1) It's possible to determine if someone has a Coinbase account (no rate limit)
2) It's possible to find out someone's name if they have a Coinbase account (no rate limit)
3) Coinbase can be used to spam people through unsolicited messages (no rate limit).
Their response basically equates to "so what, nothing's wrong". They ignored the initial reports and marked the bug as won't fix.
Someone used this vulnerability to pull a bunch of example addresses and their response is "so what, nothing's wrong, probably wasn't us".
But these are three serious issues.
1) Why should anyone be able to figure this out without being a registered application? This is especially true given #3. And the lack of rate limiting is just irresponsible.
2) Why should anyone be able to ask Coinbase what my name is? Even if they allowed that, why can you do it without being a registered user of their API? Again, the lack of rate limiting is also irresponsible.
3) I understand it's purposeful that they'll treat anyone as having an account for the purposes of onboarding; that makes sense. But the ability to send emails to anyone on the internet without risking my reputation is asking for trouble. Again, this should be heavily rate limited unless you've registered with them. Anyone can sign up for an Amazon SES account, but you have to go through a few hoops before you can start sending out 500 messages a second.
These statements read like Baghdad Bob to me. We don't agree, nothing is wrong, go about your business as if nothing had happened.
If their initial response was "that's all correct, we're looking into rate limiting and maybe requiring you to register to make API calls" that would have been the end of it.
If I want to send money to someone, I should call Coinbase and they should send the request. The response to me should be "sent" or "error". Imagine if whenever I paid a bill with my credit card the return was not just "success" or "failure" but "success", "current balance", and "mother's maiden name". Disclosing that extra information is totally unnecessary.
The name is optional, and you can supply it to make the experience nicer. If you don't plan on using Coinbase this way, don't supply a name.
Making things easy to use is the answer to your question. Rate limiting might help a tiny bit, but you can just register multiple accounts to get around it. (And no doubt someone would do that and make a fuss about it.)
Many people will take the feature of presenting the name (so you have another layer of comfort while making the transaction, knowing it went to the right place and that you didn't introduce a typo) to be a feature. And those that don't want it don't have to provide their names.
> The name is optional, and you can supply it to make the experience nicer. If you don't plan on using Coinbase this way, don't supply a name.
Amazon won't tell you my name. Netflix won't tell you my name. Maybe to registered third parties, but not to random unauthenticated API callers.
> Rate limiting might help a tiny bit, but you can just register multiple accounts to get around it. (And no doubt someone would do that and make a fuss about it.)
But that adds a barrier, and would give them time to notice. Your argument is the equivalent of "why have locks, all doors can be forced open". Just because security isn't perfect doesn't mean it's not worthwhile.
> Amazon won't tell you my name. Netflix won't tell you my name
If you want to sell something on Amazon, Amazon will tell other people your name. I sold some apps there to experiment with the whole process, and they attached my real name to it.
There is never a need for anyone to know your name from Netflix. However, with Coinbase, there is a need for other people to be able to recognize who they are doing a transaction with.
> However, with Coinbase, there is a need for other people to be able to recognize who they are doing a transaction with
Why is this? They are not receiving money, they are sending money. The recipient needs to know the sender, but why does the sender need to know that the recipient is a registered Coinbase user, or what their first name and last name are? Why does the response JSON of the request_money API need to return the user's name, and couldn't the email and the transaction history page be the same whether you send money to a registered or non-registered email, until the recipient is in some sort of address book of the sender (perhaps after a valid transaction has happened between them)? I have used Chase and PayPal, and in both cases either I have to add the recipient to the address book and fill out the email address and first and last names, or just use the email address.
Fortunately or unfortunately, when you play in financial services, you are held to a higher security standard. I really like Coinbase; I hope they fix this simple problem and move on instead of denying it's a problem.
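As an added illustration of the response shape several commenters ask for (this is not Coinbase's code; the endpoint, the rate-limit numbers and the sample addresses are hypothetical): a request_money handler whose reply is identical for registered and unregistered recipients, never carries a name, and is throttled per caller with a token bucket.

```python
# Constructed sample data: which e-mail addresses belong to registered users.
# The hardened handler below consults this table server-side only; nothing
# about it leaks into the response the caller sees.
REGISTERED_USERS = {"alice@example.com": "Alice Example"}


class TokenBucket:
    """Per-caller token bucket: `capacity` requests of burst, then
    `refill_per_sec` sustained. Timestamps are injected for testability."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last_ts = None

    def try_take(self, now: float) -> bool:
        if self.last_ts is not None:
            elapsed = now - self.last_ts
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last_ts = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RequestMoneyAPI:
    """Hypothetical request_money endpoint that avoids the three issues in
    the thread: no account-existence oracle, no name disclosure, rate limit."""

    def __init__(self, registered: dict, burst: int = 5, refill_per_sec: float = 1 / 60):
        self.registered = registered
        self.burst = burst
        self.refill = refill_per_sec
        self.buckets = {}   # caller_id -> TokenBucket
        self.outbox = []    # what is actually delivered; never shown to the caller

    def request_money(self, caller_id: str, recipient: str, amount: float, now: float) -> dict:
        bucket = self.buckets.setdefault(caller_id, TokenBucket(self.burst, self.refill))
        if not bucket.try_take(now):
            return {"status": "error", "reason": "rate_limited"}
        # Server-side branch: registered users get an in-app request, everyone
        # else an onboarding e-mail. The branch is not observable from outside.
        channel = "in_app" if recipient in self.registered else "email"
        self.outbox.append((channel, recipient, amount))
        # Uniform response: same fields for both paths, no display name.
        return {"status": "sent"}
```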
Amazon won't tell you my name until I make a transaction with you. If I add your item to my cart and never check out, they won't tell you anything about me.
That doesn't seem to be the case with Coinbase, they seem to give you the information when you propose a transaction.
Yes, with these newly moved goalposts, I agree, and I mentioned it earlier today: Coinbase is giving your ID not just to people you've interacted with (which makes sense) but to people who have expressed the vaguest desire to interact with you (which might or might not make sense).
But the comment I was replying to was pointing out that Netflix never gives your ID to anybody, which is not a fair comparison because Netflix is in an entirely different business. Netflix customers never interact with each other. Coinbase users do interact, and identity is usually essential for interaction.
That's not moving goalposts. Amazon does not give out my information to unregistered 3rd parties who I haven't made a transaction with. Seems Coinbase does.
I chose Netflix simply because they were a large internet company. I think the idea that Coinbase is involved in transactions is a red herring here since they're giving the information out before the transactions are agreed upon by both parties.
If I proposed a Coinbase transaction with someone, I would fully expect that the other party would be told my name and possibly even my email.