There's another bug where you can substitute Coinbase's iframe with your own when you use the Coinbase button. This iframe can ask for a username / password, and there's no way for the user to distinguish the fake iframe from the real one. They're also not into replying to emails on their whitehat@ address.
<i>"Initially, Coinbase ignored me. My succession of emails to their official "whitehat@coinbase.com" domain were ignored until I posted that they weren't replying on reddit"</i><p>Deja vu, man.
Meh, this is an extremely poor bug report despite the super-serious introductory tone. The "proof of concept" makes no sense. Quoting:<p><i>1. Scrape email addresses from bitcoin related websites, and organise them into a large list.</i><p>This has nothing to do with Coinbase.<p><i>2. Test for emails which are actual Coinbase accounts, and extract their First and Last names, associated to the emails.</i><p>Ok...<p><i>3. All sorts of panic happens.</i><p>Huh? How?<p>To prove "panic" he then leaps to a screenshot someone posted to Twitter of a money request email he generated. However,<p>a) It's not clear whether this was sent via the Coinbase money request feature or whether it was spoofed (or why it would even need to be spoofed).<p>b) It doesn't even show usage of a first name or last name to "assist" in the spoofing, which was the whole point of the bug report.<p>So it remains to be demonstrated how the exposure of first name/last name could be exploited to significantly assist phishing, especially when weighed against the other design tradeoffs -- like accidentally irreversibly sending money to the wrong person.<p>The lack of responsiveness to the whitehat email is the bigger problem here, but now that they've joined HackerOne perhaps that will improve.
Olaf from Coinbase here.<p>Ryan McGeehan of our security team has posted an official response at the bottom of this page:<p><a href="https://hackerone.com/reports/5200" rel="nofollow">https://hackerone.com/reports/5200</a>
I received a phishing email from the author. I guess he must have scraped my email address from a blog post I wrote about bitcoin and Coinbase.<p>While I am glad he has made attempts to contact Coinbase, I felt like live execution of the attack was spammy, so my first instinct was to block the domain of the sender's email, which Coinbase passes through to me. In executing his proof of concept, the author is likely badly ruining his spam score / sender score.
This is obviously a serious issue. One way to mitigate it is to use email addresses that have specific purposes.<p>firstinitiallastname@gmail.com is my "public" email address that is used for friends and what not.<p>genericemail@gmail.com is the email address I use for many retail sites.<p>I then have an email address dedicated to each commonly used site (Amazon, Coinbase, etc).<p>I also have Google two-factor authentication turned on for each email.
Apparently these names and email addresses have been gathered:<p><a href="http://pastebin.com/RzWipJFb" rel="nofollow">http://pastebin.com/RzWipJFb</a><p>Source:<p><a href="http://www.reddit.com/r/Bitcoin/comments/21wx59/coinbase_emails_and_names_leaked/" rel="nofollow">http://www.reddit.com/r/Bitcoin/comments/21wx59/coinbase_ema...</a>
On the screenshot of Humayun Khan's tweet it says "Click here to create an account". Does this mean that every email address that isn't signed up with Coinbase yet will also get an email?
An ever so slight mitigation of this is that Coinbase uses SPF, but they use SPF with a fairly open list (just phish via Amazon SES, Mailgun, etc.). So phishing mail has some chance of getting marked down as spam by recipients if you make it appear to be from coinbase.com.<p>I'd probably go all-out and send from coinbasemail.com though.
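The "open SPF list" point above is worth seeing concretely. The following is an added example, not code from the original thread or from Coinbase: a small SPF parser plus a subset evaluator (ip4/ip6, include, all) run over constructed records. The domain "example-exchange.test" and every record and address below are assumptions for illustration; Coinbase's real TXT record is not on this page. It shows that once a policy carries `include:` for a shared ESP, any other tenant of that provider produces an SPF pass for the domain, so SPF alone does not stop the phish described here.

```python
import ipaddress

# Constructed SPF records for the example. "example-exchange.test" stands in
# for any sender that includes shared ESPs; these are NOT Coinbase's records.
SPF_RECORDS = {
    "example-exchange.test": "v=spf1 ip4:203.0.113.0/24 include:amazonses.com include:mailgun.org ~all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "mailgun.org": "v=spf1 ip4:192.0.2.0/24 ~all",
}

# Providers where any tenant can send mail: an include: of one of these
# authorizes every other customer of that provider to pass SPF for your domain.
SHARED_SENDERS = {"amazonses.com", "mailgun.org", "sendgrid.net", "_spf.google.com"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def shared_includes(domain, records=SPF_RECORDS):
    """List include: targets that are shared ESPs, i.e. the open part of the policy."""
    return [arg for _q, name, arg in parse_spf(records[domain])
            if name == "include" and arg.lower() in SHARED_SENDERS]


def spf_check(domain, ip, records=SPF_RECORDS, depth=0):
    """Minimal SPF evaluation: ip4/ip6, include and all (a subset of RFC 7208).

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:
        return "permerror"          # RFC 7208 caps DNS-querying terms at 10
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            # membership is False when address and network versions differ
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the included domain yields "pass"
            matched = spf_check(arg, ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, redirect= are out of scope for this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


if __name__ == "__main__":
    print("shared includes:", shared_includes("example-exchange.test"))
    # An attacker renting an SES address in the included range gets a pass.
    print("SES tenant:", spf_check("example-exchange.test", "198.51.100.7"))
    print("random host:", spf_check("example-exchange.test", "10.0.0.1"))
```

Running it lists both shared includes, and an address inside the included SES range evaluates to pass for example-exchange.test even though it was never the domain owner's own infrastructure. A softfail for everything else means a receiver will at most mark the mail down, which matches the "some chance of getting marked as spam" assessment above; whether it gets rejected is a DMARC question, not an SPF one.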
Divulging a name when presented with an email address is pretty bad and I'm not sure why it would be necessary.<p>Just confirming that an email address is in the system is fairly minor.
As someone who studies human nature I'd like to ask this question of the OP and anyone else who cares to answer. I'd seriously like to know this.<p>Why do people spend extensive time [1] documenting security flaws like this [2], going to the trouble of informing the company, and then, if that doesn't work, taking more time to write up a blog post to get the info out?<p>What do they gain by doing so exactly? Is this a play for internet notoriety? Or a way to gain attention that results in future fame that leads to something later?<p>Or, is it as simple as it just makes them feel good (like "hey why do you play poker") or is it that they believe they are making the world a better place?<p>[1] Because this took considerable time.<p>[2] Yes I know the OP indicates he is an "Information Security Enthusiast".
I am curious why Coinbase is not rate-limiting that API call (as a temp fix) or addressing this yet (even privately).<p>Granted it is not a critical flaw, but is having no limits over time really necessary for Coinbase API users?
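What the "temp fix" rate limit suggested above would look like in practice, as an added example that is not code from the thread or from Coinbase: a per-API-key token bucket placed in front of a hypothetical email-to-name lookup. The endpoint shape, the `DIRECTORY` data, the API key names and the limits (20-request burst, then one lookup every 10 seconds) are all assumptions chosen for illustration. The limiter only slows enumeration of a scraped list; it does not remove the disclosure itself.

```python
import math

# Constructed lookup table standing in for the real email -> name endpoint.
DIRECTORY = {
    "user0@example.org": "Ada Constructed",
    "user1@example.org": "Bob Constructed",
    "user7@example.org": "Cy Constructed",
}


class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, refilled at `rate` tokens/sec."""

    def __init__(self, capacity, rate):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def seconds_until_token(self):
        """Whole seconds a caller must wait before one more request is allowed."""
        return max(0, math.ceil((1.0 - self.tokens) / self.rate))


class LookupRateLimiter:
    """One bucket per API key, so one scraper cannot consume another client's quota."""

    def __init__(self, capacity=20, rate=0.1):
        self.capacity, self.rate = capacity, rate
        self.buckets = {}

    def allow(self, api_key, now):
        bucket = self.buckets.get(api_key)
        if bucket is None:
            bucket = self.buckets[api_key] = TokenBucket(self.capacity, self.rate)
        return bucket.allow(now)

    def retry_after(self, api_key):
        return self.buckets[api_key].seconds_until_token()


def lookup_name(limiter, api_key, email, now):
    """Hypothetical handler: the rate check happens before any data is touched."""
    if not limiter.allow(api_key, now):
        return {"error": "rate_limited", "retry_after": limiter.retry_after(api_key)}
    name = DIRECTORY.get(email.lower())
    if name is None:
        return {"error": "not_found"}
    return {"email": email, "name": name}


def simulate_enumeration(total=100, interval=0.1, api_key="scraper-key"):
    """One key probing `total` scraped addresses `interval` seconds apart.

    Returns (allowed, rejected) counts for the probing key.
    """
    limiter = LookupRateLimiter(capacity=20, rate=0.1)
    allowed = rejected = 0
    for i in range(total):
        response = lookup_name(limiter, api_key, f"user{i}@example.org", now=i * interval)
        if response.get("error") == "rate_limited":
            rejected += 1
        else:
            allowed += 1
    return allowed, rejected


if __name__ == "__main__":
    print("allowed, rejected:", simulate_enumeration())
```

With those numbers a 100-address probe at ten lookups per second gets 20 answers and 80 rate_limited responses, and the sustained rate caps a single key at 360 lookups an hour instead of an unbounded scrape of a list like the one posted to pastebin. Keying the bucket by API key rather than by source IP matters because a scraper can rotate addresses far more cheaply than it can obtain new credentials.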
I don't know if it's related or not, but their website is running horribly slow right now. Took me about five minutes to initiate a buy order, as most clicks were non-responsive or took ages to load.