
Well, it's not like Coinbase should be blamed for all of it. It's a combination of their customers' poor hygiene + a flaw in Coinbase's SMS Account Recovery process.

At least they will be reimbursed, and everyone should walk happy.



Anyone care to speculate what the flaw in their SMS recovery flow actually was? It's hard for me to think there's even a safe way to implement SMS based account recovery. They would be smarter to just turn it off.


I do not have a specific answer for Coinbase. Typically, the flaw would be in modifying one of the form inputs to get the code delivered to a different phone number. That usually works out to either modifying the "destination number" client-side form value, or swapping in an edited/reused session token from a different login session's MFA challenge, to exploit missing ownership checks on the various underlying pkey object IDs.
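As an added illustration of the ownership check the comment above describes (example code added here, not Coinbase's or any real system's): a minimal recovery-code handler that trusts a client-supplied phone id beside one that resolves the destination only from the server-side challenge record. All records, ids and numbers are constructed.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample state: verified phones (id -> owner, number) and
# pending recovery challenges (id -> the user and phone bound to it).
PHONES = {
    "ph_1": {"owner": "user_a", "number": "+15550000001"},
    "ph_2": {"owner": "user_b", "number": "+15550000002"},
}
CHALLENGES: dict = {}

@dataclass
class SmsGateway:
    """Stand-in for the SMS provider; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, number: str, code: str) -> None:
        self.sent.append((number, code))

def start_recovery(user_id: str, phone_id: str) -> str:
    """Create a challenge bound server-side to the account's own verified phone."""
    if PHONES[phone_id]["owner"] != user_id:
        raise PermissionError("phone is not verified for this account")
    challenge_id = secrets.token_hex(8)
    CHALLENGES[challenge_id] = {"user": user_id, "phone_id": phone_id}
    return challenge_id

def send_code_insecure(gw: SmsGateway, challenge_id: str, requested_phone_id: str) -> str:
    """Defective handler: the destination comes from the request body and the only
    check is that the phone id exists, so the code can be routed to any stored number."""
    challenge = CHALLENGES[challenge_id]
    number = PHONES[requested_phone_id]["number"]
    code = f"{secrets.randbelow(10**6):06d}"
    challenge["code"] = code
    gw.send(number, code)
    return number

def send_code_hardened(gw: SmsGateway, challenge_id: str, requested_phone_id: str) -> str:
    """Fixed handler: the destination is taken from the server-side challenge, and a
    client-supplied phone id must equal the bound phone, which must belong to the user."""
    challenge = CHALLENGES[challenge_id]
    bound = challenge["phone_id"]
    if requested_phone_id != bound or PHONES[bound]["owner"] != challenge["user"]:
        raise PermissionError("destination is not the phone bound to this challenge")
    code = f"{secrets.randbelow(10**6):06d}"
    challenge["code"] = code
    gw.send(PHONES[bound]["number"], code)
    return PHONES[bound]["number"]
```

The same pattern applies to any object id echoed back by the client: resolve it from server-side session state, or verify its owner against the authenticated principal before acting on it.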


SMS is fundamentally insecure, yes. But this sounds like a problem in the webapp that prepares and sends SMS messages, not SMS itself.


> everyone should walk happy.

The reimbursement comes from somewhere. Investors may not be happy. "everything is securities fraud"

https://www.google.com/search?q=%22everything+is+securities+...


I'm guessing their insurance didn't cover it since it related to insecure account practices. So this is likely from their own revenues.

https://help.coinbase.com/en/coinbase/other-topics/legal-pol...

I don't see the connection with your link to securities fraud though.



