Frictionless Transferring of Wallet Ownership

In the Robocoin application, users can create their own personal or operator wallets and then share it with other Robocoin users. It was observed that this sharing of wallets with other users is frictionless. In other words, the users with whom the wallet is shared with (Let's say B and C) are not asked to confirm this transfer or ownership at all. They are not notified either. What this means is that a malicious Robocoin user (Let's say A) would create a wallet and then share it with both B and C (assuming A was able to find some random phone numbers associated with some Robocoin users - this is possible since there was no rate limiting observed for this feature. See attached screenshots where 14 invalid requests were sent with an invalid phone number and the 15th request was a valid number. Notice the difference in the response) as Signers. A then goes ahead and makes B the wallet owner. Since B is the wallet owner now, this changes A's permissions and now A becomes a Signer along with the other signer C (who A assigned as a Signer originally). There are no email notifications sent to notify B and C who shared the wallet with them, who transferred ownership from A to B. No notifications of any kinds. C then logs on and notices that a new wallet is being shared with him. C looks at the user summary of the wallet and notices that B is the owner and both A and C are signers. C becomes suspicious that B is the malicious user and has shared the wallet with both A and C. In a nutshell, A spoofed B as the wallet owner. The fact that there are no notifications being sent of any kind and that there is no rate limiting observed for the sharing feature only makes this issue more feasible and prone to an attack. There are some other ramifications as well due to this behavior such as: A can share this wallet with any number of Robocoin users. This would allow different Robocoin users to view each other's phone numbers. In a way, this is basically revealing phone numbers of various Robocoin users to each other which is totally unnecessary. Revealing a phone number is worse than revealing a name IMHO. This would also allow a large number of wallets being shown in Robocoin user dashboards to which they have no connection whatsoever. Cheers! /ab