Update on Meltdown and Spectre

Tl;dr: Yesterday a new class of attacks against modern CPU microarchitectures was disclosed to the public at large. Coinbase has taken and will continue to take measures to keep your funds and your data safe. All customer funds remain unaffected. Please make sure you update your operating systems with the latest security patches and follow browser recommendations (Chrome, Firefox, IE/Edge) to mitigate the impact of these bugs on your systems.

Yesterday a new class of attacks against modern CPU microarchitectures was disclosed. Two specific attacks were released: Meltdown and Spectre. The impact of these vulnerabilities is that an attacker who can run code on a computer can potentially gain access to memory outside the bounds of its normal authorization. In the case of Meltdown, this means a piece of malicious software could gain access to kernel memory or, under some virtualization schemes, host memory. In the case of Spectre, this means untrusted code running in a sandbox (such as JavaScript) could gain access to the memory of its parent process (in the case of JavaScript, that would mean it could read all data in the browser process).

So what is Coinbase doing to protect your funds and personal data and what can you do to protect yourself?

Coinbase maintains an aggressive vulnerability management program. As rumors of this vulnerability emerged several days ago, we began preparing for a few different potential vulnerability types. Coinbase runs in Amazon Web Services (AWS) and our general security posture is one of extreme caution. Sensitive workloads, especially where key handling is involved, run on Dedicated Instances (instead of shared hardware). Where we do run on shared hardware, we make it more difficult to accurately target one of our systems by rapidly cycling through instances in AWS. Once the disclosure embargo lifted and details became available, we evaluated the impact to Coinbase and we worked closely with AWS to ensure that all of the hosts running our workloads were patched and, as we continue to cycle those workloads, we don’t migrate to unpatched hosts. This effectively mitigates the risk of a cross-VM attack on our systems. We are also patching all of our base operating systems to further mitigate the risk of this vulnerability being used to escalate privilege by an attacker who can gain access through other means.

Unfortunately, it is likely that this same class of vulnerability could be exploited by malicious JavaScript running in your browser to steal data from other open or recently opened browser tabs. This data might include things like cookie values, credentials, PII or similar. Browser vendors are doing a few things to help mitigate this issue, but not all of those updates are ready yet. Coinbase also follows a number of best practices that limit the potential impact on our users, including the use of HttpOnly cookies, SameSite cookies and anti-CSRF tokens.

However, there are a few actions you should take right now to limit your exposure:

  • Update your operating systems with the latest patches. OS X 10.13.2 seems to contain a fix (although we don’t have official confirmation from Apple). Windows has released an update. The various Linux distributions are working through the update process and have released advisories (https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/ has a good list).
  • Update your browsers. Browsers are continually releasing new features and protections. As a best practice, you should enable automatic updates on your browser. Firefox 57 has mitigations in place. Chrome 64 will have mitigations (release targeted on 23 January), but you can enable Site Isolation (Chrome 63 and later) in the meantime for an effective mitigation. IE/Edge mitigations are available in KB4056890.
  • Use Vaults. Funds to which you do not need immediate access should be placed in a vault. The vault enforces multi-party approval and a time-locked withdrawal process that is resistant to an attacker even if they have full account access.

If at any point you believe your account is at risk you should:

  • Protect yourself by locking your account. Click the account lock link we send at the bottom of every password reset, new device confirmation or transaction confirmation message or call phone support at 1 (888) 908–7930 (M-F, 6AM-6PM Pacific time) and press 1.
  • Let us know by filing a ticket, emailing trust@coinbase.com or calling 1 (888) 908–7930 (M-F, 6AM-6PM Pacific time), option 1.