| Title | COINOMI LTD Coinomi <=1.7.6 Cleartext Transmission of Sensitive Information (information dis |
|---|
| Description | The Coinomi Android wallet communicated with its Electrum‑compatible backend over unencrypted TCP, so on app launch it transmitted wallet activity, including the user's full set of Bitcoin addresses, in plaintext. An on‑path attacker (public Wi‑Fi, ISP, compromised router) could passively deanonymize the wallet, track balances and transactions by address, and correlate user activity. Signed transactions were also sent to the backend unencrypted, so an active on‑path attacker could observe, delay or suppress a broadcast; because a signed Bitcoin transaction cannot be modified without invalidating its signature, and replaying it only re‑announces the same transaction, no loss of funds has been demonstrated, and the scoring below treats integrity as unaffected.
Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Justification:
AV:N – network; the backend connection crosses untrusted networks.
AC:L – no additional attack complexity once the precondition holds.
AT:P (Attack Requirements: Present) – the attacker needs an on‑path position; CVSS v4.0 models this as an attack requirement rather than as complexity.
PR:N, UI:N – no privileges and no user interaction: the data is sent automatically on app launch.
VC:H – high confidentiality impact to the vulnerable system (full wallet address set and transaction activity exposed).
VI:N, VA:N – no demonstrated integrity or availability impact; SC:N/SI:N/SA:N – no subsequent system impact. |
|---|
| Source | https://web.archive.org/web/20171013065745/https://github.com/Coinomi/coinomi-android/issues/213 |
|---|
| User | lukechilds (UID 88472) |
|---|
| Submission | 09/13/2025 17:32 |
|---|
| Moderation | 09/21/2025 11:08 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 325143 [Coinomi up to 1.7.6 cleartext transmission] |
|---|
| Points | 20 |
|---|
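To make the exposure concrete, here is an added Python example (not Coinomi's code, and not taken from the linked issue) that parses a constructed capture of a plaintext Electrum JSON‑RPC client stream the way a passive on‑path observer would, pulling out every Bitcoin address and raw transaction it carries, and contrasts it with a TLS record that yields nothing. It also checks Electrum's `host:port:t` (plaintext) versus `host:port:s` (TLS) server‑string convention and shows the hardened client side that refuses the plaintext transport. The client name and message order in the capture are assumptions rather than Coinomi's actual handshake, the addresses are well‑known public example addresses, and the raw transaction hex is a placeholder.

```python
import json
import re
import socket
import ssl
from typing import Dict, List

# Constructed capture: what a passive observer sees on the wire when an Electrum
# protocol client talks to its backend over plaintext TCP (one JSON object per
# line). The client name and message order are assumptions; the addresses are
# well-known public example addresses and the tx hex is a placeholder.
CAPTURED_CLIENT_STREAM = b"\n".join([
    b'{"id":1,"method":"server.version","params":["example-wallet","1.1"]}',
    b'{"id":2,"method":"blockchain.address.subscribe","params":["1BoatSLRHtKNngkdXEeobR76b53LETtpyT"]}',
    b'{"id":3,"method":"blockchain.address.subscribe","params":["3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"]}',
    b'{"id":4,"method":"blockchain.address.get_history","params":["bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"]}',
    b'{"id":5,"method":"blockchain.transaction.broadcast","params":["0200000001deadbeef00"]}',
]) + b"\n"

# Constructed TLS record header (handshake, TLS 1.2 framing) standing in for the
# same session over an encrypted transport: nothing below can be parsed from it.
CAPTURED_TLS_STREAM = b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(32)

# Base58 P2PKH/P2SH (prefix 1 or 3) or lowercase bech32 (prefix bc1) mainnet addresses.
ADDRESS_RE = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})$"
)


def parse_electrum_stream(payload: bytes) -> List[dict]:
    """Split a captured TCP payload into Electrum JSON-RPC messages.

    Lines that are not JSON are skipped instead of raising, because a real
    capture may begin mid-stream or contain a partial trailing line.
    """
    messages = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            messages.append(json.loads(line))
        except ValueError:
            continue
    return [m for m in messages if isinstance(m, dict)]


def passive_wallet_profile(payload: bytes) -> Dict[str, object]:
    """What an on-path observer learns from one cleartext Electrum client session.

    Every string parameter that looks like a Bitcoin address is collected,
    regardless of method, so the observer needs no knowledge of the wallet's
    query pattern; raw transactions handed to the server are collected too.
    """
    addresses = set()
    broadcasts = []
    for msg in parse_electrum_stream(payload):
        params = msg.get("params", [])
        if not isinstance(params, list):
            continue
        addresses.update(p for p in params if isinstance(p, str) and ADDRESS_RE.match(p))
        if msg.get("method") == "blockchain.transaction.broadcast" and params:
            broadcasts.append(params[0])
    return {
        "addresses": sorted(addresses),
        "broadcast_txs": broadcasts,
        # True means the stream was readable Electrum traffic: the cleartext case.
        "readable": bool(addresses or broadcasts),
    }


def electrum_server_is_encrypted(server: str) -> bool:
    """Check an Electrum-style "host:port:proto" server string.

    Electrum clients encode the transport as a trailing letter: "t" is plaintext
    TCP (the exposure described in the entry), "s" is TLS. A missing or unknown
    protocol is reported as not encrypted so callers fail closed.
    """
    parts = server.rsplit(":", 2)
    return len(parts) == 3 and parts[2].lower() == "s"


def open_electrum_socket(server: str, timeout: float = 10.0) -> socket.socket:
    """Hardened client side: refuse the plaintext transport, wrap "s" in TLS.

    Not exercised offline. Caveat: many public Electrum servers present
    self-signed certificates; Electrum itself pins the certificate on first
    use, so a deployment would substitute a pinning check for the default
    CA-verifying context used here.
    """
    if not electrum_server_is_encrypted(server):
        raise ValueError(f"refusing plaintext Electrum transport: {server}")
    host, port, _proto = server.rsplit(":", 2)
    raw = socket.create_connection((host, int(port)), timeout=timeout)
    return ssl.create_default_context().wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    profile = passive_wallet_profile(CAPTURED_CLIENT_STREAM)
    print("addresses recovered from cleartext:", profile["addresses"])
    print("signed transactions seen:", profile["broadcast_txs"])
    print("TLS stream readable:", passive_wallet_profile(CAPTURED_TLS_STREAM)["readable"])
```

The address extractor deliberately ignores the RPC method names: once the transport is plaintext, the observer only needs the address format, not the wallet's query pattern, which is why the confidentiality impact is scored high while a TLS transport (the `:s` server form) leaves the same session opaque.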