Coinbase Explains Why User Enumeration Bug Does Not Pose a Security Risk

The company has implemented some measures to discourage spammers

By on April 2nd, 2014 08:06 GMT

On Monday, Australian security expert Shubham Shah revealed the existence of a Coinbase bug that could be leveraged by cybercriminals for targeted phishing attacks. The Bitcoin wallet service still thinks the issue doesn’t pose a security risk, but the company has taken some steps to limit potential attacks.

Shah has found that due to the fact that unlimited money requests can be sent by Coinbase users, an attacker could send specially crafted requests that could enable him/her to determine if a certain email address belongs to a Coinbase customer. If the address does belong to a user, their name is returned in the response.

The expert has made an experiment with 400 unique email addresses associated with Bitcoin users.

Coinbase representatives have clarified why they don’t think that this is a security issue. First of all, sending invoices to an arbitrary number of email addresses is a feature, not a bug.

“Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API, which is rate limited,” Coinbase representatives noted.

They added, “This process simply sends an email with a request. It does not initiate any bitcoin transfer without confirmation from the recipient, and would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing.”

Furthermore, the company highlights that user enumeration is possible on numerous high-profile websites, including Google, Facebook, Dropbox and even payment services like PayPal.

As far as the disclosure of names is concerned, Coinbase points to its Privacy Policy, which clearly states that the contact information will be shared. On the other hand, the company doesn’t require users to share their name when registering an account.

Shortly after Shah published his findings, someone leaked a list of 2,000 Coinbase email addresses and user names.

“This list (the size of which is less than one half of one percent of Coinbase users) was not the result of a data breach at Coinbase. This list of emails was likely sourced from other sites - probably Bitcoin related ones. It’s clear there was no data breach because no other user information is provided,” Coinbase explained.

While it doesn’t believe that these issues pose a significant risk to customers, Coinbase has already started implementing some measures to discourage spammers.

“For example, we employ rate limits around sensitive actions, such as requesting money, to prevent them from being abused at scale. We’re fine tuning this existing rate limiting to make it more restrictive,” the wallet service’s representatives explained.

Comments