Coinbase

Date: 2014-04-01

Coinbase has a Request money feature which sends email to any email address through Coinbase service.

Coinbase did not throttle sending actions allowing anyone to send infinite number of Request money emails. Furthermore the feature exposed if any email had an associated account on Coinbase service.

The security researcher reported the issue to Coinbase through whitehat program. Coinbase marked the issue as “WONTFIX” one month later. It was not until a publicly demonstrated exploit when Coinbase took action. In this point, it had become common prank and harrashment to send these emails.

Coinbase started to throttle the action. The company received PR damage as the user community did not find the initial response of Coinbase sufficient and questioned the security of Coinbase as a whole.

Related evaluation points:

• Whitehat program
• Flood action throttle

Links:

• Coinbase design allows for mass, targeted phishing of its users (Shubham Shah)
• Coinbase denies security breach, defends spamming-friendly features (Help Net Security)
• Update on Coinbase Data Security