Phishing at the Coinbase: a bug or a feature?
A Coinbase user with the pseudonym “shubh” has published a post on his blog describing what he calls a “major security flaw”. After reddit exploded with comments and reposts, the developers made an official statement on the issue, insisting that this is a feature rather than a flaw.
Spam tactics
The original problem that shubh’s report covers is that the service allows generation of an unlimited number of money request emails, which, combined with email address/user enumeration on Coinbase, leads to the disclosure of Coinbase account data. According to the activist, however, the root of all evil is the lack of any limit on the aforementioned requests. This gives perpetrators an edge by allowing them to check hundreds of thousands of email addresses for association with Coinbase accounts.
While this may not have disastrous consequences, shubh believes that phishers can cause serious harm if they get their hands on this kind of exploit. I will not go into technical details; you can find more about that in the original blog post.
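The two weaknesses the report describes, no cap on money requests and a response that reveals whether an address belongs to an account, are both addressable on the server side. The following is an added example (not Coinbase’s code, nor shubh’s) of a toy “request money by email” service that applies a per-sender sliding-window limit and returns an identical response regardless of whether the recipient is registered, plus a log-review function that flags senders who hit many distinct recipients in a short window, which is what an enumeration run looks like from the defender’s side. The registered addresses, the sender names and the event log are constructed sample data.

```python
import time
from collections import defaultdict, deque

# Constructed sample of registered accounts (hypothetical; not real user data).
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}


class MoneyRequestService:
    """Toy model of a 'request money by email' endpoint with two defenses:
    1. a sliding-window cap on requests per sending account, and
    2. a uniform response whether or not the recipient is registered, so the
       endpoint cannot be used as an account-existence oracle."""

    def __init__(self, max_requests, window_seconds, clock=time.time):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock                      # injectable for deterministic tests
        self._history = defaultdict(deque)      # sender -> timestamps in window
        self.outbox = []                        # (sender, recipient) actually sent

    def _allowed(self, sender):
        """Drop timestamps older than the window; admit if under the cap."""
        now = self.clock()
        recent = self._history[sender]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True

    def request_money(self, sender, recipient_email):
        if not self._allowed(sender):
            return {"status": "rate_limited"}
        # Delivery only happens for registered addresses, but the caller sees
        # the same payload either way, so nothing about account existence leaks.
        if recipient_email in REGISTERED_EMAILS:
            self.outbox.append((sender, recipient_email))
        return {"status": "accepted"}


def suspicious_senders(events, window_seconds, distinct_threshold):
    """Flag senders that hit more than distinct_threshold distinct recipients
    inside any window_seconds span. events: iterable of (ts, sender, recipient)."""
    by_sender = defaultdict(list)
    for ts, sender, recipient in events:
        by_sender[sender].append((ts, recipient))
    flagged = set()
    for sender, items in by_sender.items():
        items.sort()
        window = deque()
        counts = defaultdict(int)               # recipient -> hits inside window
        for ts, recipient in items:
            window.append((ts, recipient))
            counts[recipient] += 1
            while window and ts - window[0][0] > window_seconds:
                old_ts, old_recipient = window.popleft()
                counts[old_recipient] -= 1
                if counts[old_recipient] == 0:
                    del counts[old_recipient]
            if len(counts) > distinct_threshold:
                flagged.add(sender)
                break
    return flagged


# Constructed sample log: one sender sweeps five addresses in ten seconds,
# another legitimately requests money from the same contact twice.
SAMPLE_EVENTS = [
    (0.0, "mallory", "a@example.com"),
    (2.0, "mallory", "b@example.com"),
    (4.0, "mallory", "c@example.com"),
    (6.0, "mallory", "d@example.com"),
    (8.0, "mallory", "e@example.com"),
    (1.0, "alice", "bob@example.com"),
    (30.0, "alice", "bob@example.com"),
]


def demo():
    svc = MoneyRequestService(max_requests=3, window_seconds=60)
    results = [svc.request_money("mallory", f"{i}@example.com") for i in range(4)]
    flagged = suspicious_senders(SAMPLE_EVENTS, window_seconds=60, distinct_threshold=3)
    return results, flagged


if __name__ == "__main__":
    print(demo())
```

The rate limit alone does not fix enumeration, because a patient sender can stay under it; the uniform response is what removes the oracle, and the log review is what turns residual slow sweeps into something the operations team can see.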
Attempts at disclosure
More interesting, though (unless your digital coins are held on Coinbase), is the fact that before shubh went public with this information, he had made several attempts at notifying the developer team about it.
In vain. There were no responses to the emails, tweets or reddit posts until finally someone named Julian replied to him/her. However, shubh stated that the crux of the matter was not addressed.
Only when the reddit post went viral (thanks to the blog) did the developers decide to make a statement of their own and publish a response.
Not a fault but a concept
The response, dry and official in tone, was nevertheless very detailed and explained every aspect of the developers’ take on the situation. Simply put, they acknowledge that their creation possesses certain features, but:
“Though we believe this type of spam and user enumeration activity doesn’t represent a significant risk to Coinbase customers, we absolutely recognize that it can be an inconvenience and cause confusion. We have already implemented a number of things which make this type of activity less convenient for would-be spammers”
Not to be ignored
The reddit community split in half: some users praised Coinbase for all the good it does, referring to this as a minor nuisance (or, as they liked to put it, “growing pains”). The others were less positive, speculating that if it weren’t for reddit the issue would have remained unaddressed.
Once again, public opinion made a difference. However, seeing the reluctance behind the developers’ answers, it is hard to say how much impact a group of people can make nowadays.