Coinbase Confesses: Buggy Signup Page Logged 3,420 Passwords in Unencrypted Form

Siamak Masnavi

Coinbase revealed on Friday (August 16) that a bug in its signup ("create account") page caused registration details (full name, email address, and password) for 3,420 customers to be logged in clear text in its internal web server logs.

What Happened

Coinbase's blog post says that under "a very specific and rare error condition," the registration form in their signup page "wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail."

Sadly, on that error path the name, email address, and proposed password of the person attempting to register were saved in clear text (i.e. in unencrypted form) in Coinbase's internal logs.

If the person trying to register "reloaded the page and then submitted the form for a successful registration," the registration information was not logged (the correct behavior) and the proposed password was "securely hashed." In 3,420 instances, however, the user "successfully registered using a password with a hash that matched the one previously logged." That is clearly not a good outcome, since it means that, in theory, certain Coinbase employees had access to the passwords of these new customers.
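As an added illustration (not Coinbase's code; the log line format, the KDF and the sample records below are all assumptions), a Python sketch of the two defensive pieces this incident calls for: a redaction step that masks password fields before a failed request is written to a log, and the incident-response check that finds accounts whose stored hash matches a plaintext password found in the logs, which is how the 3,420 affected accounts would be identified.

```python
import hashlib
import hmac
import re

# Constructed sample log lines in a hypothetical format: the error path dumps the
# submitted form verbatim, which is exactly the defect described above.
SAMPLE_LOG = [
    'ERROR signup form failed to render params={"name": "Ada Lovelace", '
    '"email": "ada@example.com", "password": "correct horse"}',
    'INFO healthcheck ok',
    'ERROR signup form failed to render params={"name": "Bob Smith", '
    '"email": "bob@example.com", "password": "hunter2"}',
]

SENSITIVE_KEYS = ("password", "passwd", "secret", "token")


def redact(line):
    """Mitigation: mask sensitive JSON-style fields before a line reaches the logger."""
    pattern = r'("(?:%s)"\s*:\s*")[^"]*(")' % "|".join(SENSITIVE_KEYS)
    return re.sub(pattern, r"\g<1>[REDACTED]\g<2>", line)


def hash_password(password, salt):
    # Assumed KDF for the example; the post only says passwords are "securely hashed".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def extract_logged_credentials(lines):
    """Pull (email, plaintext password) pairs out of leaked log lines."""
    found = []
    for line in lines:
        m = re.search(r'"email":\s*"([^"]+)".*"password":\s*"([^"]+)"', line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def affected_accounts(lines, user_db):
    """Incident-response step: which registered users later chose a password whose
    stored hash matches a plaintext password present in the logs?"""
    affected = set()
    for email, pw in extract_logged_credentials(lines):
        rec = user_db.get(email)
        if rec and hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
            affected.add(email)
    return affected


def build_sample_db():
    # Constructed user table: Ada re-registered with the same password, Bob chose a new one.
    db = {}
    for email, pw in (("ada@example.com", "correct horse"), ("bob@example.com", "new pw")):
        salt = hashlib.sha256(email.encode()).digest()[:16]  # fixed salt for reproducibility
        db[email] = {"salt": salt, "hash": hash_password(pw, salt)}
    return db
```

Running `affected_accounts(SAMPLE_LOG, build_sample_db())` flags only Ada, while running it over `redact`-ed lines flags nobody, because nothing usable was ever written.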

How Coinbase Dealt With the Situation

Coinbase did several things to deal with this situation:

  • Managed to quickly identify and fix the bug.
  • Discovered "all the places where these logs might have ended up."
  • Extensively reviewed access to its internal logging system (hosted on Amazon's AWS), which is visible to "a small number of log analysis service providers"; this review "did not reveal any unauthorized access to this data."
  • Activated a password reset for all 3,420 affected customers despite the fact that knowing someone's password is not enough to gain access to that person's account since Coinbase's "device verification emails" and compulsory Two-Factor Authentication (2FA) mechanism would have "blocked any unauthorized login attempts."
  • Sent email to all 3,420 impacted customers to let them know what had happened and request that they choose new passwords.

Conclusion

Although it is easy to criticize Coinbase for not having a 100% defect-free implementation (even though bugs are practically inevitable in almost any software system), Coinbase deserves credit for being transparent with its customers and making a full public disclosure.

Finally, it is worth acknowledging that Coinbase has "an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date."
