No, Google didn’t steal Warith Al Maawali’s coins. In its Medium blog post, Coinomi denied his allegations, questioning the claim that a single spell check made Maawali lose all his life savings. Maawali, who immediately wanted the company to return his supposedly lost funds, never proved the authenticity of his claims.
Google didn’t steal anything
In his Reddit post, Maawali implies that Google employees could be behind the hack. His seed phrase was remotely sent to the company’s servers after a spell check request. However, according to Coinomi, the passphrase was sent in the form of an encrypted HTTPS request, which wasn’t processed, cached or stored. Indeed, only Google had the opportunity to read the seed phrase, but the badly formed requests were rejected.
The report is called into question
The vulnerability was fixed by the jxBrowser plug-in team on Feb. 21 when the Coinomi team was contacted by Maawali. After the alleged ‘hack’, Maawali immediately demanded his 17 BTC back while threatening to make things public, which he eventually did on Feb. 26. Given that there is no way to prove the authenticity of Maawali’s claims, he might never have lost his assets in the first place.
Coinomi emphasizes that their users are safe, but encourages everyone to update their desktop client to the latest version. They also remind users that their desktop wallet has never been hacked.