Hacker News

I haven't really lost my trust in Coinbase due to this issue but I do find it annoying the way they are handling it so far.

Almost any site that has a password reset can be used to verify whether an email account exists in that system, depending on whether the system tells you "no user with that username exists" or not. Coinbase is in no way unique in the amount of info they expose, which is the point they were trying to make in their "official" response.

I would have liked to see them announce that the API does have some sort of throttle and that maybe they are going to think of ways to enable an option for this behavior, or something - basically anything except just dismissing it. Even though I personally agree with them as far as the level of vulnerability goes, a lot of people don't, and Coinbase doesn't seem to understand this perception problem.




It is certainly possible to allow for password resets and account creation as well without revealing whether an account exists.

Password reset:

1. User enters email in password reset form.

2. Website shows the same message whether the password was reset or not.

3. Email is what differs. If the account exists, send a password reset link. If it does not, send an email asking them if they want to create an account (and offer an unsubscribe link so people can't spam signup emails).

Signup:

1. User enters email in signup form.

2. Website states it is sending an email to verify the account.

3. If it already exists, send a message saying they already have an account. If not, send the normal email verification link and then they can complete filling in their account details.

This prevents someone without access to the email from finding out that the account exists, and also keeps the owner of the email filled in if they just forgot which email they used for the account or that they already had an account.
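The reset and signup flows described in the comment above, together with the request throttle the earlier comment asks Coinbase to confirm, written out as an added example. This is not Coinbase's code or anything from the thread: the account store, the unsubscribed-address list, the `Outbox` mail queue stand-in, the message texts and the `Throttle` class are all constructed here for illustration. The leaky variant is included first so the difference is visible: it answers the question "does this account exist?" in the HTTP response, while the safe variants answer it only in an email that reaches the mailbox owner.

```python
"""Enumeration-resistant password reset and signup (added example, not Coinbase's code).

Assumptions: ACCOUNTS and UNSUBSCRIBED are constructed sample data; Outbox stands in
for an asynchronous mail queue; Throttle is a simple fixed-window counter.
"""
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data: one registered account, and one mailbox whose owner
# used the unsubscribe link in an earlier unsolicited email.
ACCOUNTS = {"alice@example.com": 1}
UNSUBSCRIBED = {"spamtarget@example.com"}

# The web response is a fixed string; it never depends on whether the account exists.
RESET_RESPONSE = "If that address has an account, we have emailed it instructions."
SIGNUP_RESPONSE = "We have emailed that address to continue setting up the account."


@dataclass
class Outbox:
    """Stand-in for an asynchronous mail queue (constructed, not a real library).

    Entries are (recipient, template, token). Handing the send to a queue keeps the
    request's timing independent of which branch was taken.
    """
    sent: list = field(default_factory=list)

    def queue(self, to, template, token=None):
        self.sent.append((to, template, token))


def _normalize(email):
    return email.strip().lower()


def leaky_password_reset(email, accounts=ACCOUNTS):
    """The pattern the thread complains about: the response itself reveals whether
    the account exists, so anyone can enumerate addresses without touching the mailbox."""
    if _normalize(email) not in accounts:
        return "No user with that email address exists."
    return "Password reset email sent."


def request_password_reset(email, outbox, accounts=ACCOUNTS, unsubscribed=UNSUBSCRIBED):
    """Always return RESET_RESPONSE. Only the email differs, and it goes to the
    mailbox owner, who is entitled to learn whether they have an account."""
    addr = _normalize(email)
    if addr in accounts:
        # Single-use, unguessable token; the server binds it to the account.
        outbox.queue(addr, "reset_link", secrets.token_urlsafe(32))
    elif addr not in unsubscribed:
        # No account: offer to create one. The token doubles as the unsubscribe
        # handle, so the endpoint cannot be used to spam a third party's mailbox.
        outbox.queue(addr, "no_account_offer_signup", secrets.token_urlsafe(32))
    return RESET_RESPONSE


def request_signup(email, outbox, accounts=ACCOUNTS, unsubscribed=UNSUBSCRIBED):
    """Always return SIGNUP_RESPONSE. An existing owner is told by email that they
    already have an account; a new address gets a verification link."""
    addr = _normalize(email)
    if addr in accounts:
        outbox.queue(addr, "already_have_account")
    elif addr not in unsubscribed:
        outbox.queue(addr, "verify_email", secrets.token_urlsafe(32))
    return SIGNUP_RESPONSE


class Throttle:
    """Fixed-window limit on reset/signup requests per key (e.g. address or client IP).

    Constructed example; `now` is injectable so the window can be tested without sleeping.
    """

    def __init__(self, limit, window_seconds, now=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.now = now
        self._hits = {}  # key -> (window_start, count)

    def allow(self, key):
        t = self.now()
        start, count = self._hits.get(key, (t, 0))
        if t - start >= self.window:
            start, count = t, 0  # window expired, start a fresh one
        if count >= self.limit:
            self._hits[key] = (start, count)
            return False
        self._hits[key] = (start, count + 1)
        return True
```

Two points a practitioner should check when deploying this: the response must be identical in body, status code and timing for both branches (which is why the mail send is queued rather than performed inline), and the same throttle should cover both endpoints, since an attacker who is blocked on reset can otherwise move to signup to ask the same question. The unsubscribe suppression is applied to both flows here; the comment above only calls for it on the "no account" email, so treat that extension as a design choice rather than something the thread specifies.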


I agree 100% this is the right way to do it. And it's really not any more difficult to implement.

The problem is the convenience tradeoff. Take a site that has an instant green/red indicator that a username is already taken. People love the instant feedback, but it creates an attack vector. If you had to wait around for an email to see if you had already signed up - I bet a "Show HN" would have people here telling you that your site was user hostile! Even though it is unquestionably more secure.

I do think what Coinbase is doing now is not out of line with standard practices. But for a financial site they might be wise to start erring in the direction of security at the expense of a little convenience.


Yes, this is the right workflow, but you'd be surprised how few services implement this properly! Another thing that most services don't implement is providing geolocation and other pieces of info in password reset emails, and the ability to report that you didn't request it, with some basic flagging (even as simple as flagging that session), which would stop that guy from repeatedly resetting it. The ability to add login email notifications is also priceless.


I see your point, but keep in mind that Coinbase deals with money.

I don't think many banks (if any) will let you do a password reset based on your email address; they would use your credit card/account number as an identifier of some sort, not tied in to their authentication system or to a system that can be hacked (i.e., email).

Them comparing a financial service API that deals with money to Google+ or Facebook should tell you as much.



