
Anyone care to speculate what the flaw in their SMS recovery flow actually was? It's hard for me to think there's even a safe way to implement SMS based account recovery. They would be smarter to just turn it off.


I do not have a specific answer for Coinbase. Typically, the flaw would be in modifying one of the form inputs to get the code delivered to a different phone number. That usually works out to either modifying the "destination number" client-side form value, or swapping in an edited/reused session token from a different login session's MFA challenge, to exploit missing ownership checks on the various underlying pkey object IDs.

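As an added example (not code from this thread or from Coinbase), here is the pattern the comment above describes: a recovery handler that trusts a client-supplied destination number and a challenge object with no owner check, beside a hardened version that takes the destination from the account's verified number and binds the challenge to the session user. The `ACCOUNTS` data, the `SENT` list standing in for an SMS gateway, and all function names are constructed for illustration.

```python
import secrets

# Constructed sample data: each account has one server-side verified recovery phone.
ACCOUNTS = {
    "alice": {"phone": "+15550000001"},
    "mallory": {"phone": "+15550000002"},
}
CHALLENGES = {}   # challenge_id -> {"user": ..., "phone": ..., "code": ...}
SENT = []         # stand-in for the SMS gateway: (destination phone, code) pairs


def _new_code():
    return f"{secrets.randbelow(10**6):06d}"


def vulnerable_send_code(session_user, form):
    """Flawed: the destination number comes straight from the client form."""
    phone = form["destination_number"]          # attacker-controlled value
    cid = secrets.token_urlsafe(16)
    CHALLENGES[cid] = {"user": session_user, "phone": phone, "code": _new_code()}
    SENT.append((phone, CHALLENGES[cid]["code"]))
    return cid


def vulnerable_verify(cid, submitted_code):
    """Flawed: any session can complete any challenge id it can obtain."""
    ch = CHALLENGES.get(cid)
    return ch is not None and secrets.compare_digest(ch["code"], submitted_code)


def hardened_send_code(session_user, form):
    """Ignores the form: destination is the account's verified number."""
    phone = ACCOUNTS[session_user]["phone"]     # server-side source of truth
    cid = secrets.token_urlsafe(16)
    CHALLENGES[cid] = {"user": session_user, "phone": phone, "code": _new_code()}
    SENT.append((phone, CHALLENGES[cid]["code"]))
    return cid


def hardened_verify(session_user, cid, submitted_code):
    """Ownership check: the challenge must belong to the session completing it.

    The challenge is consumed on success so a token cannot be replayed.
    """
    ch = CHALLENGES.get(cid)
    if ch is None or ch["user"] != session_user:
        return False
    if not secrets.compare_digest(ch["code"], submitted_code):
        return False
    del CHALLENGES[cid]
    return True
```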

SMS is fundamentally insecure, yes. But this sounds like a problem in the webapp that prepares and sends SMS messages, not SMS itself.



