San Francisco-based bitcoin wallet provider Coinbase formally responded to community concerns relating to a design function of its ‘Request Money’ service on 1st April, amid reports that suggested this service could be misused by phishers and fraudsters.
The response was issued after a Pastebin entry surfaced suggesting that roughly 2,000 Coinbase customer names and emails were compromised as part of a “data breach” of the site, rumours that caused widespread speculation on reddit and social media.
Speaking to CoinDesk, the company clarified that, although certain user personal information was posted online, the event was not a data breach, but rather an exploitation of a feature common to popular tech services. Malicious users, it noted, can use an email address to determine if someone has an account on other payment services such as PayPal, Square Cash and Venmo – a process called email enumeration.
Wrote the company in its official response:
“Though we believe this type of spam and user enumeration activity doesn’t represent a significant risk to Coinbase customers, we absolutely recognize that it can be an inconvenience and cause confusion.”
Coinbase’s Request Money feature allows users to request funds by entering an email address. If the recipient is a Coinbase user, the website generates a return email complete with the individual’s first and last name, provided they used their real name to register with the service.
However, at least one security official has expressed concern that such information could be used by malicious parties to commit larger fraud.
Origin of the dispute
This functionality was brought to light to the bitcoin community by Australia-based security researcher Shubham Shah, who posted his frustrations on his blog. That post detailed a step-by-step process of how to conduct email enumeration using Coinbase, and lashed out against the company for not taking measures to address his concerns.
Coinbase reviewed the “design flaw” as submitted by Shah, but informed him that it would not be looking to implement a fix or issuing a reward for the finding. As such, he decided to publish the claim on his blog.
According to a timeline posted by Shah, the developer first contacted Coinbase on 28th February. The communication was part of a series of correspondences that ended on 31st March, when Shah indicates Coinbase confirmed it had closed his bug report.
Speaking to CoinDesk, Shah indicated that as a security researcher, he felt the responsibility to bring the issue to the community so that it could be addressed. Further, he claimed no affiliation with the subsequent PasteBin posting of customer names and email addresses.
Coinbase’s blog post explained that despite claims circulating online, the design feature was intentional, and meant to increase the usability of its service. Further, it stated that not implementing a limit on the number of emails that can be generated via its service serves a specific use case.
“Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API.”
In a message dated 31st March, a Coinbase representative offered the company’s internal assessment to Shah via HackerOne, an online organisation of security experts that coordinates rewards for hackers who contribute to a safer Internet.
“We are not considering account existence bugs to be high enough severity for our scope. This behaviour is mostly informational to an attacker and does not directly increase risk in any significant way. We may consider updating this behaviour in the future but do not feel it warrants a reward.”
The representative elaborated that allowing lists to be invoiced was a key aspect of its service, and that it “would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing”.
In its blog post, Coinbase indicated that only a very small amount of users – less than 0.5% – were named in the user data post today. In addition, it went on to describe why it believes such attacks are incredibly unlikely.
Said Coinbase: “This list of emails was likely sourced from other sites – probably bitcoin-related ones.”
The company said that malicious users would need to first acquire email addresses, which aren’t publicly available online, then send money to recipients who, in turn, would have to choose to send money to unknown users.
Shah indicated that the design flaw is important due to the nature of bitcoin’s design.
“You’re not dealing with a normal account. You’re dealing with an account that holds digital currency, which is irreversible. It’s a little more serious.”
Coinbase acknowledged this concern, though it said it believes it represents a low fraud risk, and is more threatening to users as a spam issue.
Coinbase indicated in its blog post that it is taking the issue of spamming seriously, noting that it employs rate limits on sensitive actions such as requesting money so that they aren’t widely abused.