Full Disclosure mailing list archives

By Date By Thread Coinbase User Enumeration From: "stephen () averagesecurityguy info" <stephen () averagesecurityguy info>

Date: Fri, 5 Dec 2014 11:49:42 -0500

Coinbase User Enumeration ========================= The Coinbase web site allows user enumeration, which would normally not be a big deal, but in this case, we are able to enumerate a users username, "real name", and an MD5 hash of the user's email address. Using a large list of email addresses and a tool like hashcat it is possible to determine the email address for many of these users. Keep in mind that the real name is user specified and may not be the user's actual name. Many of the names I enumerated did appear to be the user's real name though. Data Gathering -------------- If you send a GET request to https://www.coinbase.com/<username> you will get either a 200 response if the username is valid or a 404 response if the username is not valid. If you get a 200 message the response will contain the user's real name and an MD5 hash of the user's email address. The MD5 hash is a part of the Gravatar link used to show the user's avatar. Coinbase calculates the Gravatar link and includes it for every user, whether they have a Gravatar account or not and whether or not they have chosen to associate a Gravatar account with their Coinbase account. The following Python regular expressions can be used to gather the real name and the MD5 hash of the email address. r'meta content="(.*?) is accepting' r'/avatar/(.*?)\.png' Attached is a Python script, cb_enumerate.py, that will take a word list, enumerate valid users, and store the enumerated username, real name, and email hash in a database. Finding Email Addresses ----------------------- To crack the MD5 hashes, I first generated a list of potential usernames using the enumerated usernames and various combinations of the real names. I generated a second set of usernames using a list of most popular first and last names. I then used the Alexa top 1000 domain names and a Python script to generate candidate email addresses. Finally, I used another Python script to calculate the MD5 hash for each candidate email address and update the database with the actual email address if the hash is present. This was a very slow process. It would be better to use a tool like Hashcat or oclHashcat to do the email cracking for you and then take the list of matching email addresses generated by Hashcat and feed it to the cb_findemail.py script that is attached. Results ------- I was able to enumerate 2465 Coinbase accounts and was able to recover the email address for over 500 of those accounts. Fixing The Problem ------------------ I don't think there is much you can do to fix the enumeration problem. You could rate limit enumeration attempts coming from a single IP address but an attacker could use multiple IP addresses to get around the rate limiting. The email address enumeration can definitely be prevented by not including the Gravatar link on an account unless the user specifically requests it. Thanks, AverageSecurityGuy Attachment: cb_enumerate.py

Description: Attachment: cb_findemail.py

Description: Attachment: signature.asc

Description: Message signed with OpenPGP using GPGMail _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Coinbase User Enumeration stephen () averagesecurityguy info (Dec 08)