UNINSTALL IT RIGHT NOW AND REVOKE YOUR COINBASE API KEYS.
Dear members of the Ethereum community,
TL;DR: Uninstall Moon, Revoke your Coinbase API Keys NOW and PROTECT YOUR ETHEREUM
I was the co-founder and CTO at
https://paywithmoon.com. Due to my discovery of the unethical business practices Moon Technologies, Inc. has been engaged in, I have left the company.
As of today, the moon browser extension manipulates the DOM of the users' browsers to give them an augmented shopping experience, one that allows them to shop online with cryptocurrency. Over the past couple of months, my co-founder, Kenneth Kruger, has ordered the collection of data belonging to users as a way to improve customer experiences. No users have ever been asked explicitly if they would prefer to opt-out of tracking, a feature which I regularly insisted should be added. If you are a user and look under at terms and conditions stated under
https://paywithmoon.com/terms-conditions/ (dated 26 Feb 2019), you will find the agreement hidden under one of the terms and conditions. This is a huge breach of GDPR and privacy laws that are meant to protect user data.
From the moment a user installs the browser extension, the company will know exactly what pages are open on the user's browser, what the content of those pages are, and what the user is doing with them.
The biggest and most alarming issue of all, is the process of collection of how the browser extension works in the backend - Coinbase API keys. From the moment the user initiates the connection between the company and Coinbase, the company watches for changes in the user's current window, waiting for the user to complete the one-time passcode (OTP) verification process as required by Coinbase. Once that is done, the company programatically clicks the required permissions (scopes) required to create the API key as it sees fit.
The API key is then shown only once on the next screen, but the user does not know this (done via CSS manipulation). The company extracts the API keys into the backend, stored in plain text on the company's database on AWS. This is a definite security antipattern. This API key is then able to be used indefinitely until manually revoked by the individual user.
When I asked Kenneth Kruger why we should not encrypt the keys or create recursively locking IAM policies to prevent anyone in the management team to have personal access to users' API keys, Kenneth Kruger constantly avoided or redirected the discussion and prevented me from building any kind of system that would protect users.
Only two days ago, I have been locked out of my organization accounts including AWS and can no longer take preventive measures to protect users.
If you are a user of our browser extension today, ***PLEASE*** you need to uninstall the browser extension via chrome://extensions and go into
https://www.coinbase.com/settings/api and revoke ALL your API keys NOW.
If you have not used the Moon browser extension, but know of a friend that might, please inform him or her to do so immediately.
You can read more about my experience in another post here
https://np.reddit.com/r/startups/comments/au668p/what_to_do_in_the_event_you_get_zuckerberged_in_a/.
I had created Moon as I was crazy enough to think I was able to change the world with the single vision of bringing mass adoption to cryptocurrency, accelerating the future of the financial system. However, today is truly a sad day for crypto. Until we can find a way to completely decentralize and move away from the corporations, the no-accountability attitude and greed many executives possess, we cannot hope to bring forth the dream of cryptocurrency.
Until we meet on the moon again, please be safe, not sorry,
Alexander Ang
Until this is solved, don’t trust them.