Massive Security Breach at Paybase


Last updated on October 13th, 2017 at 06:21 pm

This morning Coin Fire is learning of a major security breach in GAW Miners' Paybase product.

The breach is just another stumble in a long list of issues this past week with GAW Miners, after Amazon spokespeople told Coin Fire they were not working with the company to implement Paycoin shopping.

[Screenshot: Leaked Information]

Late last night Paybase was rolled out with much fanfare from Josh Garza and the supporters of the new altcoin PayCoin. A few short hours after the site went live, Bitcoin Talk users found a serious security flaw: a visitor who was not logged in could open a particular URL and be treated as if logged in as another valid, registered user of the site.

Visitors using this URL were able to obtain account information about Paybase users, including current balance, email address and other profile details. The flaw does not appear to have allowed those visiting the URL to withdraw funds, but it did give attackers the ability to collect large troves of data about Paybase users.

[Screenshot: Leaked Information]

Coin Fire was provided information detailing the breach and was able to confirm independently that the user information being provided was in fact real. After speaking with several account holders from the list about the accounts they own on Paybase, Coin Fire was able to confirm that the information was being leaked.

[Screenshot: Further Leaked Information]

Several users took to the Hashtalk forums to report the security breach, but all posts about it were immediately deleted, and the problem persisted for over eight hours before the site was taken offline. The company publicly claimed the downtime was due to issues with CloudFlare, but when the site came back online the security flaw appeared to have been closed.

Taking more than eight hours to respond to the security issue could have serious consequences for those who have trusted Paybase. While the funds themselves appear to be secure, attackers have been able to obtain exact account balances, email addresses and other personal information that could theoretically be used for blackmail or extortion.

The Paybase homepage now boasts,

The funds you deposit into your wallet are protected by the same protection used by the CIA and all major banks.

It would seem the security hole has now been closed, but many doubts about the service's security remain after the long period it stayed open.

Coin Fire

Coin Fire is a cryptocurrency news site started on June 6th, 2014. The site focused on hard-hitting investigative stories. Coin Fire was acquired by 99Bitcoins in October 2015.


27 Comments on "Massive Security Breach at Paybase"

ahs

I reported nearly the same security flaw in ZenCloud back in September. GAW fixed it and Josh Garza personally thanked me (without so much as offering a free Hashlet) — now to see this reoccur is just sad. This does not bode well for GAW’s lesson learning abilities.

hotd

I read the CCN article with a quick interview with Joe Mordica. How can this guy be a CTO? I see finger pointing because Paybase presented pages as static content and did not set any no-cache headers. This is app security and web dev 101. Instead of taking responsibility for their lack of testing and shitty development they pointed the finger at CloudFlare. This would have happened on any CDN. I would like to see real proof of a glitch instead of some empty claims.
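
The comment above blames missing no-cache headers on per-user pages served through a CDN, and the article describes one user's account page being shown to another visitor of the same URL. As an added example (not code from the article, Paybase or CloudFlare), here is a defender-side check over constructed response headers that flags authenticated responses a shared cache could store and replay to the next visitor, plus the header set that keeps such pages out of shared caches.

```python
from typing import Dict, List

# Constructed sample responses for a logged-in account page (not captured Paybase traffic).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly",
    # No Cache-Control at all: a CDN may treat the page like a static asset and cache it.
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly; Secure",
    "Cache-Control": "private, no-store",
    "Vary": "Cookie",
}

def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def directives(headers: Dict[str, str]) -> set:
    """Parse Cache-Control into a set of directive names (values such as max-age=60 dropped)."""
    return {d.strip().split("=")[0].lower()
            for d in header(headers, "Cache-Control").split(",") if d.strip()}

def cache_safety_issues(headers: Dict[str, str]) -> List[str]:
    """Findings for a response that carries per-user content.
    A shared cache (CDN or proxy) may store a response that carries neither 'private'
    nor 'no-store', and then serve the stored copy to the next visitor of the same URL."""
    d = directives(headers)
    shared_cacheable = "private" not in d and "no-store" not in d
    issues = []
    if shared_cacheable:
        issues.append("no 'Cache-Control: private' or 'no-store': a shared cache may store this page")
    if "public" in d:
        issues.append("'Cache-Control: public' explicitly permits shared caching of a per-user page")
    if shared_cacheable and header(headers, "Set-Cookie"):
        issues.append("Set-Cookie on a shared-cacheable response: the session cookie may be replayed")
    if shared_cacheable and "cookie" not in header(headers, "Vary").lower():
        issues.append("no 'Vary: Cookie': the cache keys on URL only, so one user's page matches every user")
    return issues

def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the directives that keep per-user pages out of shared caches."""
    fixed = {k: v for k, v in headers.items() if k.lower() not in ("cache-control", "vary", "pragma")}
    fixed["Cache-Control"] = "private, no-store"
    fixed["Pragma"] = "no-cache"  # for HTTP/1.0 caches that ignore Cache-Control
    fixed["Vary"] = "Cookie"
    return fixed
```

Run the checker against the responses your application returns for any URL that renders account data; a clean result for every such URL is the condition under which a CDN cannot hand one user's page to another.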

Lucy

Emails stored on some third party servers can never be secure. To send secure email, first thing is to avoid getting it stored on external server. User Binfer will send messages directly. Check it out: http://www.binfer.com.

Josh Garza

Kassado, who idles in #bittrex on IRC, is paid by Bittrex to hack “the competition”.

ContractMine Bitcoin Mining

It’s obvious no compliance standards or penetration testing took place in development of the web application. GAW has always focused too much on marketing and not enough substance. Josh Garza is a little like Harry Gordon Selfridge in the over-hype area of GAW. I’m not surprised to see this on launch day of their exchange. While I’m sure this will be solved and move on, the Mt. Gox like risks are all too familiar here with GAW.

BitterDog

More security misconfigurations:

http://pastebin.com/qZXrYbFR

sdf

Nmap shows them running Ubuntu too.

blaster

Can’t see any proof of the breach. How can you prove the posts were even there if they were deleted? I had 10 million bucks, but it was stolen and my bank logs were deleted. Yeah right…

a_reader

Where’s that Bitcointalk link at?

Sources are an important part of “reporting,” you know…

Max

Where is your source? What exploit did you use? Can we see proof?

If you don’t state these I will disregard this as inspect element.

Tim

Brah, this is super real.

https://bitcointalk.org/index.php?topic=857670.msg9991564#msg9991564

I tried the link this morning. It worked. Lots of people saw this.

AH WOU WOU

The owner of this website is so spraying the community with false claims like this.

Seriously OP, get a freaking life, anyway y u deserve one???

owlcatz

To all you people looking for sources – I'M ONE, I SAW IT IN MY BROWSER THIS AM – BTW, DID YOU MISS THE SCREENSHOTS IN THE ARTICLE ABOVE, OR DO YOU THINK THEY ARE FAKE??!!? Unbelievable, you seriously can't make this stuff up. BTW, your coin is tanking atm….

blksbth11278

You are so full of sh#t it's not even funny. Quit spreading your lies to hurt people's finances. Greedy immature 2 year olds that have been caught organizing dumps.

Dr. Yes

Says the guy trying to pump up a pyramid scheme.

Bryon Jones

Lots of claims…. no source or evidence. What we have here is someone creating negative publicity to drop the price so they can buy cheap…. NICE TRY!

nikki

Jesus Christ, you people are seriously insane. Nobody wants to buy these fucking coins; notice how they were supposed to be valued at $20 but aren’t. That’s because no one wants to buy them and everyone wants to sell.

You are delusional.

Badbitcoin.org (@Badbitcoinorg)

Evidence please? We already know you have a spat going on with GAW and can’t resist a smear story, but how about a fact or real evidence included in this ‘tittle tattle’ – We believe in the Paycoin project, but do not want to be at risk, so a bit of factual info would be really useful. How was the information made available, for example?

Thanks.

Volder

Shame on you for supporting a SCAM and plastering your site with their ads. You lost a lot of credibility in the community.

Dan

Awesome work, you guys at Coin Fire are on the ball breaking this wide open. I wonder, should we start reporting what we saw to the IRS? I’m sure they aren’t :) Nice work Leo!

James

Wow. How sad. I think the CIA and major banks need to be called because their security is also at risk! /s

anonymous

Would tip with actual bitcoins, like with an address.

Bryon Jones

SOURCE?

@ChangeTip

jforsythe just left a Bitcoin tip worth 0.10 USD (316 bits/$0.10).

NemNem

owlcatz

I saw this as well, someone else’s account, zero balance, but I did get the email address. Thought about emailing them but decided to let it go…. Way to go GAW, you can’t do anything properly. You can’t even make this stuff up, honestly.

@ChangeTip

danster82 just left a Bitcoin tip worth 1.25 USD (3,944 bits/$1.25).
