Coinbase: OAuth permission set as true = lead to authorize malicious application

2015-09-05T01:31:17
ID H1:87561
Type hackerone
Reporter paresh_parmar
Modified 2015-12-01T14:26:06

Description

The OAuth authorize button in the Coinbase Android app did not have the android:filterTouchesWhenObscured attribute set to true, so touches were still delivered to the button while another app's window was drawn on top of it. That may have made it vulnerable to tap-jacking: an overlay could lure the user into tapping the spot where the authorize button sits, approving a malicious application's OAuth request.

Reported UI redressing (clickjacking) for the Coinbase mobile application; the attack scenario is the same as www.paulosyibelo.com/2015/06/no-xfo-youre-d-silly-bugs-with-real-harm.html, which was reported by @paulos_.
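As an added example (not Coinbase's code and not part of the report above), here is how the Activity behind an OAuth authorize button can defend itself against the tap-jacking scenario the description mentions: the weak layout declaration beside the corrected one, the programmatic equivalent of the attribute, and an explicit check on the obscured-window flags. The package, Activity class, layout and resource ids are hypothetical, and the partially-obscured flag assumes compileSdkVersion 29 or later.

```java
// Added example, not from the Coinbase app: hardening a sensitive button against tap-jacking.
// Package, Activity, layout and ids below are hypothetical.
//
// Layout XML, weak (touches reach the button even when another window covers it):
//   <Button android:id="@+id/authorize_button" ... />
// Layout XML, hardened (framework drops touches while the window is fully obscured):
//   <Button android:id="@+id/authorize_button"
//           android:filterTouchesWhenObscured="true" ... />

package com.example.oauthdemo;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

public class AuthorizeActivity extends Activity {
    private static final String TAG = "AuthorizeActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_authorize);

        Button authorize = (Button) findViewById(R.id.authorize_button);

        // Programmatic equivalent of android:filterTouchesWhenObscured="true".
        // The framework discards a touch carrying FLAG_WINDOW_IS_OBSCURED, i.e. one
        // delivered while another window (such as a SYSTEM_ALERT_WINDOW overlay drawn
        // by a malicious app) fully covers this window, so onClick never fires.
        authorize.setFilterTouchesWhenObscured(true);

        // The framework filter only reacts to a fully obscured window. A narrow overlay
        // that covers just the button is reported as partially obscured (API 29+), so
        // check that ourselves and refuse the tap instead of letting it through.
        authorize.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                if (isObscured(event)) {
                    Log.w(TAG, "Ignoring touch: window is obscured by another window");
                    return true; // consume the event so no click is generated
                }
                return false;    // normal click handling proceeds
            }
        });

        authorize.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                grantOAuthAccess();
            }
        });
    }

    /** True when the system flagged this touch as passing through another window. */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED is set from Android 10 (API 29); on
        // older devices it is simply never set and only the full-obscure case applies.
        boolean partially = (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partially;
    }

    private void grantOAuthAccess() {
        // Hypothetical: the privileged action a hijacked tap must not be able to trigger.
    }
}
```

The attribute is the cheap, declarative fix and should be on every view that approves a payment, grants a permission or authorizes an OAuth client; the explicit flag check adds coverage for partial overlays and lets the app tell the user why the tap was refused. Android 12 and later additionally block untrusted touches passed through other apps' overlays at the system level, but the in-app checks are still what protects users on older devices.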