There's another bug when you can substitute coinbase's iframe with your own, when you use coinbase button. This iframe can ask for username / password, and there's no way for a user to distinguish a fake iframe from a real one. They're also not into replying to emails on their whitehat@ address.



>substitute coinbase's iframe with your own, when you use coinbase button

How would they go about fixing that? Verified by Visa is the same - you get redirected to some random domain ("arcot.com"?). There's a verification code, but that's viewable by anyone that has your credit card (including the site operator where you just input your CC number).

Wouldn't Coinbase need to fully redirect to their own domain, or popup a window with the URL visible in order for users to know they're really dealing with Coinbase?


>Wouldn't Coinbase need to fully redirect to their own domain, or popup a window with the URL visible in order for users to know they're really dealing with Coinbase?

Yes, of course


I'm surprised that even homakov's emails are going unanswered.


+ there was another bug (or "feature") that allowed all access to all funds via API access key.

Sure, the user needs to allow the permissions first, but the warning was disproportionate to the power it gave away.

They've disabled this kind of access since though.

http://www.theverge.com/2014/2/7/5386222/a-string-of-thefts-...


That was an old trick used by Liberty Reserve scammers too who would social engineer you to activate the API then clean out your wallets.


Sounds more like a design decision. Do you have any suggestions besides not using iframes?


No, since there's no way to check an iframe's domain I don't think it can be fixed for iframes.

They should stop asking for the user's password right there, because it makes people trust any iframe


Maybe they can force login via their main site first. Lousier user experience though.
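A defensive sketch of the two fixes raised in this subthread (a credential page that refuses to be framed at all, and a button that hands the user off to a top-level window on the vendor's own origin instead of collecting a password inline). This is an added example, not code from the thread or from Coinbase; `https://vendor.example`, the `/checkout` path and every function name are assumptions.

```javascript
// Added example, not code from the thread or from Coinbase: defensive patterns
// for the "which site is really behind this iframe" problem discussed above.
// VENDOR_ORIGIN is a placeholder; every function name here is assumed.

const VENDOR_ORIGIN = "https://vendor.example";

// 1. Server side: a page that asks for credentials should refuse to be framed,
//    so a password prompt can only ever appear at a top-level URL the user can
//    read in the address bar. Both headers are sent: CSP frame-ancestors is the
//    modern control, X-Frame-Options covers browsers that only know the older one.
function antiFramingHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
  };
}

// Defender's check for your own login/checkout endpoint: given the response
// headers, is a third-party site prevented from embedding the page in an iframe?
function isThirdPartyFramingBlocked(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? String(headers[key]) : "";
  };
  const csp = get("content-security-policy");
  const match = csp.match(/(?:^|;)\s*frame-ancestors\s+([^;]+)/i);
  if (match) {
    // frame-ancestors takes precedence over X-Frame-Options when present.
    // Only 'none' and 'self' keep other origins out; any listed host is a
    // third party that is allowed to frame the page.
    const sources = match[1].trim().toLowerCase().split(/\s+/);
    return sources.every((s) => s === "'none'" || s === "'self'");
  }
  const xfo = get("x-frame-options").trim().toUpperCase();
  return xfo === "DENY" || xfo === "SAMEORIGIN";
}

// 2. Client side: the embeddable button sends the user to a top-level page on
//    the vendor origin rather than rendering a credential form inline. The URL
//    API pins the origin, so a merchant-supplied path or parameter cannot steer
//    the user to another host.
function buildHandoffUrl(path, params) {
  const url = new URL(path, VENDOR_ORIGIN);
  if (url.origin !== VENDOR_ORIGIN) {
    throw new Error("handoff URL left the vendor origin: " + url.href);
  }
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value);
  }
  return url.href;
}

// Called from the button's click handler in a browser. A new top-level window
// shows the real origin in the address bar; "noopener" keeps the merchant page
// from scripting the vendor window afterwards. Returns the URL so the same
// function can be exercised outside a browser.
function openCheckout(params) {
  const href = buildHandoffUrl("/checkout", params);
  if (typeof window !== "undefined") {
    window.open(href, "_blank", "noopener");
  }
  return href;
}

// Constructed sample responses, as a scan of two endpoints might record them.
const SAMPLE_RESPONSES = {
  hardenedLogin: antiFramingHeaders(),
  legacyLogin: { "Content-Type": "text/html; charset=utf-8" },
};

// Report which sampled endpoints a third party could still frame.
function auditSamples() {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = isThirdPartyFramingBlocked(headers) ? "ok" : "embeddable";
  }
  return report;
}
```

The header check is deliberately conservative: a `frame-ancestors` list that names any host other than `'self'` is reported as embeddable, because that host is exactly the kind of third-party page the thread is worried about, and `X-Frame-Options` is only consulted when no `frame-ancestors` directive is present, matching how browsers resolve the two.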


Lousy user experience is not being able to verify what site I'm about to enter my payment credentials into.


It would be a terrific experience if there was no reason to worry.
