Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneAndrom3daH1:55827
HistoryApr 11, 2015 - 3:14 a.m.

Coinbase: iframes considered harmful

2015-04-1103:14:20
androm3da
hackerone.com
8
JSON

The Coinbase API offers an iframe payment option. iframes are attractive because they allow Coinbase’s customers to give the illusion that the Bitcoin transaction is embedded entirely within the customer’s website. But customers can (and do) refer to that iframe on insecure connections. Hijacking a transaction that’s executed this way is not at all difficult.

One prominent customer (The United Way) hosts an iframe in just this fashion:
http://www.unitedway.org/pages/donate-bitcoin-to-united-way

I’d recommend the following suggestions:

Bar this use of iframes altogether, by deleting the feature from the API.

OR

Refuse to serve up the requested iframe content if the HTTP_REFERER header is set (return 403 or similar). This would be effective for customers designing new Coinbase-API-iframe features because all of their testing/experimentation would fail if connected insecurely. This depends on User Agents accepting the advice in RFC 2616: “Clients SHOULD NOT include a referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol”, most of which do.

This option leaves some risk that a customer might test this feature using a browser designed or configured to never offer the referer header. Also, it does not directly solve the problem for existing customers.

Is this a Coinbase vulnerability?

Given that the misconfiguration/error appears to originate at Coinbase’s customers’ sites, how can Coinbase be held responsible? Among trust systems, errors often occur at the interface between different realms. This case is a classic example. “39,000 Businesses Trust Coinbase To Integrate Bitcoin Payments” and they’d be disappointed to learn that some businesses lost money while they were using Coinbase to clear their bitcoin transactions.

It’s a shame that some web developers wouldn’t see the risk in having their financial-transaction-page communicated insecurely. But indeed, some just don’t see that risk. Coinbase’s API documentation makes no explicit indication about how Coinbase customers must secure their connection with their downstream customers, in order to protect those references to Coinbase. And Coinbase’s customers may think that the fees that they pay for transactions are such that they shouldn’t need to secure their own websites.

Sample exploit

Attached is coinbase_iframe_exploit/intercept_cb.py, a mitmproxy script, and coinbase_iframe_exploit/cb.html, the content to be injected in lieu of a legitimate iframe reference to Coinbase.

Using this script and mitmproxy I can hijack a donation page and accept donations to my bitcoin address instead. I tested this on The United Way and it was effective, I saw my address instead of Coinbase’s. The testing was executed with mitmproxy local to my laptop exclusively.

Your move

Leaders lead. While it may sound scary to drop a feature that the competition has had for a while, it’s what I think Coinbase needs to do in order to “be the trusted brand in the space."

JSON