Coinbase Reveals Password Glitch Affecting 3,500 Customers

Crypto exchange Coinbase disclosed a potential vulnerability Friday, announcing that a tiny fraction of its customers' passwords were stored in plain text on an internal server log. However, the information was not improperly accessed by outside parties, the exchange said.

In a post-mortem shared with CoinDesk, Coinbase outlined "a password storage issue," impacting less than 3,500 customers (out of more than 30 million worldwide) that briefly resulted in personal information, including the passwords, being stored in clear text on internal logging systems.

"Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail," the post explained. "Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs."

In 3,420 instances, the potential customers used the same password on their second signup attempt, which would be successful but would result in their having a password that matches the hashed version on the company's logs. Those customers were notified by Coinbase via email on Friday.

The bug occurred due to Coinbase's use of React.js server-side rendering on the signup page. Essentially, when a user visits the page to sign up for an account, React helps display the form that needs to be filled out.

"Any user attempting to register needs to have JavaScript enabled, and needs to have that JavaScript load correctly," the post explained, adding:

"In virtually all circumstances, both of these things are true, and React handles form validation and submission to the server. However, if a user had JavaScript disabled or their browser received a React.js error when loading, there was enough pre-rendered HTML that a user could fill out and attempt to submit our registration form."

Because the HTML form "was extremely basic," no "action" or "method" attributes were set. Due to default behaviors, this resulted in some browsers defaulting to "GET," which encoded form variables as part of the log data.

The exchange fixed the issue by switching the default form method to "POST," to ensure data is no longer logged.

While Coinbase searched for other forms "with that problematic behavior," the exchange did not identify any.

"We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future," the blog post said.

In response to the discovery, Coinbase said it tracked the various location where the logs might be stored, which included a system hosted on Amazon Web Services and some "log analysis service providers."

"A thorough review of access to these logging systems did not reveal any unauthorized access to this data," the post said, adding that access to each of the systems is "tightly restricted and audited."

Coinbase said it has also triggered password resets for any individual whose account was impacted. (The blog post added that it requires two-factor authentication on top of a password in order for users to log into accounts.)

"While we are confident that we’ve fixed the root cause and that the logged information was not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution," the post explained.

"As a reminder, Coinbase also maintains an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date. While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems," the exchange concluded.

Coinbase's disclosure comes on the heels of Binance and Huobi suffering from actual data breaches. Unlike Coinbase, Binance and Huobi appear to have lost control of client know-your-customer data, including identity verification documents.

Brian Armstrong image via CoinDesk archives