The major crypto exchange Coinbase revealed that it e-mailed 3500 customers regarding a bug on the sign-up page that caused some registration details to be stored as clear text in its internal web server logs. Coinbase Discloses Password Bug Affecting 3500 Customers.
The company is confident that the logged information was not improperly accessed, misused, or compromised. In spite of that, it still requested that customers change their passwords as a best-practice precaution.
The company explained in a blog post:
“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail… Unfortunately, it also meant that the individual’s name, email address, and proposed password would be sent to our internal logs.”
In 3,420 instances, users successfully registered using a password whose hash corresponded to the one previously logged.
The bug occurred due to the use of server-side rendering from React.js on the signup page. Basically, when a customer visits the account sign-up page, React helps show the form that needs to be completed.
The blog explained:
“We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future.”
“As a reminder, Coinbase also maintains an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date. While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems.”
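One way to guard against the logging failure described above, shown as an added example (not Coinbase's code and not part of the original article): a Node.js filter that masks registration fields in request lines before they are written to a log, and audits existing lines for them. It assumes the values reached the logs as URL query parameters and that the form keys are named as below; the article states neither.

```javascript
// Form keys are assumptions: the article names the data, not the field names.
const SENSITIVE_KEYS = new Set(['name', 'email', 'password']);
const MASK = 'REDACTED';

// Mask sensitive query parameters in a request target like "/signup?email=...".
function redactTarget(target) {
  const q = target.indexOf('?');
  if (q === -1) return { target, fields: [] };
  const params = new URLSearchParams(target.slice(q + 1));
  const fields = [];
  for (const key of new Set(params.keys())) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      params.set(key, MASK); // set() also collapses repeated keys
      fields.push(key);
    }
  }
  // Untouched targets are returned byte-for-byte; only leaking ones are rewritten.
  if (fields.length === 0) return { target, fields };
  return { target: target.slice(0, q + 1) + params.toString(), fields };
}

// Request part of a common/combined log format line: "METHOD target HTTP/x.y"
const REQUEST_RE = /"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/;

// Scrub one line before it is written; reports which fields were present.
function scrubLogLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return { line, fields: [] };
  const { target, fields } = redactTarget(m[2]);
  const request = `"${m[1]} ${target} ${m[3]}"`;
  return { line: line.replace(m[0], () => request), fields };
}

// Audit existing logs: report line numbers and field names, never the values.
function auditLog(lines) {
  return lines
    .map((l, i) => ({ lineNo: i + 1, fields: scrubLogLine(l).fields }))
    .filter((r) => r.fields.length > 0);
}

// Constructed sample lines (documentation IP ranges, made-up values).
const SAMPLE = [
  '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /signup HTTP/1.1" 200 5120',
  '203.0.113.7 - - [01/Jan/2020:10:00:09 +0000] "GET /signup?name=Ann+Lee&email=ann%40example.com&password=Tr0ub4dor%263 HTTP/1.1" 200 5120',
  '198.51.100.4 - - [01/Jan/2020:10:01:00 +0000] "GET /assets/app.js?v=42 HTTP/1.1" 200 901',
];

console.log(auditLog(SAMPLE));
console.log(scrubLogLine(SAMPLE[1]).line);
```

The audit output is safe to forward to an alerting channel because it carries only line numbers and field names.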