Coinbase: Transactions visible on Unconfirmed devices

2015-11-17T17:15:44
ID H1:100186
Type hackerone
Reporter shahmeer-amir
Modified 2015-12-11T08:20:24

Description

Pusher authentication did not take device confirmation into account.

This would allow an attacker with a valid session but an unconfirmed device to snoop on pusher updates like incoming transactions.

This issue was in the coinbase event notification Pusher, which allowed me to read notification off of Unconfirmed devices. The event Pusher was tied to the session, once the device was un-confirmed, the pusher remained intact leaving user transaction notifications including wallet ids at risk.

Coin base fixed the vulnerability by deploying two fixes: 1. Changing the Pusher channel and the session Channel 2. Monitoring device confirmation notifications on the application