Security Alarm Raised Over Coinbase Commerce Portal Requesting User Seed Phrases

Security experts have expressed alarm after discovering a Coinbase Commerce-related subdomain that appeared to request users' seed phrases on a withdrawal interface, triggering warnings from cybersecurity professionals.

Cybersecurity experts have voiced serious concerns about a page associated with Coinbase Commerce that appeared to ask users to enter their wallet recovery phrases, cautioning that a process of this kind conditions users to perform exactly the behavior that phishing attacks rely on.

The webpage gained significant attention across various social media platforms following its identification by Yu Xian, who goes by the online handle Cos and serves as founder of SlowMist, a blockchain security platform.

"I'm really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery," Yu wrote in an X post on Wednesday, adding: "Such an insecure practice is simply unbelievable."

The cryptocurrency exchange has not yet publicly commented on the matter. When contacted by Cointelegraph, Coinbase stated it was investigating the situation but declined to offer further details. Cointelegraph made attempts to reach Yu Xian for additional commentary, though no response had been received at the time of publication.

Wallet recovery phrases grant complete control over a self-custody wallet and must never be disclosed to external parties, support representatives or questionable websites. They should be used only within a verified wallet's own recovery or import flow.

Source: Yu Xian

Coinbase referred to the subdomain as a commerce "withdrawal tool"

Based on information from blockchain investigator ZachXBT, the webpage under scrutiny was mentioned in a Coinbase Help documentation page associated with the company's Commerce offering.

The help article, which now appears to have been taken down, reportedly described a method for users to retrieve their assets by entering their seed phrase into a compatible cryptocurrency wallet such as Coinbase Wallet or MetaMask. It also pointed users toward a withdrawal utility hosted on the same subdomain that is now under scrutiny.

Source: Coinbase Commerce

The support documentation further stresses that Commerce wallets operate on a self-custodial basis, which means Coinbase lacks access to customers' seed phrases and is unable to retrieve funds should they be lost.

"So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?" ZachXBT wrote on X.

Coinbase advises against pasting seed phrases into any website

It remains unclear whether the page in question resulted from a technical malfunction or some other problem on Coinbase's end.

In a separate help article, Coinbase explicitly instructs users never to enter their seed phrases into any website.

Source: Coinbase

On Tuesday, Coinbase issued an alert warning that fraudsters are impersonating customer support representatives by phone and online in an effort to obtain login credentials and verification codes. The exchange emphasized that it will never initiate contact in this manner and instructed users to rely only on its verified channels on X and Reddit.
