top | item 7504926


fatbat | 12 years ago

I am curious why Coinbase is not rate limiting that API call (temp-fix) or addressing this yet (even privately)?

Granted it is not a critical flaw, but is having no limits over time really necessary for Coinbase API users?

nwh | 12 years ago

What do you rate limit by? There are billions of IP addresses a spammer could use, captchas can be solved by offshore farms, there's almost nothing to go by.

chandraonline | 12 years ago

The call is made on behalf of a user account using an API key. You could rate limit by either one and/or both.

danielweber | 12 years ago

Lots of small businesses are perfectly happy to lock out foreign IP addresses on the slightest breeze, and it's probably a good result because for those businesses 1000 out of 1000 requests from the Eastern Hemisphere are hostile.

barmstrong | 12 years ago

You can read some more information on our response here: https://hackerone.com/reports/5200

fatbat | 12 years ago

Thanks for this! Perhaps an internal flag (to review) can be set when too many bounced emails come from a single api key?
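As an added illustration of the two defensive ideas raised in this thread (rate limiting the call per API key or account, and raising an internal review flag once too many bounced emails trace back to one key), the following Python is example code written for this page; it is not Coinbase's implementation. The class names, the thresholds and the event log are constructed for illustration, and the limiter is a simple in-memory sliding window, which a real deployment would back with shared storage.

```python
# Added example, not Coinbase's code: per-API-key sliding-window rate limiting
# plus a review flag when bounces attributed to one key exceed a threshold.
# All names, thresholds and sample events below are assumptions for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class KeyedRateLimiter:
    """Sliding-window limiter keyed by API key (or account id, or both joined)."""
    max_calls: int
    window_seconds: float
    _events: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, api_key: str, now: float) -> bool:
        """Return True and record the call if the key is under its limit."""
        q = self._events[api_key]
        # Evict timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


@dataclass
class BounceMonitor:
    """Flags a key for human review once its bounces in the window pass a threshold."""
    max_bounces: int
    window_seconds: float
    _bounces: dict = field(default_factory=lambda: defaultdict(deque))
    flagged: set = field(default_factory=set)

    def record_bounce(self, api_key: str, now: float) -> bool:
        """Record one bounced email for the key; return whether the key is now flagged."""
        q = self._bounces[api_key]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        q.append(now)
        if len(q) > self.max_bounces:
            self.flagged.add(api_key)  # flag persists until an operator clears it
        return api_key in self.flagged


def simulate() -> dict:
    """Run a constructed event log through both controls and summarise the outcome."""
    limiter = KeyedRateLimiter(max_calls=5, window_seconds=60.0)
    monitor = BounceMonitor(max_bounces=3, window_seconds=3600.0)
    # Constructed events: (seconds, api_key, recipient, bounced?).
    # key-A fires seven calls in seven seconds, every one to a dead address;
    # key-B behaves like a normal integration.
    events = [(float(t), "key-A", f"nobody{t}@example.test", True) for t in range(7)]
    events += [
        (10.0, "key-B", "customer@example.test", False),
        (11.0, "key-B", "typo@example.test", True),
    ]
    allowed = rejected = 0
    for t, key, _recipient, bounced in events:
        if not limiter.allow(key, t):
            rejected += 1  # the call is refused; nothing is sent
            continue
        allowed += 1
        if bounced:
            monitor.record_bounce(key, t)
    return {"allowed": allowed, "rejected": rejected, "flagged": sorted(monitor.flagged)}


if __name__ == "__main__":
    print(simulate())  # key-A is throttled after five calls and flagged for review
```

Keying on the API key (or the account behind it) sidesteps the objection that IP addresses are too plentiful to limit on: the abuser must hold a credential that the service issued and can revoke. The bounce monitor is deliberately separate from the limiter, so a key can be flagged for review well before it hits the hard rate ceiling.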