Pusher authentication did not take device confirmation into account.
This would allow an attacker with a valid session but an unconfirmed device to snoop on pusher updates like incoming transactions.
This issue was in the coinbase event notification Pusher, which allowed me to read notification off of Unconfirmed devices. The event Pusher was tied to the session, once the device was un-confirmed, the pusher remained intact leaving user transaction notifications including wallet ids at risk.
Coin base fixed the vulnerability by deploying two fixes: