Tl;dr: Yesterday a new class of attacks against modern CPU microarchitectures was disclosed to the public at large. Coinbase has taken and will continue to take measures to keep your funds and your data safe. All customer funds remain unaffected. Please make sure you update your operating systems with the latest security patches and follow browser recommendations (chrome, firefox, IE/Edge) to mitigate the impact of these bugs on your systems.

Yesterday a new class of attacks against modern CPU microarchitectures was disclosed. Two specific attacks were released: Meltdown and Spectre. The impact of these vulnerabilities is an attacker who can run code on a computer can potentially gain access to memory space outside the bounds of it’s normal authorization. In the case of Meltdown, this means a piece of malicious software could gain access to kernel or, in the case of some virtualization schemes, host memory. In the case of Spectre, this means untrusted code running in a sandbox (such as JavaScript) could gain access to the memory of its parent process (in the case of JavaScript, that would mean it could read all data in the browser process).

So what is Coinbase doing to protect your funds and personal data and what can you do to protect yourself?

Coinbase maintains an aggressive vulnerability management program. As rumors of this vulnerability emerged several days ago, we began preparing for a few different potential vulnerability types. Coinbase runs in Amazon Web Services (AWS) and our general security posture is one of extreme caution. Sensitive workloads, especially where key handling is involved, run on Dedicated Instances (instead of shared hardware). Where we do run on shared hardware, we make it more difficult to accurately target one of our systems by rapidly cycling through instances in AWS. Once the disclosure embargo lifted and details became available, we evaluated the impact to Coinbase and we worked closely with AWS to ensure that all of the hosts running our workloads were patched and, as we continue to cycle those workloads, we don’t migrate to unpatched hosts. This effectively mitigates the risk of a cross-VM attack on our systems. We are also patching all of our base operating systems to further mitigate the risk of this vulnerability being used to escalate privilege by an attacker who can gain access through other means.

Unfortunately, it is likely that this same class of vulnerability could be exploited by malicious JavaScript running in your browser to steal data from other open or recently open browser tabs. This data might include things like cookie values, credentials, PII or similar. Browser vendors are doing a few things to help mitigate this issue, but not all of those updates are ready yet. Coinbase also follows a number of best practices that limit the potential impact on our users, including the use of HTTPOnly cookies, SameSite cookies and anti-CSRF tokens.

However, there are a few actions you should take right now to limit your exposure:

If at any point you believe your account is at risk you should:

Update on Meltdown and Spectre was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Similar to Notcoin - TapSwap on Solana Airdrops In 2024

origin »

105 +