to encourage this behaviour in others and to thank him for bringing this to our attention. Here’s one of his public Bitcoin addresses: 1FT2kF87rWxn2mvQViW14BvuXFb1MSyRAR. When I asked him for it, he literally said, “oh… I didn’t even think of that.” That’s who Luke is.

Although the majority of Luke’s time is spent on open-source projects, he does occasionally do freelance work so he can buy food and pay his rent. If you’re interested, you can contact him here for work requests: lukechilds123 {at} gmail com.

Contact Me / Follow Luke

Luke uncovered this and did all the real work, so let’s put him first. If you like what he did and want to show your support, feel free to follow him on Twitter.

Like the post? Follow me on Twitter to hear about when I post more stuff. Do you disagree with any of my sentiments? I’m always willing to listen to counterarguments. Feel free to either Tweet me publicly or DM me privately.


Jonathan Sterling

Written by

In March 2017, I quit my job as a software engineer and began travelling around the world. This unmonetized, open-source blog exists to document my journey, share my thoughts, and let my friends and family know that I'm not dead.

Updated