[abalone]

The "full, technical" report doesn't offer any new information. It just shows how to get the firstname and lastname.

The PoC does not at all demonstrate how the alleged bug could be used by phishers to their advantage.. it doesn't even show usage of the firstname or lastname! That makes it incoherent.

[infosec-au]

I don't think you understand, the PoC is not supposed to be a PoC for phishing but rather a PoC for their lack of rate limiting [1] , and user enumeration. I have showed the first name and last name [2], but have accordingly blurred them out [3] as I felt it was only appropriate.

In the technical section, I demonstrate where the first and last name would show up in the response from Coinbase. If you still think it's unclear, let me know, as reporting is something I wish to improve critically.

I appreciate the response from the Bitcoin community and the semi-fix from Coinbase they wish to implement in the future (optional masking of names on coinbase). However, I do also hope that rate limiting is implemented in the future, as I still personally consider this insecure by design.

[1] : http://i.imgur.com/nauHivq.png

[2] : http://blog.shubh.am/full-disclosure-coinbase-security/#tech...

[3] : http://i.imgur.com/l84eOi6.png and http://i.imgur.com/SDlbtty.png

[gaadd33]

How would rate limiting really solve this though? Wouldn't it just result in needing to use a botnet/spend more time harvesting?

Assuming that this is still the easiest way to harvest email/name pairs for phishing, then it seems like the time it takes isn't really a factor in the outcome since it can be parallelized and is still easier than phishing alternatives. It seems like the real answer is just to have it return the same response no matter if there is an account or not.