Bug Bounty: OAuth2 vulnerability on Coinbase.com

In this video

This is a demo of a PoC I wrote exploiting a bug in Coinbase.com's OAuth implementation. It was possible to retrieve the OAuth app authorization form as one user and forward it (along with the CSRF token, etc.) to the victim, with JavaScript to auto-submit the form. Coinbase was not confirming that the form had been generated for the victim's own session, so an attacker could authorize their malicious app on the victim's account without the victim's confirmation. All the victim had to do was view a web page.

This attack gave the attacker full API access to the victim's account; it would have been possible to withdraw all of the user's bitcoins or even buy more bitcoins from their linked bank account.
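The root cause is an anti-CSRF token that proves only "this token was issued by the server", not "this token was issued to the session that is now submitting it". The simulation below is an added example, not Coinbase's code or the PoC from the gist: a toy authorization endpoint in two modes, one that accepts any token it ever issued and one that requires the submitted token to match the submitting session's own token. The client id "evil-app", the scope string and the session model are constructed for illustration.

```python
"""Simulation of the OAuth authorization-form CSRF flaw (hypothetical; not the page's PoC)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """A logged-in browser session; the cookie the browser sends with every request."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class AuthServer:
    """Minimal stand-in for an OAuth provider's /oauth/authorize endpoint."""

    def __init__(self, bind_token_to_session: bool) -> None:
        # False: vulnerable behaviour (token just has to be one the server issued).
        # True:  hardened behaviour (token must belong to the submitting session).
        self.bind_token_to_session = bind_token_to_session
        self.issued_tokens: set[str] = set()       # every token ever placed in a form
        self.grants: list[tuple[str, str, str]] = []  # (user, client_id, scope) approved

    def render_form(self, session: Session, client_id: str, scope: str) -> dict[str, str]:
        """GET /oauth/authorize: the hidden fields the browser would later POST back."""
        self.issued_tokens.add(session.csrf_token)
        return {"client_id": client_id, "scope": scope, "csrf_token": session.csrf_token}

    def submit_form(self, session: Session, form: dict[str, str]) -> bool:
        """POST /oauth/authorize, authenticated by the submitting browser's session cookie."""
        token = form.get("csrf_token", "")
        if self.bind_token_to_session:
            # Hardened: the token must be the one minted for *this* session.
            accepted = hmac.compare_digest(token, session.csrf_token)
        else:
            # Vulnerable: any token the server once handed out is good enough,
            # no matter which user it was issued to.
            accepted = token in self.issued_tokens
        if accepted:
            self.grants.append((session.user, form["client_id"], form["scope"]))
        return accepted


def run_attack(server: AuthServer) -> bool:
    """Replays the attack from the post against the given server; True if the grant lands."""
    attacker = Session("attacker")
    victim = Session("victim")
    # 1. The attacker loads the authorization page for their own app in their own session.
    form = server.render_form(attacker, client_id="evil-app", scope="wallet:write")
    # 2. The attacker embeds those fields in a page with JavaScript that auto-submits.
    #    The victim's browser POSTs them with the *victim's* cookie, modelled here by
    #    passing the victim session to submit_form.
    return server.submit_form(victim, form)


def run_legitimate(server: AuthServer) -> bool:
    """Control case: a user approves an app from a form rendered in their own session."""
    user = Session("alice")
    form = server.render_form(user, client_id="good-app", scope="wallet:read")
    return server.submit_form(user, form)


if __name__ == "__main__":
    vulnerable = AuthServer(bind_token_to_session=False)
    print("vulnerable server, attack accepted:", run_attack(vulnerable), vulnerable.grants)
    fixed = AuthServer(bind_token_to_session=True)
    print("fixed server, attack accepted:", run_attack(fixed), fixed.grants)
    print("fixed server, legitimate flow:", run_legitimate(fixed))
```

On the vulnerable server the grant is recorded against "victim" even though the victim never saw a consent screen; on the hardened server the same replay is rejected while a user's own consent still goes through. The same check applies to any state-changing form: compare the submitted token against the one stored in the submitting user's session (or an HMAC of that session), not against a global list of issued tokens.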

I'd just like to thank Coinbase for running a nice bug bounty. They were very courteous and they fixed all my reported bugs within 24 hours, even over the weekend. I'm on Twitter at @DonnchaC if anyone would like to contact me.

Sourcecode for the PoC is available at https://gist.github.com/DonnchaC/5521999

