The HipChat notifications go off at a fixed time (9AM and 9PM UTC) every day, however in the future I may add a feature to let people set the time the bot posts.
Disclaimer: I'm the author of this. The source code for most of it can be found on github [1] and the motivation behind building it is documented on my blog [2].
I'm happy to answer questions and take any feedback :)
Thanks all.
You're reading the Proof of Concept, which is meant to be a practical demonstration of how one could use the bug to their advantage. I didn't document the proof of concept in detail, to ensure that others couldn't easily use the blog post as a guide to harvesting Coinbase emails.
The "full, technical" report doesn't offer any new information. It just shows how to get the firstname and lastname.
The PoC does not at all demonstrate how the alleged bug could be used by phishers to their advantage. It doesn't even show usage of the firstname or lastname! That makes it incoherent.
I don't think you understand, the PoC is not supposed to be a PoC for phishing but rather a PoC for their lack of rate limiting [1], and user enumeration. I have shown the first name and last name [2], but have accordingly blurred them out [3] as I felt it was only appropriate.
In the technical section, I demonstrate where the first and last name would show up in the response from Coinbase. If you still think it's unclear, let me know, as reporting is something I wish to improve critically.
I appreciate the response from the Bitcoin community and the semi-fix from Coinbase they wish to implement in the future (optional masking of names on coinbase). However, I do also hope that rate limiting is implemented in the future, as I still personally consider this insecure by design.
How would rate limiting really solve this though? Wouldn't it just result in needing to use a botnet/spend more time harvesting?
Assuming that this is still the easiest way to harvest email/name pairs for phishing, then it seems like the time it takes isn't really a factor in the outcome since it can be parallelized and is still easier than phishing alternatives. It seems like the real answer is just to have it return the same response no matter if there is an account or not.
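As an added example (not code from the thread, from Coinbase, or from the post's author), here is a minimal Python model of the two mitigations the comments discuss: a per-client rate limit, and a response that is identical whether or not the target email has an account. The account store, the `SAFE_RESPONSE` shape, the limits and the handler names are all constructed for illustration; `request_money_leaky` is included only as the "before" pattern the thread describes, so that the `leaks_existence` check has something to contrast with.

```python
"""
Added example: an enumeration-safe "request money by email" handler next to
the leaky pattern, plus a sliding-window rate limiter. Everything here is
hypothetical and in-memory; no real service or API is modelled.
"""
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Optional, Tuple

# Constructed sample data: which emails have accounts (hypothetical).
KNOWN_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"first": "Alice", "last": "Example"},
}

# Fixed response body returned for every accepted call, with no field that
# depends on whether the address has an account.
SAFE_RESPONSE = {
    "status": "accepted",
    "message": "If this address has an account, a request will be delivered.",
}


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""
    limit: int = 5
    window: float = 60.0
    _hits: Dict[str, Deque[float]] = field(default_factory=dict)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        # `now` is injectable so the behaviour can be tested without sleeping.
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False  # rejected requests do not consume budget
        q.append(now)
        return True


def request_money_leaky(email: str) -> Dict[str, str]:
    """The 'before' pattern from the thread: the response reveals whether an
    account exists and echoes the holder's name. Kept only for comparison."""
    acct = KNOWN_ACCOUNTS.get(email)
    if acct is None:
        return {"status": "error", "message": "no account for this email"}
    return {"status": "ok", "first_name": acct["first"], "last_name": acct["last"]}


def _queue_internal_request(email: str) -> None:
    """Hypothetical side effect (e.g. enqueue a notification). Deliberately
    returns nothing so that no account-dependent signal reaches the caller."""
    return None


def request_money_safe(email: str, client_key: str, limiter: SlidingWindowLimiter,
                       now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Hardened handler: rate-limited per client, and the (status, body) pair is
    identical for known and unknown emails. Only the internal side effect
    differs, and it is not observable through the response."""
    if not limiter.allow(client_key, now):
        return 429, {"status": "rate_limited"}
    if email in KNOWN_ACCOUNTS:
        _queue_internal_request(email)
    return 202, dict(SAFE_RESPONSE)


def leaks_existence(handler: Callable[[str], object]) -> bool:
    """Defender's check: does the handler answer differently for an address
    that has an account and one that does not? True means it leaks."""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.com")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_existence(request_money_leaky))
    lim = SlidingWindowLimiter(limit=3, window=60.0)
    print("safe handler leaks:",
          leaks_existence(lambda e: request_money_safe(e, "client-1", SlidingWindowLimiter(), now=0.0)))
    print([request_money_safe("nobody@example.com", "ip-1", lim, now=float(i))[0] for i in range(5)])
```

The `leaks_existence` check is the one worth keeping around: the rate limiter only raises the cost of harvesting (and, as the comment above notes, a parallelised harvester can pay it), whereas a response that carries no account-dependent field removes the oracle entirely. Note that the check compares bodies and status codes only; a real review would also compare response timing, since a handler that does extra work for known addresses can still be distinguished that way.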
Hey, I'm the author of this blog post. I think you're mistaken, I didn't send any phishing emails to anyone. All the emails were sent through Coinbase via their request money feature, which I am trying to get them to fix. All emails to you were from Coinbase legitimately and none of them are phishing for your credentials. The lack of rate limiting on the API which allows for money requests is hence very dangerous.