Australian web application pentester Shubham Shah says he has identified a flaw in the Bitcoin wallet service Coinbase that can be leveraged by cybercriminals to obtain information that can be used in targeted phishing campaigns.
The issue exists because Coinbase allows customers to send unlimited money requests. The expert has found that if he sends a specially crafted request that contains the email address of the targeted individual and the attacker’s cookie in the Cookie HTTP header, he can determine if the address’ owner is a Coinbase customer.
If the email address exists, the attacker gets confirmation along with the victim’s full name.
No sensitive information is exposed, but it can be highly useful for cybercriminals to learn if the owner of a certain email address is a Coinbase user and their complete name.
“The major security flaw, is not just the fact that full names are disclosed, but more so that there is no rate limiting or prevention of API abuse,” Shah explained.
“This means that an attacker/spammer can iterate through hundreds and thousands of emails without being limited, and can potentially pick out the emails which are confirmed to be members of Coinbase.”
To demonstrate his findings, the researcher gathered around 400 unique email addresses associated with Bitcoins (it took him around 30 minutes to do it). He sent them Bitcoin requests and managed to identify which of them belonged to Coinbase users and the owners’ full names.
Shah first reported his findings to Coinbase via the company’s “whitehat” email address on February 28. He sent two other emails and a number of reminders over Twitter, but his notifications were ignored.
That was until March 24 when he posted the details of his findings to Reddit. The next day, someone from Coinbase sent him an email, but they failed to see the issue as a security problem. On March 29, Coinbase joined HackerOne’s bug bounty management platform so Shah submitted another report via HackerOne.
On March 31, he received the final response: Coinbase will not address the issue. On Monday, the expert published a blog post detailing his findings in hopes of convincing the Bitcoin community that this was a security issue worth fixing. Tens of Bitcoin users have already tweeted to Coinbase in an attempt to convince the company to address the problem.
We’ve reached out to Coinbase to see if they can justify their decision to leave this bug unaddressed.
Update. It appears someone is trying to demonstrate that this issue should be taken more seriously by Coinbase. A list of 2,000 names and email addresses has been published to Pastebin, and someone is sending out "Coinbase has been hacked" emails.