Coinbase: Captcha Bypass in Coinbase SignUp Form

2017-07-07T07:33:35
ID H1:246801
Type hackerone
Reporter tejpratap
Modified 2017-09-05T17:09:43

Description

Vulnerability description:

The g-recaptcha-response value is not validated on the server side when the signup form is submitted to the endpoint. Any value, or no value at all, can be supplied for this parameter and the request is still accepted.

Steps to reproduce:

  1. Go to https://www.coinbase.com/signup
  2. Fill in the input fields and solve the captcha.
  3. Turn on intercept in Burp Suite, submit the form and capture the request.
  4. Remove the g-recaptcha-response parameter (the response value) and forward the request.

Impact: Fake accounts can be created in bulk. Email enumeration is also possible, because the application will not allow two accounts to register the same email address, so an automated signup attempt reveals whether a given address already has an account.
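The following is an added example, not Coinbase's code or anything from the original report. It puts the reported behaviour (a signup handler that never looks at the token) next to the server-side check that closes it: the g-recaptcha-response parameter is posted to Google's siteverify endpoint and the signup is only allowed when the verdict says success for the expected hostname. The handler names, form shape, messages and the FakeSiteverify double are hypothetical; the siteverify URL and the shape of its JSON response (success, hostname, error-codes) are Google's real interface. The verifier is injected so the logic can be exercised offline.

```python
"""Server-side reCAPTCHA validation: the reported behaviour beside the fix.

Hypothetical handlers for illustration; not Coinbase's code. Only the
siteverify endpoint and its response fields are real. `verify` is injected
so the decision logic can be run offline against a test double.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Signature shared by the real verifier and any test double.
Verifier = Callable[[str, str, Optional[str]], Dict]


def google_siteverify(secret: str, token: str, remote_ip: Optional[str] = None) -> Dict:
    """POST the token to Google and return the decoded JSON verdict.

    The response carries 'success' (bool); on success also 'hostname' and
    'challenge_ts'; on failure an 'error-codes' list.
    """
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    req = urllib.request.Request(
        SITEVERIFY_URL,
        data=urllib.parse.urlencode(fields).encode(),
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


def signup_vulnerable(form: Dict[str, str]) -> str:
    """The behaviour the report describes: the widget puts a token in the
    form, but the server never reads it, so a request with the field
    deleted in Burp is accepted like any other."""
    if not form.get("email"):
        return "error: email required"
    return "account created"


def captcha_passed(form: Dict[str, str], secret: str, expected_hostname: str,
                   verify: Verifier = google_siteverify,
                   remote_ip: Optional[str] = None) -> bool:
    """Return True only when the verifier confirms a token solved on our hostname."""
    token = form.get("g-recaptcha-response")
    # Absent or blank token: fail without a round trip. This is exactly the
    # case the report exercises by removing the parameter.
    if not isinstance(token, str) or not token.strip():
        return False
    try:
        verdict = verify(secret, token, remote_ip)
    except Exception:
        # Network or parse error: fail closed rather than wave the signup through.
        return False
    if verdict.get("success") is not True:
        return False
    # Reject tokens solved on another site that embeds the same public site key.
    return verdict.get("hostname") == expected_hostname


def signup_hardened(form: Dict[str, str], secret: str, expected_hostname: str,
                    verify: Verifier = google_siteverify,
                    remote_ip: Optional[str] = None) -> str:
    # The captcha check comes before any lookup that could reveal whether the
    # email is already registered; otherwise the enumeration the report
    # mentions survives even with the captcha enforced.
    if not captcha_passed(form, secret, expected_hostname, verify, remote_ip):
        return "error: captcha verification failed"
    if not form.get("email"):
        return "error: email required"
    return "account created"


class FakeSiteverify:
    """Offline stand-in for Google's endpoint (constructed for the example):
    knows one valid token, reports a fixed hostname, and counts calls."""

    def __init__(self, valid_token: str, hostname: str) -> None:
        self.valid_token = valid_token
        self.hostname = hostname
        self.calls = 0

    def __call__(self, secret: str, token: str, remote_ip: Optional[str] = None) -> Dict:
        self.calls += 1
        if token == self.valid_token:
            return {"success": True, "hostname": self.hostname}
        return {"success": False, "error-codes": ["invalid-input-response"]}


if __name__ == "__main__":
    fake = FakeSiteverify("tok-ok", "www.example.com")
    stripped = {"email": "a@example.com"}  # the Burp-modified request
    print("vulnerable:", signup_vulnerable(stripped))
    print("hardened:  ", signup_hardened(stripped, "secret", "www.example.com", fake))
```

The two decisions that matter are that a missing or empty token is treated as a failure rather than skipped, and that the handler only trusts a verdict that says success for its own hostname; a transport error is also treated as a failure so the check cannot be bypassed by making the verification call fail.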