Despite the ridicule that modern tech companies face at potentially storing passwords in plain text, despite better intentions, company-side mistakes can still lead to security vulnerabilities.
On August 16th, a blog post from Coinbase detailed a bug in their internal server logs, leaving the potential to have user passwords harvested from internal logs. The bug was reportedly found internally by the Coinbase team.
As described in the blog post, the Coinbase website would occasionally fail to load properly when a new account was being registered. This resulted in an unsuccessful registration for the end user, meaning that the unsuccessful attempt was recorded in server logs as plain text. However, if a user refresh This resulted in an unsuccessful registration for the end user, meaning that the unsuccessful attempt was recorded in server logs as plain text ed the page and attempted to register with the same password a second time, the password would be successfully hashed and would match the hash in the unsuccessful attempt. This means that any individual with access to Coinbase server logs could harvest users’ credentials for malicious purposes.
Coinbase further noted that device verification emails and mandatory two factor authentication (2FA) would have been triggered should a password have been used; however, the company is either willfully declining or forgetting to mention the cybersecurity issue of password reuse. Affected customers who had attempted to register with the same password as their email address would have been more susceptible to a personal attack, increasing the severity of the glitch.
Coinbase assured that no information was accessed by third parties, and contacted users affected urging them to change their passwords as a precaution.
As those affected make up a mere infinitesimal fraction of Coinbase users, the glitch is not considered to be consequential. Despite this, the bug indeed serves as a caution to companies handling sensitive credentials. Though the credentials themselves may be secure, the information captured by the end user must be examined with the utmost scrutiny to ensure nothing is scooped up in the registration process.