The Security Implications of Coinbase's Super Bowl AdSome Cybersecurity Experts Concerned About Likely New Threat Vector
Even if you missed the Super Bowl on Sunday, you could not have missed the chatter in the cybersecurity community about a particular advertisement.
The 60-second ad, paid for by cryptocurrency exchange platform Coinbase, featured a QR code that took those who scanned it to the company’s trading website. The website crashed due to the ad's popularity and subsequent high website traffic, but it got back up soon. Now, some cybersecurity experts have voiced concerns about using a vulnerable QR code on live TV.
The Coinbase SuperBowl ad. pic.twitter.com/Gp3o5DOD21— Chip – onthechain.io (@stephenchip) February 14, 2022
"The ad was so successful that within a few seconds of it appearing, the platform itself crashed," Aaron Mulgrew, senior solutions architect at cybersecurity firm Forcepoint, says.
"While the use of QR codes for legitimate purposes has really had a second wave of popularity as a result of the changes the pandemic has brought, there are also unfortunately many illegitimate uses," he says and offers as an example a malicious actor sending users to a fake phishing site that visually looks similar to the Coinbase site's real URL.
"The problem with QR codes is that you cannot visually see where the link will take you. Apple has tried to mitigate this by providing a preview to the URL, but this can be bypassed too. Malicious QR codes can also be used to auto-launch applications, or even connect to Wi-Fi networks and share passwords," Mulgrew says.
He says using QR codes in advertising is convenient for brands, but it encourages consumers to blindly trust the codes without considering what action they might set in motion if scanned. "Not all QR codes are made with honest intentions," Mulgrew says.
Twitter user Naftoli Ost, replying to a tweet from Doug Barbin, chief growth officer at cybersecurity audit firm Schellman, says that such campaigns can be dangerous since "where a link leads could be changed dynamically from one minute to the next." He also says a link can lead to different places depending on who's scanning it.
Another user, @jubjub727, says: "You can serve different content based on IP geolocation data, time, type of device, browser or whatever other method you choose. I'm not as doom and gloom about QR codes as others but this type of thing can have potential for abuse."
Kavya Pearlman, CEO and founder of cybersecurity firm XR Safety Initiative, cities a recent FBI warning that cybercriminals are increasingly tampering with QR codes to redirect victims to malicious sites to steal login and financial information. Coinbase probably missed this memo, Pearlman says.
QR codes are becoming an increasingly common part of everyday life and have been used to link the digital world with the physical, a trend accelerated by the COVID-19 pandemic, Chris Morgan, senior cyberthreat intelligence analyst at cybersecurity firm Digital Shadows, tells ISMG. “It is difficult to distinguish between a legitimate and suspicious QR, given users are typically presented with a simple set of black and white patterns," Morgan says.
With websites, users can often spot typos, branding errors or other mistakes that may identify a fraudulent site. With QR codes, even the most security-aware users will find it difficult to spot which is a fake code and which is legitimate, he says.
Morgan tells ISMG that there are security implications and risks associated with this use of QR code in an advertisement, but given the importance of the occasion and numbers of users watching worldwide, the security surrounding the commercial was likely given the highest priority.
Morgan also says that a follow-on of this commercial could lead to social engineering campaigns spoofing Coinbase. "Manually navigate to Coinbase’s website or application to verify any offers received via email or advertised via social media," Morgan says.
Vulnerability Halts Services
In a separate incident on Friday, Coinbase halted its operations due to a critical vulnerability affecting its retail advanced trading service. The bug was fixed within hours and services were reinstated, according to the timeline observed on Coinbase's support Twitter handle.
The vulnerability was brought to the cryptocurrency trading platform's attention on Friday by a white-hat hacker known as Tree of Alpha according to the timeline tracked by ISMG on the researcher's Twitter account. He called the vulnerability "potentially market-nuking" and one that required immediate attention.
Anyone here can get me a direct line with someone at @coinbase , preferably management or dev team, possibly @brian_armstrong himself?— Tree of Alpha (@Tree_of_Alpha) February 11, 2022
I'm submitting a hacker1 report but I'm afraid this can't wait. Can't say more either, this is potentially market-nuking.
The security researcher, in a follow-up tweet, says that he shared his findings with Coinbase co-founder Fred Ehrsam. Although he could not share more information on the actual bug because of the critical nature of the exploit, the researcher says he assured Ehrsam that no actual Coinbase storages - cold or otherwise - were affected.
Brian Armstrong, co-founder and CEO of Coinbase, later responded to the security researcher's tweet, confirming that its team was investigating the vulnerability reported. An hour later, Coinbase halted its retail advance trading services citing technical issues, but continued accessibility under "cancel-only" mode with existing orders. Placing new orders was not allowed. Simple trading services on Coinbase.com and Coinbase Pro were not affected.
For technical reasons, we are disabling retail advanced trading. This service will continue to be accessible, but new orders cannot be placed at this time. Existing orders are in cancel only mode.— Coinbase Support (@CoinbaseSupport) February 11, 2022
The retail advanced trading service came back online after a fix for the vulnerability was made by 6:00 p.m. ET the same day. The security researcher confirmed that the cryptocurrency trading platform had patched the exploit as he had recommended.
Advanced Trading is resumed, and I have verified that the exploit has been patched as recommended.— Tree of Alpha (@Tree_of_Alpha) February 12, 2022
Full thread on the vuln and how Coinbase's swift response avoided some serious company & market damage as soon as I'm allowed (hopefully next week).
Good weekend to all. pic.twitter.com/pguInKORwW
In a tweet, Tree of Alpha says that "no bounty has been awarded [to him], as the Coinbase team is still working to assess the full extent of the exploit." He adds: "While it is in Coinbase's best interest to not downplay this, I do not need money and did not report it for that purpose."
The security researcher and Coinbase did not respond to ISMG's request for additional details on the vulnerability and its impact on the cryptocurrency trading platform.