The US cryptocurrency exchange Coinbase reported that it discovered a bug that caused some of its customers’ passwords to be stored in plain text in an internal server log.
The exchange said this information was not accessible to outside parties. Coinbase described the “password storage issue,” which affected some 3,500 customers, in a post on its blog. The bug caused users’ personal information, including passwords, to be stored in clear text in the logging system on an internal server of the exchange.
“With a very specific and rare error condition, the form on our registration page did not load correctly. This meant that any attempt to create a new Coinbase account under these conditions was unsuccessful. Unfortunately, this also meant that the person’s name, email address and password were sent to our internal logs,” the exchange said.
In 3,420 cases, prospective customers reused the same password on a second registration attempt, which succeeded. The password on their live account therefore matched the password stored in the company’s logs. These customers received an email from Coinbase.
The error stemmed from Coinbase’s use of server-side rendering with React.js on the registration page. When a user visited the page to register an account, React rendered the form that needed to be filled out. The exchange said:
Because the HTML form was rendered “bare,” with no action or method attributes specified, some browsers defaulted to submitting it with GET, which encoded the form field values into the request URL and therefore into the logged data. The exchange fixed the problem by switching the form’s default method to POST so that the data is no longer logged.
“We are also introducing additional mechanisms to detect and prevent the inadvertent occurrence of this kind of error in the future,” the blog post said.
Coinbase also traced where the logs could have been stored, including a system hosted on Amazon Web Services and some “log analysis providers.” “A thorough analysis of access to these logging systems did not reveal unauthorized access to data,” the exchange said, noting that access to each of the systems was “strictly limited and audited.”
Coinbase also initiated a password reset for anyone whose account was affected by the error. “Although we are confident that we corrected the root cause and that the information was not used inappropriately or compromised, we are requiring these customers to change their passwords as a precaution,” the statement said.
Leaks of cryptocurrency exchange users’ data are not rare. Binance recently denied rumors of a user data leak, and alleged Huobi user data has been put up for sale on the darknet.