Coinbase User Enumeration

["stephen () averagesecurityguy info" <stephen () averagesecurityguy info>]

Coinbase User Enumeration
=========================
The Coinbase web site allows user enumeration, which would normally not be a big deal, but in this case, we are able to 
enumerate a users username, "real name", and an MD5 hash of the user's email address. Using a large list of email 
addresses and a tool like hashcat it is possible to determine the email address for many of these users. Keep in mind 
that the real name is user specified and may not be the user's actual name. Many of the names I enumerated did appear 
to be the user's real name though.


Data Gathering
--------------
If you send a GET request to https://www.coinbase.com/<username> you will get either a 200 response if the username is 
valid or a 404 response if the username is not valid. If you get a 200 message the response will contain the user's 
real name and an MD5 hash of the user's email address. The MD5 hash is a part of the Gravatar link used to show the 
user's avatar. Coinbase calculates the Gravatar link and includes it for every user, whether they have a Gravatar 
account or not and whether or not they have chosen to associate a Gravatar account with their Coinbase account.

The following Python regular expressions can be used to gather the real name and the MD5 hash of the email address.

r'meta content="(.*?) is accepting'
r'/avatar/(.*?)\.png'

Attached is a Python script, cb_enumerate.py, that will take a word list, enumerate valid users, and store the 
enumerated username, real name, and email hash in a database.


Finding Email Addresses
-----------------------
To crack the MD5 hashes, I first generated a list of potential usernames using the enumerated usernames and various 
combinations of the real names. I generated a second set of usernames using a list of most popular first and last 
names. I then used the Alexa top 1000 domain names and a Python script to generate candidate email addresses. Finally, 
I used another Python script to calculate the MD5 hash for each candidate email address and update the database with 
the actual email address if the hash is present. This was a very slow process.

It would be better to use a tool like Hashcat or oclHashcat to do the email cracking for you and then take the list of 
matching email addresses generated by Hashcat and feed it to the cb_findemail.py script that is attached.


Results
-------
I was able to enumerate 2465 Coinbase accounts and was able to recover the email address for over 500 of those accounts.


Fixing The Problem
------------------
I don't think there is much you can do to fix the enumeration problem. You could rate limit enumeration attempts coming 
from a single IP address but an attacker could use multiple IP addresses to get around the rate limiting. The email 
address enumeration can definitely be prevented by not including the Gravatar link on an account unless the user 
specifically requests it.

Thanks,

AverageSecurityGuy

Attachment: cb_enumerate.py
Description:

Attachment: cb_findemail.py
Description:

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/