Bad QR Information
  • What is Bad QR?

    Bad QR is the description for bug report #126784 under hackerone for Coinbase.

    It encompases drawing money from Coinbase wallet users under iOS and Android bypassing the confirmation screens.

    Coinbase mobile wallet users should be warned not to scan foreign QR payment codes until the apps are updated.

  • How does it work?

    Any payment code read on the Coinbase wallets below 0.1 BTC is automatically sent with no confirmation.

    The loss of money in this scenario is per user.

    As of right now, this feature is being patched and updates will be provided to both App Stores

  • Can I try it?

    This test bed can generate QR codes that will cause the issue to occur.

    They can also be given a "Social Engineering" spin in order to convince a user to scan it.

    You can try this, but for the love of god, don't scan QR codes outside this page unless it's a trusted QR code.

    QR Codes are generated by Google Chart API through Javascript, so don't scan them if you don't trust them either.

  • Why disclose this as a bug?

    A bad actor can use this to draw unsuspecting users into making transactions out of Coinbase.

    For the amount of money that it will cost a single user to read a QR code, you could blanket thousands in social media through Facebook, Twitter and Reddit.

    By definition, bitcoin transactions are non-refundable and this feature can cost you a bit.


Bad QR Test Bed