This is a very simple demo of a small bug I found in Coinbase.com's app configuration. From looking at their mobile app source code, it was easy to see that their OAuth application was set to return a token to http://example.com/coinbase-token, and their mobile app was catching that URL and extracting the token before the external request was sent. The problem is that an attacker can use the hardcoded client_id and client_secret to force a user who has added the Coinbase mobile app to send their authentication token over a plaintext connection. This is a particular problem in a POS setting, where a malicious merchant / attacker will typically have control over the Wi-Fi network the user might be connecting to and can direct the victim to view a website / QR code and "Like Us" / "Tweet Us" to get a free cookie.
Once the attacker has captured the OAuth token, they can continually refresh it and only withdraw from the victim's account once all attention has moved away from them.
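The two weaknesses described above (a redirect URI on a plaintext, unowned placeholder host, and a client_secret embedded in a public mobile client) are both things a static check over the OAuth client configuration can catch before release. The following is an added example written for this page, not Coinbase's code or configuration: the allowlists, finding codes, `check_redirect_uri` / `audit_client` functions and the sample config are all constructed, and the secret values are placeholders.

```python
"""Added example: a static policy check for an OAuth client's configuration.
Not Coinbase's code; the allowlists and the sample config below are constructed."""
from urllib.parse import urlparse

# Hosts and custom URL schemes the app owner actually controls (constructed).
OWNED_HOSTS = {"app.example-wallet.test"}
OWNED_SCHEMES = {"examplewallet"}
# Placeholder hosts that must never be registered as a live redirect target.
PLACEHOLDER_HOSTS = {"example.com", "example.org", "example.net", "localhost"}

DESCRIPTIONS = {
    "PLAINTEXT_SCHEME": "http:// redirect: the token crosses the network unencrypted",
    "PLACEHOLDER_HOST": "redirect host is a placeholder the app owner does not control",
    "FOREIGN_HOST": "redirect host is not in the owned-host allowlist",
    "UNEXPECTED_SCHEME": "scheme is neither https nor a registered app scheme",
    "WILDCARD": "wildcard in redirect URI",
    "SECRET_IN_PUBLIC_CLIENT": "client_secret embedded in a public (mobile) client",
}


def check_redirect_uri(uri: str) -> list:
    """Return the list of finding codes for one registered redirect URI."""
    findings = []
    p = urlparse(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if scheme == "http":
        # Anyone on the network path (e.g. the Wi-Fi operator) sees the token.
        findings.append("PLAINTEXT_SCHEME")
    elif scheme != "https" and scheme not in OWNED_SCHEMES:
        findings.append("UNEXPECTED_SCHEME")
    if scheme in ("http", "https"):
        # Web redirects must land on a host the app owner controls; relying on
        # the mobile app to intercept the URL first is not a security boundary.
        if host in PLACEHOLDER_HOSTS:
            findings.append("PLACEHOLDER_HOST")
        elif host not in OWNED_HOSTS:
            findings.append("FOREIGN_HOST")
    if "*" in uri:
        findings.append("WILDCARD")
    return findings


def audit_client(config: dict) -> dict:
    """Audit a whole client config: per-URI findings plus client-level findings
    under the "_client" key."""
    report = {uri: check_redirect_uri(uri) for uri in config.get("redirect_uris", [])}
    client_findings = []
    # A mobile app cannot keep a secret; a client_secret shipped in the binary
    # is effectively public and should not be relied on at all.
    if config.get("client_type") == "public" and config.get("client_secret"):
        client_findings.append("SECRET_IN_PUBLIC_CLIENT")
    report["_client"] = client_findings
    return report


# Constructed sample config modelled on the misconfiguration described above.
SAMPLE_CONFIG = {
    "client_id": "PLACEHOLDER_CLIENT_ID",
    "client_secret": "PLACEHOLDER_CLIENT_SECRET",
    "client_type": "public",
    "redirect_uris": ["http://example.com/coinbase-token"],
}

if __name__ == "__main__":
    for target, codes in audit_client(SAMPLE_CONFIG).items():
        for code in codes:
            print(f"{target}: {code} - {DESCRIPTIONS[code]}")
```

Run against the sample config, the check reports PLAINTEXT_SCHEME and PLACEHOLDER_HOST for the redirect URI and SECRET_IN_PUBLIC_CLIENT for the client itself; an https callback on an owned host, or a registered custom app scheme such as `examplewallet://oauth/callback`, passes clean.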