Coinbase Fixes Vulnerable API that Let You Sell Bitcoin You Didn’t Own – Security Boulevard

The Home of the Security Bloggers Network
Home » Security Bloggers Network » Coinbase Fixes Vulnerable API that Let You Sell Bitcoin You Didn’t Own
On Friday, February 11th 2022, a security researcher (Tree_of_Alpha on Twitter) discovered a flaw in Coinbase’s new Advanced Trading feature that allowed users to sell cryptocurrencies without owning them. According to the Coinbase blog, the flaw was resolved in a matter of hours without any malicious exploitation. And Coinbase paid Tree of Alpha the largest-ever bug bounty of $250,000.
Let’s get the details straight from the researcher. Tree of Alpha outlined how they discovered the security flaw in a series of tweets:
Coinbase’s “largest-ever bug bounty”
How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase’s reaction speed on a Super Bowl Friday averted a possible crisis.
Bounty: $250,000
— Tree of Alpha (@Tree_of_Alpha)
February 19, 2022
At first, I decided to poke around the new Advanced Trading platform to find out how orders are sent and what a successful one looks like.
I put an ETH-EUR order from the UI, and grabbed the request that was sent.
I noticed the API needs product, source and target account ids.
— Tree of Alpha (@Tree_of_Alpha)
February 19, 2022
In order to get a failed message, I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet).
Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through.
— Tree of Alpha (@Tree_of_Alpha)
February 19, 2022
I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC.
Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book.
— Tree of Alpha (@Tree_of_Alpha)
February 19, 2022
For my last test before reporting this to make sure, I:
-send 9M SHIB to my Coinbase account
-change source account id to my SHIB account on Coinbase
-put a 50 BTC limit sell order using 50 SHIB
-ask people around me if they are, too, seeing it.
— Tree of Alpha (@Tree_of_Alpha)
February 19, 2022
And quite frankly, there aren’t many things quite as sobering yet terrifying as realizing:
-you just put a 50 BTC limit sell order using 50 SHIB.
-everyone else can see it.
5 minutes later, I was sending this initial tweet.
— Tree of Alpha (@Tree_of_Alpha)
February 19, 2022
Unfortunately, security issues like this are fairly common, especially with APIs. Many businesses are experiencing a surge in API usage because they are releasing new features (like in the example of Coinbase), modernizing applications, migrating to the cloud, conducting M&A, and connecting to rich partner ecosystems — all of which mean more and more APIs.
One of the biggest challenges around securing APIs is discovery. Enterprises don’t know how many APIs they have, but API discovery is so much more than a number. If you don’t even know how many APIs you have, you don’t know if your APIs have been properly tested or configured. Which APIs are internet facing? Which APIs are communicating sensitive information? These blind spots are where attackers thrive.
One of the properties of API vulnerabilities that makes them so dangerous is how easy it is for a threat actor to identify and exploit these vulnerabilities. To remotely compromise a device (like a laptop or mobile phone) often requires a significant amount of time, resources, and expertise. In contrast, performing unauthorized, unintended transactions using a financial institution’s APIs may not require more than 10 minutes, a browser, and a curious researcher.
The first generation of API security tools are reactionary. They simply monitor traffic to look for threats. However, misconfigurations and design flaws often can’t be detected by these tools. When a traffic monitoring tool does recognize unusual patterns, they are reacting to the symptom. The attack has already occurred or is actively occurring, but the tool is blind to what the configuration or design flaw the attackers are exploiting.
This is why bug bounties continue to be a critical tool in the security landscape. The Coinbase bounty is the largest and most recent, but there has been a long history of security researchers helping enterprises identifying significant threats to their APIs, like Sam Curry’s Hacking Starbucks. Enterprises incentivize security researchers to proactively identify problems in production before they are exploited by attackers. 
Identifying API security vulnerabilities as part of the SDLC — before production — is more critical than ever. Noname Security combines “Shift Left” API testing features paired with the industry’s most advanced posture management and runtime security capabilities. Noname is the only solution to proactively secure your environment from API security vulnerabilities, misconfigurations, and design flaws while providing automated detection and response to API attacks.
Learn more about how common API vulnerabilities are in the financial services industry by downloading white paper Hacking Banks and Cryptocurrency Exchanges Through Their APIs by Alissa Knight.

*** This is a Security Bloggers Network syndicated blog from Noname API Security Blog authored by Aner Morag. Read the original post at:

More Webinars
Security Boulevard Logo White