Friday 31 December 2021

Coinbase Pro security flaw exploitable

This is a zero-day exploit of Coinbase Pro, as far as I know.

I emailed Support and warned them that I would publish if they didn't fix it; they did not reply.

Anyone who can observe the mail in transit (any relay on the path, or a sniffer on a hop where STARTTLS was not negotiated) can easily gather personal details of Coinbase Pro transactions, including:

- email address
- amount of BTC
- receive address

Of course, once chain analysis companies get the receive address they can uncover much more detail, including other holdings and counterparty addresses.

The key here is to know the following about the email protocol: the envelope addresses and the headers of an email, the Subject line included, are never end-to-end encrypted. Encryption between mail servers is opportunistic STARTTLS, so on any hop where it is absent or stripped the whole message, Subject included, crosses the wire in plain text; and even where every hop is encrypted, every mail server in the path reads the headers. Subject lines are also what shows up in notifications, lock screens and inbox previews. Anything put in a Subject line should therefore be treated as public to every intermediary.

Here is how it works:

1/ A Coinbase customer buys Bitcoin on Coinbase.

2/ Like all good bitcoiners, as soon as possible, they send their bitcoin to a self-custody wallet.

3/ When you do that, Coinbase Pro emails you a confirmation whose Subject line contains the BTC amount and the receive address.

4/ Anyone who can observe that message in transit (a mail relay, or someone sniffing a hop where STARTTLS was not negotiated) sees, in plain text, your email address, the BTC amount and your wallet address.

With this info they can search the web for sources tying your email to your name, address, and phone number.
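To make the leak concrete, here is an added example, not code from the original post and not Coinbase's code. It walks a constructed plaintext SMTP session (no STARTTLS, so a sniffer on that hop sees exactly this), pulls out the envelope recipient and the message headers, and then applies the same pattern matching a chain-analysis scraper would apply to the Subject line. The hostnames, sender, recipient, subject wording, amount and the bc1q address are all invented for the example; the Subject format is not Coinbase's real format. A second, generic subject is included to show that moving the details out of the Subject leaves the scraper with nothing.

```python
import re
from email.parser import Parser

# Constructed SMTP transcript as it would appear on the wire with no STARTTLS.
# Every host, address, amount and the Subject wording here is hypothetical;
# the bc1q address below is a fake built from the bech32 alphabet, not a real wallet.
CAPTURED_SMTP_SESSION = """\
220 mx.example.net ESMTP
EHLO mail.exchange.example
250 mx.example.net
MAIL FROM:<no-reply@exchange.example>
250 OK
RCPT TO:<alice@example.net>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: "Exchange" <no-reply@exchange.example>
To: alice@example.net
Subject: You sent 0.01234567 BTC to bc1qtestaddrtestaddrtestaddrtestaddrtestaddr
Date: Fri, 31 Dec 2021 01:18:00 +0000

Your withdrawal has been processed.
.
250 OK queued
QUIT
221 Bye
"""

# A subject that carries no transaction data; the details belong in the body,
# or better, only in the authenticated account UI.
SAFE_SUBJECT = "Your withdrawal has been sent"

# "<number> BTC" anywhere in the text.
BTC_AMOUNT_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*BTC\b")
# Bech32 (bc1...) using the bech32 charset (no b, i, o, 1), or legacy base58 (1... / 3...).
BTC_ADDRESS_RE = re.compile(
    r"\b(bc1[ac-hj-np-z02-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


def parse_smtp_session(transcript: str) -> dict:
    """Recover envelope recipients and message headers from a plaintext SMTP exchange."""
    recipients = []
    data_lines = []
    state = "commands"
    for line in transcript.splitlines():
        if state == "data":
            if line == ".":
                state = "commands"          # end of message content
            else:
                # RFC 5321 dot-stuffing: a line starting with ".." carries a literal "."
                data_lines.append(line[1:] if line.startswith("..") else line)
        elif state == "await_ack":
            # The server answers DATA with 354 before the client sends the message;
            # any other reply means the DATA command was refused.
            state = "data" if line.startswith("354") else "commands"
        else:
            upper = line.upper()
            if upper.startswith("RCPT TO:"):
                recipients.append(line.split(":", 1)[1].strip().strip("<>"))
            elif upper == "DATA":
                state = "await_ack"
    msg = Parser().parsestr("\n".join(data_lines))
    return {"recipients": recipients, "subject": msg["Subject"], "to": msg["To"]}


def transaction_details_in_subject(subject: str) -> dict:
    """What a passive observer learns about a withdrawal from the Subject header alone."""
    found = {}
    text = subject or ""
    m = BTC_AMOUNT_RE.search(text)
    if m:
        found["btc_amount"] = m.group(1)
    m = BTC_ADDRESS_RE.search(text)
    if m:
        found["receive_address"] = m.group(1)
    return found


def observer_view(transcript: str) -> dict:
    """Combine envelope recipient and Subject findings into one observer record."""
    session = parse_smtp_session(transcript)
    record = {"email": session["recipients"][0] if session["recipients"] else None}
    record.update(transaction_details_in_subject(session["subject"]))
    return record


if __name__ == "__main__":
    print(observer_view(CAPTURED_SMTP_SESSION))
    print(transaction_details_in_subject(SAFE_SUBJECT))
```

The parser only needs the few SMTP verbs that matter for this point; a real capture of a hop that did negotiate STARTTLS would show the same commands up to STARTTLS and then ciphertext, which is exactly why the risk depends on whether every hop encrypts, and why headers should never carry data you would not hand to every relay.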

I always knew Coinbase was scammy but this is criminal negligence.

Are they doing it to T-up data for the chain analysis companies they invest in or for a backdoor revenue stream from government? I don’t know.

But I know this is beyond "don't use it because they sell shitcoins" territory and well into "don't use it unless you want to be attacked" territory.

(Image: example subject line, where 0.0 BTC stands for the amount and Z for the receive address)

Submitted December 31, 2021 at 01:18AM by FrontpageNYTimes
