Coinbase responds to information disclosure, user enumeration, other concerns

Coinbase responded to a researcher's claims that the Bitcoin exchange is vulnerable.

Coinbase has responded to a researcher's claims that the San Francisco-based Bitcoin exchange is vulnerable to information disclosure and user enumeration, and that it fails to rate-limit the sending of money requests.

After failing to get what he considered an adequate response from Coinbase about bugs he believes could ultimately enable mass, targeted phishing attacks, Shubham Shah, an Australia-based web application pentester, posted his findings to his blog on Monday.

In the post, Shah details how to determine whether an email address belongs to a Coinbase account – known as user enumeration – and additionally shows how to derive an account holder's first and last names, when the user has listed them, as well as how to send a large number of money requests to a single address.

Shah also included a timeline of his email correspondence with Coinbase, noting that he joined Hacker One – which helps run bug bounty programs – at the end of March and submitted his case there for a second review.

In the end, Coinbase said that while Shah's research may warrant consideration in the future, it does not warrant a reward.

A Coinbase spokesperson chatted briefly on background with SCMagazine.com on Tuesday morning, but ultimately referred to a blog post published later in the day by Ryan McGeehan, Coinbase director of security, in which he addresses Shah's three main issues.

With regard to user enumeration, McGeehan said that it is “the norm” these days, citing Facebook, Google and Dropbox as popular websites that behave the same way, as well as payment services including PayPal, Venmo and Square Cash.

As for the use of money requests as spam, McGeehan said it poses a minor risk to users, while acknowledging that it is an inconvenience. He said Coinbase has implemented rate limits on such actions to prevent the behaviour from being exploited at scale.
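To make the two designs at issue concrete (the enumerating lookup Shah described above, and the per-sender rate limit Coinbase says it has put in place), here is an added illustration in Python. It is not Coinbase's code and makes no claim about how Coinbase's endpoints actually behave: the account table, the `MoneyRequestService` class, the reply strings and the 3-per-60-seconds limit are all constructed for the example.

```python
"""Added illustration (not Coinbase's code): an email lookup that enumerates
users versus a money-request handler that answers uniformly and rate-limits
each sender. Everything here is an in-memory stand-in for a web service."""
from collections import deque

# Constructed sample account table, keyed by normalized email address.
ACCOUNTS = {
    "alice@example.com": {"first": "Alice", "last": "Liddell"},
    "bob@example.com": {"first": None, "last": None},  # no name on file
}

UNIFORM_REPLY = "If that address belongs to a registered user, they will receive your request."
RATE_LIMITED_REPLY = "Too many requests; try again later."


def normalize(email: str) -> str:
    """Case-fold and trim so lookups do not depend on how the address was typed."""
    return email.strip().lower()


def lookup_enumerating(email: str) -> dict:
    """The enumerating pattern: the response differs by account existence and
    echoes back whatever name the holder listed, so one probe per address tells
    an attacker who has an account and what to call them in a phishing mail."""
    acct = ACCOUNTS.get(normalize(email))
    if acct is None:
        return {"status": "no_account"}
    name = " ".join(p for p in (acct["first"], acct["last"]) if p)
    return {"status": "ok", "name": name or None}


class SlidingWindowLimiter:
    """Allow at most max_events per key inside any window_seconds span."""

    def __init__(self, max_events: int, window_seconds: float):
        self.max_events = max_events
        self.window = window_seconds
        self._events: dict[str, deque] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


class MoneyRequestService:
    """Hypothetical money-request endpoint with a uniform reply and a per-sender limit.
    `now` is passed explicitly so the behaviour is deterministic; a real service
    would use time.monotonic()."""

    def __init__(self, max_per_window: int, window_seconds: float):
        self.limiter = SlidingWindowLimiter(max_per_window, window_seconds)
        self.delivered: list[tuple[str, str, float]] = []  # (sender, recipient, amount)

    def request(self, sender: str, target_email: str, amount: float, now: float) -> str:
        # Rate-limit first, keyed on the authenticated sender, so the budget is
        # shared across every address the sender tries rather than per target.
        if not self.limiter.allow(sender, now):
            return RATE_LIMITED_REPLY
        target = normalize(target_email)
        if target in ACCOUNTS:
            # Only registered users actually receive anything; the caller cannot
            # tell from the reply which branch ran.
            self.delivered.append((sender, target, amount))
        return UNIFORM_REPLY
```

The uniform reply closes the direct oracle, but note the caveat a reviewer would raise against this example as written: the `if target in ACCOUNTS` branch does more work for real accounts than for unknown ones, so response timing can still leak existence. A hardened version does the same amount of work on both paths (or queues the request asynchronously) and, as here, keys the rate limit on the sender rather than the recipient, since the attack is one sender fanning out across many addresses.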

“For individuals who list a name, our product and Privacy Policy make it explicitly clear that this contact information can be displayed – and in turn, make Coinbase a more human user experience,” McGeehan wrote in response to Shah's information disclosure concerns.

Shah could not be reached for comment by SCMagazine.com. In his blog post, Shah called out to the Bitcoin community for help in pushing Coinbase to address these issues.

In the Coinbase response, McGeehan added that a “leaked” list of emails and usernames – which accounts for less than half a percent of Coinbase's more than one million users – is not the result of a data breach.

“This list of emails was likely sourced from other sites – probably Bitcoin related ones,” McGeehan wrote. “It's clear there was no data breach because no other user information is provided.”
