Coinbase: Information disclosure of user by email using buy widget

2016-10-15T14:38:42
ID H1:176002
Type hackerone
Reporter cablej
Modified 2016-11-16T18:59:46

Description

In the Coinbase Buy Widget flow, we were displaying the last 4 digits of a user's phone number for verification purposes (e.g. "we've sent a code to xxx-1234"). Industry standard seems to be 2 digits instead of 4, so we now mask all but the last 2 digits.
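The masking change described above, shown as an added example (not Coinbase's code): the original last-4 behaviour beside the hardened last-2 form, with a check that the masked value never reveals more digits than intended. The sample phone numbers are constructed for illustration.

```python
import re

# Constructed sample inputs in a few common formats; not taken from the report.
SAMPLE_NUMBERS = ["+1 (415) 555-0134", "415-555-0134", "+44 7700 900123"]


def _digits(phone: str) -> str:
    """Strip formatting so masking operates on the digits only."""
    return re.sub(r"\D", "", phone)


def mask_phone_last4(phone: str) -> str:
    """Original Buy Widget behaviour: reveal the last 4 digits."""
    return "xxx-" + _digits(phone)[-4:]


def mask_phone(phone: str, keep: int = 2) -> str:
    """Hardened behaviour: reveal only the last `keep` digits (default 2).

    An input with `keep` or fewer digits is fully masked rather than echoed,
    so the output never discloses more than `keep` digits of the number.
    """
    d = _digits(phone)
    if keep <= 0 or len(d) <= keep:
        return "xxx-" + "x" * max(keep, 2)
    return "xxx-" + d[-keep:]


def verification_message(phone: str) -> str:
    """The user-facing text after the fix."""
    return f"We've sent a code to {mask_phone(phone)}"


def revealed_digit_count(masked: str) -> int:
    """How many real digits a masked string still exposes (the quantity the fix reduces)."""
    return len(_digits(masked))


if __name__ == "__main__":
    for n in SAMPLE_NUMBERS:
        print(f"{n!r}: before={mask_phone_last4(n)} after={mask_phone(n)}")
```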