Is Moon Browser Harvesting User Data?

Is Moon Browser Harvesting User Data?


Aside from dApp and smart contract platforms, cryptocurrencies—the superior alternative to susceptible political money—dominates. Some of them include Litecoin, Bitcoin Cash and the grand dad of them all, Bitcoin. As volatile assets whose prices can fluctuate by huge margins as supply—demand factors kick in, it is necessary that there is deep liquidity. Liquidity goes hand in hand with stability and that is exactly why proponents of Bitcoin and similar cryptocurrencies have been drumming for use–spending, and not pure hodling.

Maximalists can hold as long as they want but for Bitcoin to be mainstream, they must spend as it contributes to liquidity and demand fueled by retailers need. There are several gateways that allow merchants and buyers to receive and spend their crypto assets and of the many, Moon, is preferred. The objective of the creators was to create this avenue for coin expenditure that will fast-track crypto adoption.

Why Alexander Ang, the CTO of Moon Stepped Down

Moon is a browser extension and a bridge between crypto held in your CoinBase account and some of the world’s leading online retailers like Amazon, Ali Express and the likes. Once installed, one needs to create an account and link their CoinBase accounts and during checkout, you can pay directly from your preferred CoinBase crypto wallet via Moon.

Read: Ukrainian Tram Displays ‘Surprise’ “Bitcoin to the Moon” Slogan

As convenient as it is, Moon is still in beta and the design demands for a lot telemetry data that it is emerging, were illegally used to track user shopping behavior. It is because of this “unethical business practice” that Alexander Ang, the CTO and co-founder of Moon, left the company in a huff accusing the founder, Kenneth Kruger, of ordering this data collection without inputting a feature that allows users to opt out incase they are not comfortable saying “this is a huge breach of GDPR and privacy laws that are meant to protect user data.”

Security Concerns

Alex is raising alarm, notifying users that once the Moon extension is installed, the app can harvest information of user web behavior as the app can read open pages and their content and what the user is doing with them. But worrying of them all is the ability of Moon to “programmatically clicks the required permissions (scopes) required to create the API key” once the user “completes the one-time passcode (OTP) verification process as required by Coinbase” confirming the connection between Moon and CoinBase.

The problem with this arrangement is that the company extracts this API key in the background and in complete disregard to the user asset security, stores these API Keys in plain text and uploads them to the company’s AWS. Once done, these jewels, the API keys can be used indefinitely by the company until they are manually revoked by the user since operation is done stealthily in the backend, a classic case of CSS manipulation.

Alex raised his concerns on why Moon didn’t encrypt these API keys at AWS to prevent anyone from the company accessing them by “recursively locking IAM policies” and when he tried discussing it with Kenneth, he “constantly avoided or redirected the discussion and prevented (Alex) from building any kind of system that would protect users.”

Also Read: Ethereum Gets A Double Upgrade Really Soon

Since security is paramount, this utter failure of protecting user funds can be damaging for Moon. It could get worse for the start-up and even though their objectives are grand, Alex is urging users to manually revoke their keys. Until measures are put in place—as using a password in a multi-step process including salting for decryption of CoinBase API Keys, Moon will have access to user data via this logic that operates covertly in the backend.

The Counter Argument

But the story is getting interesting and in response to the above allegations, the founder has said the only encrypted data that Moon transmit are for use in MixPanel and Google Analytics. Furthermore, and in Reddit post, he reiterates that the only data broadcasted to their servers are needed for the extension’s functionality and nothing more. These data include:

  • CoinBase API keys and data facilitating purchase and other wallet information for users to check balances and to choose which wallet to make payment from.
  • Crypto—fiat exchange rate data and timestamp
  • Retailer payment data which are extracted from cart value total, the denominated currency and the wallet selected.
  • Email address—needed during sign-up and login and other account authentication data.
  • The timestamp the user completed onboarding
  • All bug reports submitted and new merchant support requests made by the user
  • Chats between support team and the user.

Kenneth goes on assuring users that “Moon does not track the websites you visit, the contents of those websites or your interactions with them unless they are directly related to the functioning of Moon. The only websites Moon interacts with are, and”

All the same, security and transaction in a private environment is what defines crypto. Regardless of the explanations, and if Alex claims are true, then Moon ought to do something and patch things quickly before damage is done.