Security researchers are raising alarms over a Coinbase Commerce page that appears to request users’ wallet recovery phrases, a practice that could normalize dangerous behavior often exploited by phishing scams. The page, highlighted by blockchain security expert Yu Xian, has sparked significant concern within the crypto community, prompting questions about Coinbase’s commitment to user safety.
The Concern
Yu Xian, founder of the blockchain security platform SlowMist, flagged the issue on social media, expressing bewilderment at why Coinbase would have such a page. “Such an insecure practice is simply unbelievable,” he wrote, emphasizing the potential risks of normalizing the sharing of seed phrases. Recovery phrases are the key to accessing self-custody wallets and should never be shared with third parties, customer support agents, or untrusted websites.
Coinbase’s Response
Coinbase has yet to address the issue publicly. When contacted by Cointelegraph, the company stated it was investigating the matter but provided no further details. This lack of transparency has only added to the community’s concerns. ZachXBT, a blockchain sleuth, pointed out that the page in question was referenced in a Coinbase Help guide for its Commerce product; that guide has since been removed.
Security Best Practices
The help documentation, now apparently removed, outlined an option for users to recover funds by importing their seed phrase into a compatible wallet such as Coinbase Wallet or MetaMask. It also directed users to a withdrawal tool hosted at the same subdomain that has drawn scrutiny. The guide emphasized that Commerce wallets are self-custodial, meaning Coinbase does not have access to users’ seed phrases and cannot recover funds if they are lost.
Broader Implications
The incident raises broader questions about the security practices of major crypto platforms. While Coinbase is generally considered a reputable player in the industry, this issue highlights the need for continuous vigilance and clear communication with users. Coinbase advises against pasting seed phrases into any website, a recommendation that should be strictly followed to avoid falling victim to phishing scams.
Conclusion
As the crypto industry continues to mature, the importance of robust security measures cannot be overstated. Coinbase’s handling of this issue will be closely watched by both users and regulators. The company must take immediate and transparent steps to address the concerns raised and ensure that such practices are not repeated. In the meantime, users are advised to remain vigilant and protect their seed phrases with the utmost care.
