Coinbase Confesses: Buggy Signup Page Logged 3,420 Passwords in Unencrypted Form

Siamak Masnavi

Coinbase revealed on Friday (August 16) that a bug in its signup ("create account") page caused the registration details (full name, email address, and password) of 3,420 customers to be logged in clear text in its internal web server logs.

What Happened

Coinbase's blog post says that under "a very specific and rare error condition," the registration form in their signup page "wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail."

Sadly, this resulted in the name, email address, and proposed password of the person concerned being saved in clear text (i.e. in unencrypted form) in Coinbase's internal logs.

If the person trying to register "reloaded the page and then submitted the form for a successful registration," that registration information would not be logged (the correct behavior) and the proposed password would be "securely hashed." In 3,420 instances, however, the user "successfully registered using a password with a hash that matched the one previously logged," which is obviously not a good thing since it means that, in theory, certain Coinbase employees had access to the passwords of these new customers.

How Coinbase Dealt With the Situation

Coinbase did several things to deal with this situation:

  • Managed to quickly identify and fix the bug.
  • Discovered "all the places where these logs might have ended up."
  • Extensively reviewed access to its internal logging system (hosted on Amazon's AWS), which is visible to "a small number of log analysis service providers"; this review "did not reveal any unauthorized access to this data."
  • Activated a password reset for all 3,420 affected customers, even though knowing someone's password alone is not enough to gain access to that person's account: Coinbase's "device verification emails" and compulsory Two-Factor Authentication (2FA) would have "blocked any unauthorized login attempts."
  • Sent email to all 3,420 impacted customers to let them know what had happened and request that they choose new passwords.
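The two technical steps in this story, keeping secrets out of request logs and then working out which accounts were actually exposed by comparing stored hashes against logged plaintexts, are illustrated by the following added example. It is not Coinbase's code: the field names, the PBKDF2 hash, and all sample data are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import json
import os

# Form fields whose values must never reach a log line (assumed names).
SENSITIVE_FIELDS = {"password", "password_confirmation"}

def redact_form(form: dict) -> dict:
    """Return a copy of a submitted form that is safe to write to a log."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in form.items()}

def log_failed_signup(form: dict, error: str) -> str:
    """Build the log line written when the signup form fails to load/submit."""
    return json.dumps({"event": "signup_failed", "error": error,
                       "form": redact_form(form)}, sort_keys=True)

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def affected_accounts(logged: list, users: dict) -> list:
    """Accounts whose stored hash matches a plaintext that leaked into logs.
    logged: [(email, plaintext)] recovered from the old, unredacted logs
    users:  {email: (salt, stored_hash)} from the account database
    """
    hits = set()
    for email, leaked_pw in logged:
        if email not in users:
            continue  # signup never completed, so nothing to reset
        salt, stored = users[email]
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.add(email)
    return sorted(hits)

# Constructed sample data: two registered users and three logged attempts.
_salt_a, _salt_b = os.urandom(16), os.urandom(16)
USERS = {
    "alice@example.com": (_salt_a, hash_password("hunter2!", _salt_a)),
    "bob@example.com": (_salt_b, hash_password("different-pw", _salt_b)),
}
LEAKED = [("alice@example.com", "hunter2!"),    # re-registered, same password
          ("bob@example.com", "first-try"),     # chose a new password on retry
          ("carol@example.com", "never-done")]  # never completed signup
```

Only alice's account is flagged: bob's stored hash does not match the logged attempt, and carol never finished registering.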

Conclusion

Although it is easy to criticize Coinbase for not having had a perfect 100% defect-free implementation (even though bugs in almost any software system are practically inevitable), Coinbase should be highly commended for being so transparent with its customers by publicly making a full disclosure.

Finally, it is worth acknowledging that Coinbase has "an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date."


OKEx Was the Top Crypto Derivatives Exchange in September, Report Shows

Leading cryptocurrency exchange OKEx was the top crypto derivatives exchange in the month of September, trading a total of $90.3 billion. Huobi followed with $84 billion.

According to CryptoCompare’s September 2019 Exchange Review, the crypto trading platform represented 33.7% of the daily derivatives volumes, trading $3.08 billion per day. Behind OKEx was Huobi with $2.82 billion traded a day, followed by BitMEX’s $1.88 billion.

Cryptocurrency exchanges like Deribit and CryptoFacilities, which is FCA-regulated, represented only $334 million and $74 million a day, respectively.

[Chart: Top derivatives exchanges. Source: CryptoCompare Exchange Review]

The report notes that the most traded derivatives product by trading volume was BitMEX’s perpetual BTC futures contract, as its total trading volume for the month was of $41.7 billion. Other top traded products were BTC futures contracts expiring on September 27, with Huobi’s contract seeing $23.3 billion traded, while OKEx saw $17.4 billion traded.

OKEx’s lead in cryptocurrency derivatives likely stems from its product range. The exchange offers various futures contracts on its website – not just for BTC but for other top cryptocurrencies like BCH, BSV, EOS, XRP, and TRX.

Similarly, the exchange, which earlier this year announced it is working on global compliance standards for cryptocurrency exchanges through a Self-Regulated Organization (SRO), offers perpetual swaps for these cryptos.

As CryptoGlobe reported, CryptoCompare’s report for August found similar results when it came to OKEx. Despite a market-wide drop in terms of derivatives trading volumes, the cryptocurrency exchange managed to capture over one-third of the market in August.

CryptoCompare’s September 2019 Exchange Review also found that lower-rated cryptocurrency exchanges – according to its Exchange Benchmark Ratings – have been gaining market share in terms of spot volumes.

Per the report, exchanges with an “E” rating represented a total trading volume of $179 billion in September, after seeing an increase of over 30% from the prior month. Exchanges like OKEx, which is A-rated, represented a smaller piece of the pie, with only 14.3% of the market share.