Hacker News new | ask | show | jobs
by homakov 4463 days ago
There's another bug when you can substitute coinbase's iframe with your own, when you use coinbase button. This iframe can ask for username / password, and there's no way for user to distinguish fake iframe from real. They also not into replying emails on their whitehat@ address.
5 comments
MichaelGG 4463 days ago
>substitute coinbase's iframe with your own, when you use coinbase button

How would they go about fixing that? Verified by Visa is the same - you get redirected to some random domain "arcot.com"?. There's a verification code, but that's viewable by anyone that has your credit card (including the site operator where you just input your CC number).

Wouldn't Coinbase need to fully redirect to their own domain, or popup a window with the URL visible in order for users to know they're really dealing with Coinbase?

link
homakov 4463 days ago
>Wouldn't Coinbase need to fully redirect to their own domain, or popup a window with the URL visible in order for users to know they're really dealing with Coinbase?

Yes, of course

link
sillysaurus3 4463 days ago
I'm surprised that even homakov's emails are going unanswered.
link
jessieplk 4463 days ago
+ there was another bug (or "feature") that allowed all access to all funds via API access key.

Sure, the user needs to allow the permissions first, but the warning where disproportionate to the power it gave away.

They've disabled this kind of access since though.

http://www.theverge.com/2014/2/7/5386222/a-string-of-thefts-...

link
dobbsbob 4463 days ago
That was an old trick used by Liberty Reserve scammers too who would social engineer you to activate the API then clean out your wallets.
link
pbreit 4463 days ago
Sounds more like a design decision. Do you have any suggestions besides not using iframes?
link
homakov 4463 days ago
No, since there's no way to check iframe's domain I don't think it can be fixed for iframes.

They should stop asking for user's password right there, because it makes people trust any iframe

link
fatbat 4463 days ago
Maybe they can force login via their main site first. Lousier user experience though.
link
moe 4462 days ago
Lousy user experience is not being able to verify what site I'm about to enter my payment credentials into.
link
pbreit 4462 days ago
It would be a terrific experience if there was no reason to worry.
link
mag00 4463 days ago
https://hackerone.com/coinbase
link