HackerOne report H1:5314 (hackerone.com)
Reporter: prakharprasad
Disclosed: Mar 31, 2014 - 6:12 a.m.

Coinbase: Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code

Hi,

There’s a simple bug here: the Coinbase Android app “BitCoin Wallet” leaks the OAuth response code, which can be obtained using the adb logcat -s Coinbase command line for testing, and any Android application on the same phone can read the response code for the user by reading the logs. As of now nothing can be harmed with the OAuth response code, but along with the hardcoded client secret we can obtain the access_token.

This bug is similar to this - http://attack-secure.com/all-your-facebook-access-tokens-are-belong-to-us/

So using the stolen response code and client secret we can derive the access_token.

POC: https://www.dropbox.com/s/zionksi1pt7lot5/Coinbase-Android.mov
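The report's root cause is an OAuth authorization code written to logcat, a log that other processes on the device (and anyone with adb access) can read. The following is an added example, not code from the report or from Coinbase, showing the two defensive halves of that finding: redacting OAuth parameters before anything is logged, and scanning a logcat dump for codes or tokens that slipped through. The log lines, the app scheme (exampleapp://) and the parameter values are constructed for the example; only the Coinbase log tag comes from the report.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# OAuth 2.0 parameters that must never reach a shared log such as logcat.
SENSITIVE_PARAMS = {"code", "access_token", "refresh_token", "client_secret", "id_token"}

# Matches "<param>=<value>" inside a URL query or a log message.
LEAK_RE = re.compile(r"\b(code|access_token|refresh_token|client_secret|id_token)=([^&\s\"']+)")

# logcat "threadtime" format: date time pid tid level tag: message
LOGCAT_RE = re.compile(r"^\S+\s+\S+\s+\d+\s+\d+\s+([VDIWEF])\s+([^:]+):\s*(.*)$")

REDACTED = "[REDACTED]"


def redact_url(url: str) -> str:
    """Mitigation: replace sensitive query-parameter values before logging a redirect URI."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="[]" keeps the placeholder readable instead of %5BREDACTED%5D
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def redact_message(msg: str) -> str:
    """Mitigation for free-form log text: scrub any param=value pair that looks like a secret."""
    return LEAK_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", msg)


def find_leaks(log_text: str, tag: Optional[str] = None) -> list:
    """Detection: return every OAuth code/token found in a logcat dump, optionally for one tag."""
    findings = []
    for line in log_text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # not a threadtime-format line; skip
        _level, ltag, msg = m.groups()
        ltag = ltag.strip()
        if tag is not None and ltag != tag:
            continue
        for pm in LEAK_RE.finditer(msg):
            if pm.group(2) == REDACTED:
                continue  # already scrubbed, not a leak
            findings.append({"tag": ltag, "param": pm.group(1), "value": pm.group(2)})
    return findings


# Constructed sample logcat output (not real Coinbase output). Line 1 is the
# kind of entry the report describes; line 4 shows the same event after redaction.
SAMPLE_LOGCAT = """\
03-31 06:12:33.101  1234  1234 D Coinbase: onNewIntent uri=exampleapp://oauth/callback?code=abc123DEF&state=xyz
03-31 06:12:33.102  1234  1234 D Coinbase: token request client_id=demo-client
03-31 06:12:33.200  5678  5678 I ActivityManager: Displayed com.example/.Main
03-31 06:12:33.301  1234  1234 D Coinbase: onNewIntent uri=exampleapp://oauth/callback?code=[REDACTED]&state=xyz
"""


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOGCAT):
        print(f"LEAK tag={f['tag']} {f['param']}={f['value']}")
    print(redact_url("exampleapp://oauth/callback?code=abc123DEF&state=xyz"))
```

In practice the scan is run over a capture such as adb logcat -d -v threadtime > app.log during a test pass, and a non-empty result from find_leaks is a finding regardless of whether the leaking tag belongs to the app under test. The state parameter is deliberately left visible: it is not a secret, and keeping it lets the log still be useful for debugging the redirect flow.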