Monday, February 25, 2019

PSA on Moon Browser Extension

Dear members of the crypto community,

TL;DR: Uninstall Moon, Revoke your Coinbase API Keys NOW and PROTECT YOUR BITCOINS

I am the co-founder and CTO at https://paywithmoon.com. Due to the unethical business practices Moon Technologies, Inc. has been engaged in, I have left the company.

As of today, the Moon browser extension manipulates the DOM of all our users' browsers to give them an augmented shopping experience, one that allows them to shop online with cryptocurrency. Over the past couple of months, my co-founder, Kenneth Kruger, has ordered the collection of data belonging to our users as a way to improve customer experiences. None of our users have ever been asked explicitly whether they would prefer to opt out of tracking, a feature which I regularly insisted should be added. If you are a user and look at the terms and conditions stated at https://paywithmoon.com/terms-conditions/ (dated 26 Feb 2019), you will find the agreement hidden in one of the terms and conditions.

From the moment you install our browser extension, we know exactly what pages are open in your browser, what the content of those pages is, and what you are doing with them.

The biggest and most alarming issue of all is how our browser extension collects Coinbase API keys for the backend. From the moment the user initiates the connection between us and Coinbase, we watch for changes in the user's current window, waiting for the user to complete the one-time passcode (OTP) verification process as required by Coinbase. Once that is done, we programmatically click the permissions (scopes) required to create the API key as Moon sees fit.

The API key is then shown only once, on the next screen, but the user is never aware of it (it is hidden via CSS manipulation). We extract the API key into our backend, where it is stored in plain text in our database. This is a definite security antipattern, as I'm sure many of you know. This API key can then be used indefinitely until manually revoked by the individual user.

When I asked my co-founder why we should not encrypt the keys or create recursively locking IAM policies to prevent anyone in the management team from having personal access to our users' API keys, my co-founder constantly avoided or redirected the discussion and prevented me from building any kind of system that would protect our users.
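One concrete shape for the control described above, as an added example and not code from Moon or from the original post: an AWS KMS key policy under which only the backend's service role can decrypt stored user API keys, the account root and a key-administrator role can manage the key but are explicitly denied kms:Decrypt, and every other principal is denied as well. The account ID 123456789012 and the role names moon-backend-service and moon-key-admin are assumptions, as the Sid strings note.

```json
{
  "Version": "2012-10-17",
  "Id": "user-api-key-encryption-key-policy",
  "Statement": [
    {
      "Sid": "ASSUMED role name: only the backend service may encrypt and decrypt user API keys",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/moon-backend-service" },
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "*"
    },
    {
      "Sid": "Account root keeps key management so the key cannot become orphaned",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "ASSUMED role name: key administrators may rotate, disable and audit the key but never use it",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/moon-key-admin" },
      "Action": [
        "kms:Describe*", "kms:Get*", "kms:List*",
        "kms:Enable*", "kms:Disable*", "kms:EnableKeyRotation",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
        "kms:PutKeyPolicy", "kms:TagResource", "kms:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Explicit deny wins over every allow above: nobody but the service role can decrypt, root and console users included",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/moon-backend-service"
        }
      }
    }
  ]
}
```

The Deny statement keys on aws:PrincipalArn so that it covers IAM users, console sessions and the root user alike; an explicit Deny overrides the root's kms:* allow. The caveat a practitioner should keep in mind: whoever controls the AWS account can still rewrite this key policy or the service role's trust policy, so this narrows day-to-day access to the decryption path and leaves an audit trail in CloudTrail; it does not bind a determined account owner. Its value depends on the keys in the database actually being encrypted under this KMS key rather than stored in plain text.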

Only two days ago, I was locked out of my organization accounts, including AWS, and can no longer take preventive measures to protect my users.

If you are a user of our browser extension today, ***PLEASE*** uninstall the browser extension via chrome://extensions, then go to https://www.coinbase.com/settings/api and revoke ALL your API keys NOW.

If you have not used the Moon browser extension but know a friend who might have, please tell them to do so immediately.

My deteriorating relationship with my co-founder has grown to a point where it simply can no longer be contained. You can read more about my experience in another post here https://np.reddit.com/r/startups/comments/au668p/what_to_do_in_the_event_you_get_zuckerberged_in_a/.

I created Moon because I was crazy enough to think I could change the world with a single vision: bringing mass adoption to cryptocurrency and accelerating the future of the financial system. However, today is truly a sad day for crypto. Until we can find a way to completely decentralize and move away from the corporations, the no-accountability attitude and the greed many executives possess, we cannot hope to bring forth the dream of cryptocurrency.

Until we meet on the moon again, please be safe, not sorry,
Alexander Ang

