Share this article
Coinbase Android Apps Have Security Flaw, Expert Warns
A programmer says Android users of Coinbase's consumer and merchant apps are at risk of having their accounts hacked.
Updated Apr 10, 2024, 3:17 a.m. Published Jul 1, 2014, 11:10 a.m.
Make us preferred on Google
A Canadian programmer has published what he claims is a vulnerability in Coinbase's Android apps, one that could allow an attacker to gain full access to a user's account.
Software Engineer Bryan Stern went so far as to caution users not to use the Coinbase Bitcoin Wallet and Merchant apps for Android until the problem is fixed, and advised them to check their accounts for suspicious activity.
STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
However, the company has since responded to Stern in a reddit thread stating that the vulnerabilities were not as serious as Stern claims.
, who works on Android development at Hootsuite, said he'd brought the issue to Coinbase's attention via their 'white hat' bug bounty program in early March, but there had been a disagreement over the seriousness of the issue.
Upon finding his issue present in the latest version of the app, he decided to release the information publicly on 27th June in the hope that prompt action would be taken.
He wrote:
"I don't mean any harm posting this, but I am frustrated that some security fixes that might require maybe 20 [development] hours to implement and is allegedly on the roadmap 3 months ago has not yet been addressed."
The issue at hand
A lower level of security in the Android apps could allow eavesdroppers to launch a 'man in the middle' (MITM) attack against users, Stern said. He wrote in his report:
"Coinbase wisely recommends that all clients of their API should validate the SSL certificate presented to prevent MITM attacks. However, they fail to do this in their own Android applications."
Thanks to this, an attacker could present a 'spoofed' SSL certificate (anything with a valid signature but from a different signing authority to the one Coinbase uses) and intercept communications.
The client_id and client_secret items, part of the application's API that should be secret, are in clear view in Coinbase's source code published on GitHub, Stern continued. These would then be revealed during a user's authentication process and provide a hacker with the all-important access_token.
With an attack established, plus this stolen token, a malicious hacker could make API requests at a later time on the user's behalf – essentially taking full control over their account.
Stern recommended Coinbase change client_id and client_secret and keep them confidential in future. He also recommended all apps validate SSL connections properly, and that they make use of the Coinbase API's improved authentication process and stop using the deprecated one.
Coinbase
said the threat was a minor one only, and an attack could only be performed successfully under a specific, but unlikely, set of circumstances.
Client_id and client_secret were intended to be public and not defenses against hack attacks, a company representative said, and while SSL Pinning might help against some attacks, it was not a defense against all malware or local modification of certificates.
Bug bounty program
After having his claims initially rejected by Coinbase on 14th March, Stern then wrote a draft blog post warning the public about the issue and sent it to the company in April.
This too was rejected, so he opened a report on HackerOne, a site where ethical hackers dissatisfied with existing bounty programs can disclose vulnerabilities privately.
Coinbase paid Stern $100 but said it would not be fixing the issue, leading HackerOne to make the report public. When he found the issue still not fixed in the latest version (2.2) of Coinbase's apps, Stern decided to publish the report on his blog.
Coinbase's bug bounty program pays a minimum $1,000 in bitcoin to anyone who can find a valid security hole in its code, but the company "reserves the right to decide if the minimum severity threshold is met".
The company in April responded to claims in March that its 'Request Money' feature left users vulnerable to phishing attempts. The feature allowed a user to find out if an email address was attached to a Coinbase account by entering it into a search field.
Image via watcharakun / Shutterstock
More For You
Pudgy Penguins is building a multi-vertical consumer IP platform — combining phygital products, games, NFTs and PENGU to monetize culture at scale.
What to know:
Pudgy Penguins is emerging as one of the strongest NFT-native brands of this cycle, shifting from speculative “digital luxury goods” into a multi-vertical consumer IP platform. Its strategy is to acquire users through mainstream channels first; toys, retail partnerships and viral media, then onboard them into Web3 through games, NFTs and the PENGU token.
The ecosystem now spans phygital products (> $13M retail sales and >1M units sold), games and experiences (Pudgy Party surpassed 500k downloads in two weeks), and a widely distributed token (airdropped to 6M+ wallets). While the market is currently pricing Pudgy at a premium relative to traditional IP peers, sustained success depends on execution across retail expansion, gaming adoption and deeper token utility.
More For You
BNB rises 2.5%, nears $900 mark as prediction market growth signals utility expansion
A new physically backed BNB exchange-traded product launched on Nasdaq Stockholm, adding to existing investment options.
What to know:
- BNB token climbed 2.5% to $89e, approaching the $900 resistance level, with increased trading volume suggesting fresh buying interest.
- A new physically backed BNB exchange-traded product launched on Nasdaq Stockholm, adding to existing investment options like Grayscale's pending ETF filing.
- BNB Chain saw significant growth in prediction markets, with platforms like Opinion Labs logging over $700 million in 7-day trading volume and cumulative trading volumes crossing $20 billion.
Top Stories
