Coinbase has responded to a researcher's claims that the San Francisco-based Bitcoin exchange is vulnerable to information disclosure and user enumeration, and lacks rate limiting on money requests.
After failing to get an adequate response from Coinbase regarding what he thinks are significant bugs that can ultimately enable mass, targeted phishing attacks, Shubham Shah, an Australia-based web application pentester, posted his findings to his blog on Monday.
In the post, Shah details how to figure out if someone has a Coinbase account by just using their email address – known as user enumeration – and additionally shows how to derive a user's first and last names, when available, as well as send a large number of money requests.
Shah also included a timeline and the details of various email correspondences with Coinbase, as well as when he joined HackerOne – which helps run bug bounty programs – at the end of March and submitted his case for a second review.
In the end, Coinbase said that while Shah's research may warrant consideration in the future, it does not warrant a reward.
A Coinbase spokesperson chatted briefly on background with SCMagazine.com on Tuesday morning, but ultimately referred to a blog post published later in the day by Ryan McGeehan, Coinbase director of security, in which he addresses Shah's three main issues.
With regard to user enumeration, McGeehan said that it is “the norm” these days, citing Facebook, Google and Dropbox as examples of popular websites that are capable of the same thing, as well as payment services websites, including PayPal, Venmo and Square Cash.
As for spam money requests, McGeehan said that they pose a minor risk to users, but acknowledged that they are also an inconvenience. He said that Coinbase has implemented rate limits on those types of actions in order to prevent that kind of activity from being exploited on a large scale.
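The two issues above – an endpoint whose reply reveals whether an email address belongs to an account (and, when it does, the holder's name), and money requests that could be fired off in bulk – are easiest to reason about side by side. The following is an added, self-contained Python example written for this article; it is not Coinbase's code and none of it is taken from Shah's or McGeehan's posts. The user store, email addresses, response shapes and the limit of five requests per sixty seconds are all constructed for illustration. It shows a lookup that acts as an enumeration oracle next to one that returns the same response regardless of account existence, a black-box check a defender can run to detect the difference, and a sliding-window rate limiter of the kind that blunts bulk money requests.

```python
"""Constructed example: user-enumeration oracle vs. uniform response,
plus a per-sender rate limit on money requests.
Hypothetical accounts and limits; not Coinbase's implementation."""
import time
from collections import deque

# Constructed user store keyed by email address (hypothetical accounts).
USERS = {
    "alice@example.com": {"first": "Alice", "last": "Liddell"},
    "bob@example.com": {"first": "Bob", "last": ""},
}


def lookup_leaky(email: str) -> dict:
    """Enumeration oracle: the reply differs for registered and
    unregistered addresses, and discloses the holder's name when present."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "error": "no account for this email"}
    return {"status": 200, "first_name": user["first"], "last_name": user["last"]}


def lookup_uniform(email: str) -> dict:
    """Hardened: identical reply whether or not the address is registered.
    Any real action (sending the request, mailing the holder) happens
    out of band, so the caller learns nothing from the HTTP response."""
    # Side effect would run here only if USERS has the address;
    # the reply below is returned in both cases.
    return {"status": 202, "message": "If this address is registered, the request has been sent."}


def responses_distinguishable(lookup) -> bool:
    """Black-box check a defender can run against their own endpoint:
    does a known-registered address produce a different reply from an
    address that is known not to exist?"""
    return lookup("alice@example.com") != lookup("nobody@example.com")


class MoneyRequestLimiter:
    """Sliding-window limit: at most max_requests per sender per window.
    The clock is injectable so behaviour can be tested deterministically."""

    def __init__(self, max_requests: int, window_seconds: float, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._events: dict[str, deque] = {}

    def allow(self, sender: str) -> bool:
        now = self.clock()
        events = self._events.setdefault(sender, deque())
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.max_requests:
            return False
        events.append(now)
        return True


def send_money_requests(limiter: MoneyRequestLimiter, sender: str, recipients) -> tuple:
    """Attempt one money request per recipient; return (accepted, throttled)."""
    accepted = throttled = 0
    for _ in recipients:
        if limiter.allow(sender):
            accepted += 1
        else:
            throttled += 1
    return accepted, throttled


if __name__ == "__main__":
    print("leaky endpoint distinguishable:", responses_distinguishable(lookup_leaky))
    print("uniform endpoint distinguishable:", responses_distinguishable(lookup_uniform))
    limiter = MoneyRequestLimiter(max_requests=5, window_seconds=60)
    targets = [f"user{i}@example.com" for i in range(20)]
    print("burst of 20 requests (accepted, throttled):",
          send_money_requests(limiter, "attacker@example.com", targets))
```

The `responses_distinguishable` check is the useful part for a defender: run against a staging copy of any "does this email exist" style endpoint (signup, password reset, money request), a `True` result means the endpoint can be used to confirm account existence. The limiter's injectable clock lets the throttle be exercised in a unit test without sleeping.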
Shah could not be reached for comment by SCMagazine.com. In his blog post, Shah called out to the Bitcoin community for help in pushing Coinbase to address these issues.
In the Coinbase response, McGeehan added that a “leaked” list of emails and usernames – which accounts for less than a half of a percent of Coinbase's more than a million users – is not the result of a data breach.
“This list of emails was likely sourced from other sites – probably Bitcoin related ones,” McGeehan wrote. “It's clear there was no data breach because no other user information is provided.”