October 26th, 2016
At the end of February Shubham Shah notified in a blog post that a bug could cause huge harm to Coinbase worlds most popular Bitcoin exchange platform and it seems like hackers have exploited this security vulnerability Shubham has warned Coinbase about 4 months ago as hundreds of users are reporting on Reddit that they are receiving phishing emails from Coinbase asking them to make transactions to other users.
The exploit works as following: Making use of the request money feature, hundreds of thousands of emails can be checked and since there is no limit to the amount of requests you can send, hackers have used thousands of emails and see which ones are from people with a registered Coinbase account, these can then be targeted with phishing attempt.
“Before you get the impression that this isn’t a security flaw in itself, please let me explain.
Phishers can use this flaw for serious harm. I believe it is a security issue on Coinbase, which will merely assist mass, targeted phishing.”
Shubham has used the exploit it self, allowing him to extract 400 email addresses with the appropriate owners first and second name. After contacting Coinbase, they said the following:
We are not considering account existence bugs to be high enough severity for our scope