ForexMinute.com – Popular Bitcoin wallet company Coinbase was trolled today by a small section of the Bitcoin community after a Reddit post presented evidence of some minor privacy bugs on its platform.
As stated in the post, the privacy bug on Coinbase’s official website allows “user enumeration”, permitting a hacker to obtain users’ usernames, real names, and MD5 hashes of their email addresses. “Using a large list of email addresses and a tool like hashcat it is possible to determine the email address for many of these users. Keep in mind that the real name is user specified and may not be the user’s actual name. Many of the names I enumerated did appear to be the user’s real name though.”
In the same post, the faultfinder – a Reddit user going by the alias ‘SatoshisGhost’ – advised users to avoid using Gravatar, as it gives away the MD5 hash of the user’s email address. Litecoin founder and one of the contributors at Coinbase, Charlie Lee, also agreed with this suggestion and stated: “This issue is that we link to the Gravatar img from our user profile page. So if you have a huge list of email addresses, you can MD5 hash each one and check to see if it matches the hash in the Gravatar URL.”
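The exposure Lee describes, seen from the site operator's side, as an added example that is not Coinbase's or Gravatar's code: an audit that checks whether avatar references on a profile page can be matched back to known addresses, run against a direct Gravatar link and against a server-side proxy that exposes only a keyed token. The addresses, the `/avatar/` proxy route and the server key are constructed or hypothetical.

```python
import hashlib
import hmac

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"

def normalize(email: str) -> bytes:
    # Gravatar hashes the trimmed, lower-cased address.
    return email.strip().lower().encode("utf-8")

def direct_avatar_url(email: str) -> str:
    # Weak: the profile page links straight to Gravatar, exposing md5(email).
    return GRAVATAR_BASE + hashlib.md5(normalize(email)).hexdigest()

def proxied_avatar_url(email: str, server_key: bytes) -> str:
    # Hardened (hypothetical /avatar/ route): the site fetches the image
    # server-side and exposes only a keyed token that cannot be recomputed
    # without server_key.
    token = hmac.new(server_key, normalize(email), hashlib.sha256).hexdigest()
    return "/avatar/" + token

def audit_avatar_refs(avatar_refs, candidate_emails):
    """Return {ref: matched email or None} for a list of avatar URLs."""
    table = {hashlib.md5(normalize(e)).hexdigest(): e for e in candidate_emails}
    results = {}
    for ref in avatar_refs:
        # Last path segment, without any query string such as ?s=80.
        digest = ref.rsplit("/", 1)[-1].split("?", 1)[0]
        results[ref] = table.get(digest)
    return results

# Constructed sample data.
USERS = ["Alice@Example.com ", "bob@example.com"]
CANDIDATES = ["carol@example.com", "alice@example.com", "bob@example.com"]
SERVER_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    direct = [direct_avatar_url(u) for u in USERS]
    proxied = [proxied_avatar_url(u, SERVER_KEY) for u in USERS]
    print(audit_avatar_refs(direct, CANDIDATES))   # every ref maps to an address
    print(audit_avatar_refs(proxied, CANDIDATES))  # every ref maps to None
```

Any non-`None` value in the audit result means the page discloses an identifier that anyone holding the same address list can resolve.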
In the end, the privacy bug does not pose much of a threat if users do not include their real details in their email addresses and usernames. For the remaining cases, it seems that Coinbase and Gravatar officials should meet over a drink to discuss the issue.
To contact the reporter of the story: Yashu Gola at firstname.lastname@example.org