The popular Bitcoin wallet Coinbase has a weakness in its Android app that could allow an attacker to steal authentication codes and access users’ accounts, according to a security researcher.
Although the flaw in the way Coinbase’s apps handle SSL (HTTPS) certificates was disclosed to the company by researcher Bryan Stern through the company’s bug bounty program, the issue has not been resolved.
After several months of back and forth with Coinbase, Stern went public with his findings and wrote them up on his GitHub blog on 27 June 2014.
Coinbase paid Stern $100 through the company’s bug bounty program and marked the bug status as “Won’t fix (closed)”.
As Stern put it:
With a compromised SSL connection, an attacker could gain full control of a user's account by stealing their access token. An attacker could also intercept a request to send bitcoins and change both the amount and destination address.
Stern’s concerns may be a little over-the-top, because it seems that Coinbase’s Android app does check that the TLS certificate presented when it connects to a Coinbase server is valid and signed by a recognised Certificate Authority (CA).
However, HTTPS clients for financial apps can take additional steps to cross-check, or “pin”, the TLS certificates issued by their own servers.
Performing additional checks on your own TLS certificates (such as verifying the certificates against an allowlist, or requiring that they be signed by a specific CA) makes it harder for crooks to use fraudulently acquired certificates – even if they persuade a compliant CA to sign a certificate in your name, it is unlikely to pass your secondary checks.
→ If you are a non-resident who has entered the USA in the past few years, you will know that immigration officials not only check that you have an apparently valid passport issued by your country, but also that your fingerprints don’t flag you up against a database held by their country. Whether you approve of this fingerprinting process or not, it does provide an extra layer of protection against fraudulently issued passports, rather than merely checking for passports that are being used fraudulently.
Crooks have previously targeted Coinbase users with phishing, although the example we saw wasn’t too convincing – the thieves didn’t have an HTTPS certificate, fraudulent or otherwise, so their phony site didn’t have an HTTPS address.
Should you use digital wallets and mobile banking apps?
In January 2014, we wrote about a research project carried out by Ariel Sanchez of security assessment company IOActive.
Sanchez looked at 40 different iOS banking apps used by 60 different banks in about 20 different countries, and found that 40% of them made HTTPS connections without validating the certificates at all, making those apps dangerously vulnerable to Man in the Middle (MitM) attacks.
In 2013, the cryptographic verification code at the core of Google’s Android operating system was found to have three different bugs that allowed modified apps to masquerade as legitimate, signed apps from a trusted vendor.
And in June 2014, we wondered aloud why Apple’s latest security updates patched nearly 30 remote code execution holes in Safari for iOS, but only 10 holes in Safari for OS X.
It does look as though security in mobile apps is lagging behind what we have come to expect on our desktop and laptop operating systems.
Our advice:
- Avoid using mobile apps for financial transactions.
- To conduct online banking, use a decently-protected desktop or laptop and a mainstream browser. Make sure your bank uses HTTPS to encrypt your connection.
- Consider adopting two-factor authentication (2FA) on any online services that offer it in your country.
- If you need to use mobile banking apps, consider using the VPN from Sophos UTM Home Edition. It will encrypt your traffic when you are using public Wi-Fi and other untrusted networks, and route it back through your own network, making it harder for crooks to perform a man-in-the-middle attack. And it’s completely free.
Note. Article updated at 2014-07-05T20:30Z in response to comments about the severity of this flaw. (See comments below.)
It’s worth noting that Coinbase *do* validate the SSL certificates, but they’re not pinning them. What this means is a trivially self-signed certificate won’t work, but if you create your own CA and install the CA certificate into the trusted root store on your device then it will work. Alternatively, if you’re a CA then you can just issue a valid certificate for Coinbase’s API domain and you’re away.
This is nowhere near the major security snafu that it would be if they didn’t validate certificates at all.
It also means that you have the same security as you would do using a web browser on your phone or on a desktop machine (in terms of SSL), as opposed to reduced security as the article seems to imply.
Thanks for the comment… we’ve updated the article accordingly.
The certificates are validated; an attacker would need to get a certificate signed by one of the many root certificates included on Android.
Sure, this is not ideal, but this is the exact same situation when you log in to any website normally using a web browser, including your internet banking platform and also the Coinbase main website.
Why beat up on the Android application?
Thanks, and point taken…we’ve updated the article.