Think disabling JavaScript makes you more secure? Think again

Cryptocurrency exchange Coinbase has released a post-mortem on a password storage issue that resulted in the login credentials of 3,420 customers being stored in plain text within an internal log.

A bug in Coinbase’s sign-up page meant the names, email addresses, and (clear text) passwords of some would-be users were saved in web server logs.

Customers who had disabled JavaScript – a security precaution largely restricted to the paranoid that has the severe downside of making it impractical to use many websites – were, somewhat ironically, the only ones exposed.

Coinbase was presenting JavaScript refuseniks with partially rendered forms, the results of which were sent to internal error logs.

“If a user had JavaScript disabled or their browser received a React.js error when loading, there was enough pre-rendered HTML that a user could fill out and attempt to submit our registration form,” Coinbase explains.

Access to the logs was restricted, but the content they held wasn’t encrypted.
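The failure mode described above is worth seeing in code: a fallback (no-JavaScript) form submission arrives at the server by an unexpected path, the handler treats it as an error, and the whole request body, password included, is written to the error log. The snippet below is an added illustration, not Coinbase’s code; the field names, the sample submission and the log format are constructed for the example. It shows the vulnerable logging pattern next to a hardened version that redacts secrets by field name before anything reaches a log sink, plus a small check that scans existing log lines for plaintext values under sensitive keys.

```javascript
// Added example, not Coinbase's code. Field names, sample data and log format
// are constructed assumptions for illustration.

// Form fields whose values must never reach a log (assumed denylist).
const SENSITIVE_FIELDS = new Set(['password', 'password_confirmation', 'token', 'otp']);

// Constructed sample: what a server receives when a partially rendered (no-JS)
// sign-up form is POSTed directly, bypassing the client-side handler.
const SAMPLE_SUBMISSION =
  'name=Alice+Example&email=alice%40example.com&password=hunter2&password_confirmation=hunter2';

// Decode an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  const out = {};
  for (const [k, v] of new URLSearchParams(body)) out[k] = v;
  return out;
}

// Vulnerable pattern: the unexpected submission is treated as an error and the
// entire parsed body, including the clear-text password, is logged verbatim.
function vulnerableErrorLogLine(body) {
  return `unexpected form submission: ${JSON.stringify(parseForm(body))}`;
}

// Hardened: replace sensitive values before the object is serialised for logging.
function redact(fields) {
  const clean = {};
  for (const [k, v] of Object.entries(fields)) {
    clean[k] = SENSITIVE_FIELDS.has(k.toLowerCase()) ? '[REDACTED]' : v;
  }
  return clean;
}

function safeErrorLogLine(body) {
  return `unexpected form submission: ${JSON.stringify(redact(parseForm(body)))}`;
}

// Detection check for existing logs: return lines where a sensitive key is
// followed by a value that was not redacted. Useful when auditing a log store
// after a bug like this is found.
function findLeakedSecrets(logLines) {
  const keys = [...SENSITIVE_FIELDS].join('|');
  const pattern = new RegExp(`"(${keys})":"(?!\\[REDACTED\\])`, 'i');
  return logLines.filter((line) => pattern.test(line));
}

// Stand-alone demonstration.
const leaky = vulnerableErrorLogLine(SAMPLE_SUBMISSION);
const safe = safeErrorLogLine(SAMPLE_SUBMISSION);
console.log(leaky);
console.log(safe);
console.log('lines leaking secrets:', findLeakedSecrets([leaky, safe]).length);
```

Redacting at the point where the log line is built is the key design choice: access controls on the log store (which Coinbase says it had) limit who can read a leaked password, but only sanitising before write prevents the password from being stored in the first place.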

“While we are confident that we’ve fixed the root cause and that the logged information was not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution,” Coinbase explained in a post-mortem on Friday.

“We have an internal logging system hosted in AWS, as well as a small number of log analysis service providers. Access to all of these systems is tightly restricted and audited. A thorough review of access to these logging systems did not reveal any unauthorized access to this data,” it added.

Coinbase has triggered a password reset for impacted customers.

A password alone is insufficient by itself to access Coinbase accounts, which are safeguarded by mandatory two-factor authentication (2FA) and additional security controls. The password reset is nonetheless a sensible precaution.

Coinbase has an active bug bounty program, which has paid out $250,000 to date, according to the firm. This particular problem was found internally.

Attacks on crypto-exchanges are far from infrequent, a factor that has prompted security advocates to advise against leaving coins on exchanges.

Website bugs that result in plain text versions of user passwords getting stored somewhere internally on error debugging or similar systems are rare but not unprecedented.

For example, Twitter told users of its social media site to reset their passwords following the discovery of this type of bug in May 2018.

This class of security slip-up is distinct from the many sites that consciously store user passwords in plain text.
