Coinbase disclosed a security flaw, announcing that a small number of its customers’ passwords had been written in plain text (neither hashed nor encrypted) to its internal server logs. The exchange stressed, however, that the information was not accessed by third parties.
The problem in the registration form
Coinbase described a password-handling bug that affected about 3500 customers.
The bug caused personal information submitted during signup, including the proposed password, to be written in plain text to the exchange’s internal logs.
“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail. Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs”.
The customers involved were promptly notified by Coinbase via e-mail.
“We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future”.
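The two quoted statements above describe the failure mode (an error path that writes the raw signup submission, password included, into internal logs) and the remedy Coinbase says it is building (mechanisms to detect and prevent this class of bug). The Python block below is an added illustration of that pattern and is not Coinbase’s code: the form field names, the `render_signup_form` stand-in, the `redact` helper, the `SecretScrubFilter`, the `find_leaked_secrets` scanner and the sample submission are all assumptions made for the example. It shows the vulnerable error handler beside a hardened one, a logging filter that scrubs password-like values as a last line of defence, and a scanner that flags unmasked passwords in log lines.

```python
import logging
import re

# Constructed example, not Coinbase's code. Field names are assumptions.
SENSITIVE_FIELDS = {"password", "proposed_password", "password_confirm"}

# Matches password-like key/value pairs in free-form log text, e.g.
#   password=hunter2    'proposed_password': 'hunter2'    "password": "hunter2"
# group 1 = key plus separator, group 2 = opening quote (if any), group 3 = value
PASSWORD_KV = re.compile(
    r"(['\"]?(?:proposed_)?password(?:_confirm)?['\"]?\s*[:=]\s*)(['\"]?)([^'\",}\s]+)\2",
    re.IGNORECASE,
)

# Constructed sample submission of the kind the quoted statement describes.
SAMPLE_FORM = {"name": "Alice Example", "email": "alice@example.com",
               "proposed_password": "hunter2", "state": "CA"}


class FormLoadError(Exception):
    """Stand-in for the 'rare error condition' on the signup page."""


def render_signup_form():
    # Hypothetical: always fails, to exercise the error path that does the logging.
    raise FormLoadError("registration form failed to load")


def redact(form):
    """Copy of a submission with secret fields masked; the only form safe to log."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_FIELDS else v) for k, v in form.items()}


class SecretScrubFilter(logging.Filter):
    """Defence in depth: scrub password-like pairs from every record so that a
    forgotten redact() on some error path still cannot leak a credential."""

    def filter(self, record):
        record.msg = PASSWORD_KV.sub(r"\1\2<redacted>\2", record.getMessage())
        record.args = ()  # already interpolated above; avoid a second % formatting
        return True


def signup_vulnerable(form, logger):
    """The 'before': the error path dumps the whole submission into the log."""
    try:
        render_signup_form()
    except FormLoadError as exc:
        logger.error("signup failed (%s); submission=%r", exc, form)
        return False
    return True


def signup_fixed(form, logger):
    """The 'after': the same diagnostic, but secrets are masked before logging."""
    try:
        render_signup_form()
    except FormLoadError as exc:
        logger.error("signup failed (%s); submission=%r", exc, redact(form))
        return False
    return True


def find_leaked_secrets(log_lines):
    """Detection: (line number, value) for every unmasked password value in the log."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PASSWORD_KV.finditer(line):
            if m.group(3) != "<redacted>":
                hits.append((n, m.group(3)))
    return hits


def make_logger(name, scrub):
    """Logger whose formatted records are collected in a list for inspection."""
    lines = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            lines.append(self.format(record))

    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if scrub:
        logger.addFilter(SecretScrubFilter())
    return logger, lines


def demo():
    """Run the three variants and scan each log for leaked credentials."""
    results = {}
    for label, handler_fn, scrub in (
        ("vulnerable", signup_vulnerable, False),             # bug as described
        ("fixed", signup_fixed, False),                       # prevention: redact()
        ("vulnerable_with_filter", signup_vulnerable, True),  # filter catches forgotten redact
    ):
        logger, lines = make_logger("signup." + label, scrub)
        handler_fn(SAMPLE_FORM, logger)
        results[label] = {"log": lines, "leaks": find_leaked_secrets(lines)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r["leaks"], r["log"][0])
```

Running `demo()` shows the vulnerable handler leaking the proposed password into the log line, the fixed handler and the filter both producing `<redacted>` in its place, and the scanner reporting a hit only for the vulnerable variant. In practice the scanner belongs in CI or on the log pipeline, where it catches the regression the filter is there to absorb.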
The exchange also sought to reassure its customers, stating that:
“A thorough review of access to these logging systems did not reveal any unauthorized access to this data. Access to each of the systems is tightly restricted and audited”.
The security issue
Coinbase pays close attention to security and, unsurprisingly, runs a bug bounty program on HackerOne, which has so far paid out over a quarter of a million dollars.
“While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems”.
The exchange also stated that it forced a password reset for every account affected by the bug and, as an additional precaution, required those users to re-enroll in two-factor authentication.
“While we are confident that we’ve fixed the root cause and that the logged information was not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution”.