Coinbase admitted a flaw in its security systems on Friday and declared that around 1 percent of its total users may need to change their passwords. This “password storage issue” resulted in passwords being stored in clear text on various internal logging systems. However, Coinbase added that the issue has not resulted in any information being improperly accessed by outside parties.
In a postmortem report, the exchange mentioned that, “Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail.”
Around 3500 customers out of the total number of 30 million were alerted by Coinbase through emails, and password reset actions were triggered. The bug was a result of Coinbase’s use of React.js for validating and submitting the data submitted through a login page. For any user trying to sign up for an account, React displays the necessary form when JavaScript is enabled and loaded correctly.
For users who had JavaScript disabled, or who hit a React.js error, the pre-rendered HTML form, which “was extremely basic,” was at times used to fill out and submit the data. With no method set on that form, some browsers fell back to the default, “GET”, which encodes the form fields into the request URL, and those URLs then ended up in the log data. The exchange fixed the bug by changing the default form method to “POST,” which ensures that the data is no longer logged.
“We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future,” the exchange said. It also did a thorough search to confirm that there was no other instance of the bug in the system.
“While we are confident that we’ve fixed the root cause and that the logged information was not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution,” the post further explained.
Recently, Binance and Huobi also suffered similar data breaches. In Binance’s case, KYC-related personal information of many users was spread through a Telegram chat. In Huobi’s case, user information allegedly surfaced on some dark web markets, even though the exchange denied any security breach on its end.
Unlike the other two, Coinbase appeared to be in better control of the situation and took corrective measures in time. “…We welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems,” the exchange added in its report.