Email Disclosure in Coinbase – Bug Bounty POC
Hey Bug Bounty POC viewers, hope you are alright. It's been a while since someone posted a PoC on bugbountypoc, so today I will be sharing a find in Coinbase from a few days back. Guys, it's not a top-notch find, but the main reason for sharing it is to encourage beginners and help them develop a sense of methodology. The main thing is how good your observation is. So let's come to the issue. Back in March I received a bounty in Coinbase. I usually use the Coinbase app on Android, and a strange thing caught my eye. As you can see in the screenshot below, when bitcoins are received it is shown like "Received Bitcoin from Hackerone". But back in March, when it was not patched, the app showed something like this:
"Received Bitcoins from Bounties@hackerone.com"
So the email of the sender was being disclosed. At first I thought it was by design, but then I decided to give it a try. After a day the cruel guy, who I guess is on a lot of teams, named "ttoko" closed the report, saying it was not a security-related issue. Find the screenshot below. I just didn't know what to comment, so I left it at that. Then on 17th April I was again hunting Coinbase for some bugs, and while navigating to the settings panel one thing caught my eye, saying:
"Your email is not shown to others"
I quickly reopened the closed report and posted a comment on it.
I guess I don't have to write out the whole conversation, so have a look at the screenshots below.
In the end I would like to say: just work with your full, active mind and don't underestimate yourself. I hope you liked this one.
Coinbase Bounty: