This attack gave the attacker full API access to the victim’s account, making it possible to withdraw all of the user’s bitcoins or even buy more bitcoins from their linked bank account.
I’d just like to thank Coinbase for running a nice bug bounty. They were very courteous and they fixed all my reported bugs within 24 hours, even over the weekend. I’m on Twitter at @DonnchaC if anyone would like to contact me.
Source code for the PoC is available at https://gist.github.com/DonnchaC/5521999