Date: 2014-04-01

Coinbase has a Request money feature that sends an email to any email address through the Coinbase service.

Coinbase did not throttle this action, allowing anyone to send an unlimited number of Request money emails. Furthermore, the feature revealed whether a given email address had an associated account on the Coinbase service.

The security researcher reported the issue to Coinbase through its whitehat program. Coinbase marked the issue as “WONTFIX” one month later. Coinbase did not take action until an exploit was demonstrated publicly; by that point, sending these emails had become a common prank and harassment vector.

Coinbase then started to throttle the action. The company suffered PR damage, as the user community did not find Coinbase's initial response sufficient and questioned the security of Coinbase as a whole.
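The two defects above, a missing rate limit and an account-existence oracle, can be closed in the request-handling layer itself. The following is an added illustrative example, not Coinbase code: a request-money service that caps sends per sender and per target address within a sliding window, and returns the same response whether or not the target is a registered account. The class name, caps and window size are assumptions chosen for the example.

```python
"""Throttled 'request money' flow (illustrative; not Coinbase's implementation)."""
import time
from collections import defaultdict, deque


class RequestMoneyService:
    def __init__(self, registered_emails, per_sender=5, per_target=3,
                 window=3600.0, clock=time.monotonic):
        # Assumed policy: at most `per_sender` requests from one user and
        # `per_target` requests to one address within `window` seconds.
        self._registered = {e.strip().lower() for e in registered_emails}
        self._per_sender, self._per_target = per_sender, per_target
        self._window, self._clock = window, clock
        self._sent_by = defaultdict(deque)   # sender_id -> send timestamps
        self._sent_to = defaultdict(deque)   # target email -> send timestamps
        self.outbox = []                     # (target, amount, is_registered)

    def _prune(self, timestamps, now):
        # Drop timestamps that have aged out of the sliding window.
        while timestamps and now - timestamps[0] > self._window:
            timestamps.popleft()

    def request_money(self, sender_id, target_email, amount):
        now = self._clock()
        target = target_email.strip().lower()
        by, to = self._sent_by[sender_id], self._sent_to[target]
        self._prune(by, now)
        self._prune(to, now)
        # Per-target cap limits harassment of one address even from many senders.
        if len(by) >= self._per_sender or len(to) >= self._per_target:
            return {"status": "rate_limited"}
        by.append(now)
        to.append(now)
        # Registration status only selects the email template internally;
        # the caller sees an identical response either way, so the endpoint
        # cannot be used to enumerate which addresses have accounts.
        self.outbox.append((target, amount, target in self._registered))
        return {"status": "queued"}
```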

Related evaluation points: