The major crypto exchange, Coinbase, revealed that 3500 customers e-mailed regarding a bug on the sign-up page. This caused some registration details to store in the internal web server logs as clear text. Coinbase Discloses Password Bug Affecting 3500 Customers.

While the company is confident that the logged information not improperly accessed, misused, or compromised. In spite of that, it still requested customers to change their passwords as a best-practice precaution.

The company explained in a blog post:

“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail…..Unfortunately, it also meant that the individual’s name, email address, and proposed password would be sent to our internal logs.”

Coinbase Discloses Password Bug Affecting 3500 Customers. In the 3,420 instances, users successfully registered using a hash password corresponding to the one previously logged.

The bug occurred due to the use of server-side rendering from React.js on the signup page. Basically, when a customer visits the account sign-up page, React helps show the form that needs to be completed.

The blog explained:

“Any user attempting to register needs to have JavaScript enabled, and needs to have that JavaScript load correctly. In virtually all circumstances, both of these things are true and React handles form validation and submission to the server. However, if a user had JavaScript disabled or their browser received a React.js error when loading, there was enough pre-rendered HTML that a user could fill out and attempt to submit our registration form.”

“We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future.”

Concluding:

“As a reminder, Coinbase also maintains an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date. While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems.”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.