Software engineer Bryan Stern warned users not to use the Coinbase Bitcoin Wallet and Merchant apps for Android until the problem is fixed; he also recommended that they check their accounts for any suspicious activity.
However, the company responded to Stern’s announcement in a Reddit post, claiming that the vulnerabilities were not as serious as he states.
Stern, a software engineer on the Android development team at Hootsuite, said he had reported the problem to Coinbase in early March, but the issue was not considered a big deal.
After finding the issue still present in the latest version of the app, Stern decided to disclose the information publicly on 27 June, hoping that the needed action would be taken.
He wrote: “I don’t mean any harm posting this, but I am frustrated that some security fixes that might require maybe 20 [development] hours to implement and is allegedly on the roadmap 3 months ago has not yet been addressed.”
He also wrote in his report: “Coinbase wisely recommends that all clients of their API should validate the SSL certificate presented to prevent MITM attacks. However, they fail to do this in their own Android applications.”
The client_id and client_secret values, the secret parts of the application’s API credentials, are visible in Coinbase’s source code published on GitHub, Stern noted. Moreover, taken together, the disclosed information would give an attacker the all-important access_token during a user’s authentication.
With a stolen token and the attack in place, an attacker could make API requests on the user’s behalf and eventually take full control of the account.
Furthermore, given the seriousness of the problem, Stern advised Coinbase to change the client_id and client_secret values and keep them confidential in future. He also suggested that all apps validate SSL connections properly, and that they use the Coinbase API’s improved authentication process and stop using the deprecated one.
However, Coinbase claimed the threat was not a big one and that an attack would be unlikely to happen. One of the company’s representatives also commented that client_id and client_secret were intended to be public and were not a defence against attacks.
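The two patterns at the heart of the report, shown side by side as an added example in Java (not code from Stern’s report, from the Coinbase apps, or from Coinbase’s API client): a “trust everything” TLS setup that accepts any certificate an interceptor presents, and a client that keeps the platform’s default validation and additionally pins the server’s public key. The class name, `EXPECTED_PIN` placeholder and URL are assumptions; the pin must be computed from the real server key before use.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.*;

public class TlsClientCheck {

    // The mistake the report describes: a trust manager that accepts every chain
    // and a hostname verifier that always says yes. With this installed, a MITM
    // certificate is accepted silently. Kept here only so it can be recognised in review.
    static SSLSocketFactory insecureFactoryDoNotUse() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { /* no check */ }
            public void checkServerTrusted(X509Certificate[] c, String a) { /* no check */ }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
        return ctx.getSocketFactory();
    }

    // Hardened variant: do not override the socket factory or hostname verifier, so the
    // platform validates the chain and hostname, then pin the leaf SubjectPublicKeyInfo.
    // EXPECTED_PIN is a placeholder (assumption), not a real key hash.
    static final String EXPECTED_PIN = "sha256/REPLACE_WITH_BASE64_SPKI_HASH";

    static String spkiPin(Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();           // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    static HttpsURLConnection openPinned(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.connect();                                            // default validation runs here
        Certificate leaf = conn.getServerCertificates()[0];        // index 0 is the leaf
        if (!EXPECTED_PIN.equals(spkiPin(leaf))) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("public key pin mismatch");
        }
        return conn;
    }
}
```

Pinning is a second layer on top of default validation, not a replacement for it; the insecure factory above is what to search for when auditing an API client.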
The initial claims sent in March were rejected. As a result, Stern posted a warning on his blog making the issue public and then sent it to the company in April.
However, that claim was also rejected, so he opened a report on HackerOne, a site where researchers can disclose vulnerabilities in programs privately.
After that, Coinbase paid Stern $100 but said it would not eliminate the problem, leading HackerOne to make the report public. When the issue still wasn’t fixed in the latest version (2.2) of Coinbase’s apps, Stern published the report on his blog.
Finally, in April the company responded to claims made in March that its ‘Request Money’ feature left users vulnerable to so-called phishing attempts. The feature allowed a user to see whether an email address was attached to a Coinbase account.