Editor’s Note: Coinbase has defended themselves here.
Coinbase is all over Reddit today. Several people reported receiving e-mails from the Bitcoin enterprise, asking them to make a payment to another user. On top of that, a list was released containing information of many Coinbase users. At first, most people thought this was an April fools joke, but eventually, most became worried Coinbase was hacked. With recent events in mind, who could blame them? While the true reason is not that drastic, there still is a security issue.
Unlimited money requests
The problem first came to light at the end of February. A user called Shubham Shah came across a bug in the Coinbase system.
“I often come across security issues that have been introduced “by design” and in many cases, developers of web applications refuse to fix these design flaws.”
The issue at hand here is an option for Coinbase users to send unlimited money requests to each other. When making such a request, users can determine whether the person they are contacting is a member of Coinbase. If he or she is, first and last name of that user can be easily extracted.
Not that impressive? What if I told you there is no limit on these messages or no prevention of API abuse. This means that an attacker or spammer can iterate through hundreds of thousands of e-mails without being limited. After that, the e-mails that belong to verified Coinbase members can be targeted with phishing attempts.
“Before you get the impression that this isn’t a security flaw in itself, please let me explain.
Phishers can use this flaw for serious harm. I believe it is a security issue on Coinbase, which will merely assist mass, targeted phishing.”
It’s remarkably easy to obtain this data, Shubham wrote a full blog post about this where he shows the world how it is done. Obviously, many people will not agree with making this information widely available. After several failed attempts to contact Coinbase about this, Shubham decided this was the only way to get their attention. One could also argue that people behind phishing scams or hacking attempts are usually a step ahead of these things. Rest assured, the blog post holds nothing new for them.
To illustrate the problem even further, Shubham decided to perform such a phishing scam himself. No better way to convince somebody of a problem then by showing it to them, right?
After gathering 400 e-mail addresses that were distinctively associated with Bitcoins, he performed a test to see which of them was tied to a real Coinbase account and extracted first and last name of all owners. It took him about half an hour to gather these 400 addresses.
After that, it was easy to initiate a money transfer request to these accounts by abusing the Coinbase API. It did not take long before people started worrying.
Receiving such a mail from someone you know and presumably trust makes it less scary, but imagine when these things get mass-mailed by someone unknown? Like Shubham noted, this could harm Coinbase’s credibility.
No fix incoming
After a month of attempting to get in touch with Coinbase, Shubham finally received an answer yesterday.
“Thanks for your submission, Shubham. We are not considering account existence bugs to be high enough severity for our scope. This behavior is mostly informational to an attacker and does not directly increase risk in any significant way. We may consider updating this behavior in the future.
We’ve spent a good amount of time investigating this behavior and we believe that the risks are incredibly minor. It is an important component in providing a positive user experience in any application. This stance is not unusual on the web: you’ll find that user enumeration is possible on Facebook, Google, and nearly every other major internet site. In Coinbase’s example, it’s absolutely critical that we’re able to notify our users when they attempt to request bitcoins from an invalid email address.”
It is true that user enumeration is possible on most major social media websites. At Coinbase, however, there is a lot of money present. A more careful approach could be necessary to earn customers’ trust. Shubham did good by making this public. The more people are informed, the less they will fall for a well-thought phishing attempt.