An anonymous user today posted a partial list of Coinbase user names and email IDs. The paste, which is available here, starts with the phrase “Here is a partial list of Coinbase user emails and their full names. Full list much bigger.” It further adds that “Coinbase provides your full transaction history to the FBI, FinCEN and IRS every day. They are under a gag order.” Simultaneously, a blogger, Shubham Shah, posted a complete and detailed Full Disclosure report on a flaw in the Bitcoin wallet service Coinbase that can be leveraged by cybercriminals to obtain information for use in targeted phishing campaigns. You can read the Full Disclosure report here.
Is Coinbase hacked? Leaks on Pastebin contain hundreds of Coinbase user emails
The author of this story also received a similar phishing mail on 10th March, 2014. The said mail, an image of which is reproduced below, comes from a valid email ID @coinbase.com; however, the link contained in the text led to a phishing website that asks for Coinbase credentials. Gmail rightfully identified it as spam and has obviously been blocking such messages for some time now.
“I often come across security issues that have been introduced “by design” and in many cases, developers of web applications refuse to fix these design flaws. Phishers can use this flaw for serious harm. I believe it is a security issue on Coinbase, which will merely assist mass, targeted phishing.” Shubham said on his blog. Shubham himself tried the technique and found it to be very successful.

Shubham then contacted Coinbase about this very serious issue, and Coinbase gave him a curt reply:

“Thanks for your submission, Shubham. We are not considering account existence bugs to be high enough severity for our scope. This behavior is mostly informational to an attacker and does not directly increase risk in any significant way. We may consider updating this behavior in the future.
We’ve spent a good amount of time investigating this behavior and we believe that the risks are incredibly minor. It is an important component in providing a positive user experience in any application. This stance is not unusual on the web: you’ll find that user enumeration is possible on Facebook, Google, and nearly every other major internet site. In Coinbase’s example, it’s absolutely critical that we’re able to notify our users when they attempt to request bitcoins from an invalid email address.”
This message might have been taken at face value but for the leaks on Pastebin. After the dramatic collapse of Mt. Gox, both Shubham’s report and the Pastebin leak point towards something dire happening at Coinbase.
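The flaw Coinbase's reply describes (a "request bitcoins" response that says whether an email address has an account) as an added Python illustration that is not code from the article, from Shubham's report or from Coinbase: a leaky handler beside a uniform-response variant, plus a small detector for a client probing many addresses; the account set, messages and client names are constructed.

```python
"""Account-existence disclosure: vulnerable shape, hardened shape, and a detector.
Added example with constructed data; not Coinbase's code."""
from collections import defaultdict

# Constructed stand-in for the user store a real service would query.
REGISTERED = {"alice@example.com", "bob@example.com"}


def request_bitcoins_leaky(email: str) -> str:
    """Vulnerable shape: the text returned to the requester differs depending on
    whether the address has an account, so every call answers 'does this user exist?'."""
    if email in REGISTERED:
        return "Request sent to the Coinbase user at this address."
    return "No Coinbase account exists for this email address."


def request_bitcoins_uniform(email: str, outbox: list) -> str:
    """Hardened shape: the requester always receives the same answer. Whether an
    account exists only changes what goes out of band (here, appended to outbox),
    which the requester cannot observe."""
    if email in REGISTERED:
        outbox.append((email, "You have a new bitcoin request."))
    return "If this address can receive requests, its owner has been notified."


class EnumerationDetector:
    """Flags a client that has probed many distinct addresses through the feature.
    A genuine user requests bitcoins from a handful of contacts, not from a list."""

    def __init__(self, threshold: int = 20):
        self.threshold = threshold
        self.seen = defaultdict(set)  # client id -> distinct addresses probed

    def observe(self, client: str, email: str) -> bool:
        """Record one request; return True once the client crosses the threshold."""
        self.seen[client].add(email.strip().lower())
        return len(self.seen[client]) >= self.threshold
```

The detector keys on distinct addresses per client rather than raw request volume, so a user re-sending a request to the same contact is not flagged while a bulk probe is.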
