Popular Bitcoin exchange Coinbase has several security flaws in their Android wallet and Coinbase Merchant applications, but the company is refusing to fix the errors, a Canadian software engineer claims.
Bryan Stern, an Android application developer in Vancouver for social media dashboard Hootsuite, said he first contacted Coinbase in March about the security problems in the Android versions of the two applications. Stern said the errors, found in key security and SSL certificate verification, could give hackers access to victims’ full accounts.
Coinbase, however, does not regard the issues as a problem and has not taken any steps to fix them, the engineer said.
“Sadly, [Coinbase] disagreed with the security issues I brought to their attention,” Stern wrote in a post detailing the alleged flaws on GitHub. Stern added:
“Fortunately, these issues are very easy to resolve and I have strongly urged them to do so. I am disclosing them here to alert the public of these security risks and so their users can take necessary action to protect their money.”
One problem is that Coinbase does not require its Android applications to validate the SSL certificate of the server they connect to, leaving an opportunity for hackers to present a spoofed one, Stern said.
He also wrote that the company has failed to properly protect their applications’ API client_id and client_secret, saying the information was published in source code on GitHub.
The flaws together could let attackers compromise the user’s SSL connection and gain full control of their account by stealing the access token, Stern said.
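As an added illustration of the SSL pinning fix Stern asked for (this is not code from the article, from Stern's post or from Coinbase's app): an Android HTTP client built on OkHttp 3's CertificatePinner, which refuses to send the access token unless the server's public key matches a pinned hash. The host name, pin values, API path and the choice of OkHttp are all assumptions.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/**
 * Builds an HTTP client that only talks to the API server when the SHA-256 of the
 * server's SubjectPublicKeyInfo matches one of the pinned values. A spoofed
 * certificate that the system CA store would accept is rejected here.
 * Assumptions (not from the article): OkHttp 3, host api.example.com, placeholder pins.
 */
public final class PinnedApiClient {
    // Placeholder host name; replace with the real API host.
    static final String API_HOST = "api.example.com";

    // Placeholder pins (32 zero bytes, which OkHttp accepts but will never match).
    // Real values are computed from the server's leaf or intermediate key, e.g.:
    //   openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
    //     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    // Pin at least two keys (current and backup) so a key rotation cannot lock users out.
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Returns true only if the TLS peer matched a pinned key and the request succeeded. */
    static boolean fetchAccounts(String accessToken) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/v1/accounts")   // placeholder path
                .header("Authorization", "Bearer " + accessToken)
                .build();
        try (Response response = build().newCall(request).execute()) {
            return response.isSuccessful();
        } catch (SSLPeerUnverifiedException e) {
            // The chain passed normal CA validation but no key matched a pin: treat the
            // connection as possibly intercepted. The token was never sent over it.
            return false;
        }
    }
}
```

With the all-zero placeholder pins every connection fails, and the exception message lists the actual hashes of the served chain, which is a convenient way to collect the real pin values before shipping.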
Staff at Coinbase, however, first ignored his attempts to alert them of the problems and then declined to fix them after a brief investigation, he wrote.
As of now, “SSL Pinning and OAuth2 request authentication [are] still not implemented on Version 2.2 of Coinbase’s app, the latest version of the app,” Stern concluded.
He recommended that users of the Coinbase Android apps discontinue use until the company fixes the issues.
A Coinbase representative publicly responded to Stern’s assertions on Reddit, concluding that the issues did not constitute an urgent threat to users. The client_id and client_secret tokens in the Coinbase Android app were never designed to be secret, and a hacker who obtained them would not gain any special permissions, said the representative, who identified himself as Ryan.
Ryan agreed that SSL pinning to ensure valid SSL certificates was a worthwhile fix, but a low security priority. “We’ve been working on bigger wins like Device Verification in the meantime, which has done great things against phishing attacks, which has been a much more frequent and probable threat compared to total CA compromises,” he wrote.
Stern continued to dispute Ryan’s points throughout the Reddit thread, saying that the client ID and secret tokens could be used to gain access to a user’s account.
“Client_ID and Client_Secret (in our app and by our design) are not even considered a line of defense…they’re useless in any attack,” Ryan responded. “If you can create a proof of concept that proves otherwise, I have a bounty waiting for you,” a challenge that Stern accepted.
Read the full Reddit thread here.