Message-Id: <AA318DEC-8B23-414A-91B3-EF76D671F8B6@averagesecurityguy.info>
Date: Fri, 5 Dec 2014 11:49:42 -0500
From: "stephen@...ragesecurityguy.info" <stephen@...ragesecurityguy.info>
To: fulldisclosure@...lists.org
Subject: [FD] Coinbase User Enumeration

Coinbase User Enumeration
=========================
The Coinbase web site allows user enumeration, which would normally not be a big deal, but in this case, we are able to enumerate a user's username, "real name", and an MD5 hash of the user's email address. Using a large list of email addresses and a tool like hashcat it is possible to determine the email address for many of these users. Keep in mind that the real name is user specified and may not be the user's actual name. Many of the names I enumerated did appear to be the user's real name though.


Data Gathering
--------------
If you send a GET request to https://www.coinbase.com/<username> you will get either a 200 response if the username is valid or a 404 response if the username is not valid. If you get a 200 message the response will contain the user's real name and an MD5 hash of the user's email address. The MD5 hash is a part of the Gravatar link used to show the user's avatar. Coinbase calculates the Gravatar link and includes it for every user, whether they have a Gravatar account or not and whether or not they have chosen to associate a Gravatar account with their Coinbase account.

The following Python regular expressions can be used to gather the real name and the MD5 hash of the email address.

r'meta content="(.*?) is accepting'
r'/avatar/(.*?)\.png'

Attached is a Python script, cb_enumerate.py, that will take a word list, enumerate valid users, and store the enumerated username, real name, and email hash in a database.
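As an added defender-side example (not part of the original post or its attached scripts), the following Python flags sources that probe many distinct /<username> paths with a high 404 share, which is the traffic pattern the lookup described above produces. The access-log lines and the NON_PROFILE route list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); not real Coinbase traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2014:11:40:01 -0500] "GET /alice HTTP/1.1" 200 5120
203.0.113.7 - - [05/Dec/2014:11:40:02 -0500] "GET /bob HTTP/1.1" 404 310
203.0.113.7 - - [05/Dec/2014:11:40:02 -0500] "GET /carol HTTP/1.1" 404 310
203.0.113.7 - - [05/Dec/2014:11:40:03 -0500] "GET /dave HTTP/1.1" 200 5080
203.0.113.7 - - [05/Dec/2014:11:40:03 -0500] "GET /erin HTTP/1.1" 404 310
203.0.113.7 - - [05/Dec/2014:11:40:04 -0500] "GET /frank HTTP/1.1" 404 310
198.51.100.2 - - [05/Dec/2014:11:41:10 -0500] "GET /alice HTTP/1.1" 200 5120
198.51.100.2 - - [05/Dec/2014:11:41:12 -0500] "GET /dashboard HTTP/1.1" 200 9000
"""

# Only single-segment GETs match: that is the /<username> profile lookup shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /(?P<path>[^/ ?]*) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Single-segment routes that are site pages, not profile lookups (assumed list).
NON_PROFILE = {"", "dashboard", "signin", "signup", "about"}


def profile_probe_stats(log_text):
    """Per-source counts of distinct usernames probed and of 200 vs 404 answers."""
    stats = defaultdict(lambda: {"distinct": set(), "hits": 0, "misses": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") in NON_PROFILE:
            continue
        s = stats[m.group("ip")]
        s["distinct"].add(m.group("path"))
        if m.group("status") == "200":
            s["hits"] += 1
        elif m.group("status") == "404":
            s["misses"] += 1
    return stats


def flag_enumerators(log_text, min_distinct=5, min_miss_ratio=0.5):
    """A source trying many distinct usernames with mostly 404s is enumerating."""
    flagged = []
    for ip, s in profile_probe_stats(log_text).items():
        total = s["hits"] + s["misses"]
        if len(s["distinct"]) >= min_distinct and total and s["misses"] / total >= min_miss_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

Because a wordlist run spread across many source addresses keeps each source under the per-IP threshold, a site-wide count of 404s on profile paths per time window is the companion metric worth alerting on.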


Finding Email Addresses
-----------------------
To crack the MD5 hashes, I first generated a list of potential usernames using the enumerated usernames and various combinations of the real names. I generated a second set of usernames using a list of most popular first and last names. I then used the Alexa top 1000 domain names and a Python script to generate candidate email addresses. Finally, I used another Python script to calculate the MD5 hash for each candidate email address and update the database with the actual email address if the hash is present. This was a very slow process.

It would be better to use a tool like Hashcat or oclHashcat to do the email cracking for you and then take the list of matching email addresses generated by Hashcat and feed it to the cb_findemail.py script that is attached.


Results
-------
I was able to enumerate 2465 Coinbase accounts and was able to recover the email address for over 500 of those accounts.


Fixing The Problem
------------------
I don't think there is much you can do to fix the enumeration problem. You could rate limit enumeration attempts coming from a single IP address but an attacker could use multiple IP addresses to get around the rate limiting. The email address enumeration can definitely be prevented by not including the Gravatar link on an account unless the user specifically requests it.

Thanks,

AverageSecurityGuy

View attachment "cb_enumerate.py" of type "text/x-python-script" (1527 bytes)

View attachment "cb_findemail.py" of type "text/x-python-script" (1145 bytes)



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
