Coinbase has taken down a recently flagged “legacy recovery” tool after on-chain investigators warned that it could be used to trick users into giving up their seed phrases.
The episode reignited concerns about how design choices for platforms may clash with longstanding security practices.
Security Concerns Over Coinbase Recovery Page
It all started on March 18, when Cos, founder of SlowMist, a blockchain security firm, asked why a Coinbase-hosted page was asking users to type in their 12-word recovery phrases in plain text. Cos shared screenshots showing a Coinbase Commercial withdrawal interface that required people to paste their mnemonic phrase while also suggesting they get it from Google Drive backups.
Shortly after, well-known on-chain investigator ZachXBT posted that the page could be used by attackers as a social engineering tool, given that it was hosted on an official Coinbase domain.
“So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?” he asked.
Another member of the SlowMist team, 23pds, pointed out technical flaws on the page, saying that it didn’t have a proper sitemap and could be easily cloned. They added that attackers could copy the interface and use domains that look like it to trick people into giving them sensitive information.
There were also concerns beyond the risk of cloning, with one X user, going by Kieran, arguing that the bigger problem was behavioral. They claimed that the tool went against one of the most widely taught safety rules in crypto, which is to never share or enter a recovery phrase into a website. The existence of such requirements on official pages, according to them, could make phishing attempts more convincing.
Alex, a team member at Coinbase, responded by stating that they had removed the tool and were actively developing a new solution.
“Appreciate you all raising this and holding us to the highest standards,” they added.
At the time of writing, a check on the page showed that it had indeed been taken down, with a simple message informing users that the service was unavailable and that they should try again later.
Social Engineering Risks
The concerns raised by ZachXBT and the SlowMist team aren’t for nothing. Recent data shows that there is a shift in how bad actors are carrying out crypto-related attacks nowadays.
According to on-chain security company Nominis, in February, total losses related to cryptocurrency scams and exploits fell by nearly 87%. But more importantly, Nominis revealed that attackers are now more likely to target users instead of exploiting code.
The firm noted that recent incidents had relied more heavily on phishing and misleading prompts instead of technical vulnerabilities. And with such schemes becoming more common, it’s vital to deny attackers the sort of advantage ZachXBT believes occurrences like the Coinbase recovery tool could have possibly given them.