Bitcoin Forum

THEY RESPONDED

I found a security flaw which allowed a thief to steal bitcoins from a company.
I contacted them and they don't reply,  what should I do?
I want to see the security issue resolved,  and the company in question is not responding to me.

The security flaw is so stupid that it most likely got overlooked.

EDIT:  We're talking a minor exploit that at most can yield 100 coins or so.   Not thousand,  not millions,  just 100 or so bitcoins.

It's not going to destabilize bitcoin, or affect prices to any large extent.  It's a single company that has a minor problem that they haven't contacted me back yet.

That's the extent of this flaw.   I asked for advice not because I wanted to freaking start a panic,  it's just how to get a company to respond.

100 BTC at max.... that's it.. nothing more.

Make the flaw public will be the fastest way of been fixed.

Don't steal the coins.  You will be criminally liable for that even if you intend to return them and even if you do return them.  In fact returning them becomes evidence against you.

Just try again.

Well, if you're a customer there you might not want them to be robbed from the outside...?!

You could transfer a nontrivial but also not business threatening amount of BTC to one of your addresses (maybe ennounce that here? On the other hand it might be easy to know which business has this flaw via network analysis) and then immediately send them back - that should hopefully trigger some alerts...

This also invites a lawsuit.

Fuck the law, if you live in another country just grab the damn coins!

Is it the MtGox one where you can put anyone else's public Bitcoin address in the url and automatically get all of their bitcoins?

Please tell me this is a joke.

 :P

Take 100 BTC to prove it. Make it public. Return the coins when you get an apology and a thankyou.



Seriously, if I was in charge of that co. I would be desperate to be the first to know about potential flaws and would offer a sizeable bounty for anybody that pointed them out (with proof).

1.  I will not steal or publish the results.   

I had a few hundred coins stolen from me 2 years ago,  at today's prices it would be $20,946.88
I do not wish that to happen to anyone ever.

2.  I attempted for a second time to inform the company,  no response yet.  When it comes in I will let you guys know what I found and how the exploit happened... that's after giving the owners time to correct the problem.

I got blasted via private message on bitcointalk for not publishing the exploit and stealing coins.

I hope that a few years from now if I was on the other side of the table people would handle it like this rather than freaking stealing coins.   If people were Honourable they would reward this type of behaviour rather than sending private messages like that... 

just remember this.

NO GOOD DEED GOES UNPUNISHED

watch your back.

Thank you for setting a good example.

whoever just tipped me .035 thank you!

I once worked for a guy who said "Do the right thing" pretty often.
He ended up ripping me off.


The OP is right to be an honest person.
just remember this:
You get what you deserve.

Good for you man! This is what we need, more genuine and honest people like yourself around here.
If you found a flaw in one of my sites I would be sure to buy you a beer or two at the very least!

No Reply to the first or second attempt. 

You are either attention whore trying to cause bubble burst and there is no exploit

or

You are so rich that don't care about money or reward for your unique skills.

I'm guessing option #1, this combine with someone else trying to cause a panic (https://bitcointalk.org/index.php?topic=159053.0) makes more sense than either post does alone.

Send me all their coins?

There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.

Wow, you definitely make it on to my "do not trust, ever" list.

I also felt the urge to give that ignore button a go, dispicable.

If the flaw is truly boneheaded, disclosing the name might be risky.

Indeed.


Remember a few years back I called you because your site dropped off the internet and i wanted to see if you were okay?

Well, now I know. You're okay.  8)

If they keep ignoring you there is only one way, give them a ultimatum.

Tell them to fix the problem within a set time frame if they don't respond or fix the problem you will share the info with the public. Put this ultimatum up in a public place, name them and wait for response ...

if they don't fix it or ignore you disclose the info. If they sew you have the right to inform people about possible threads to there well being. (unless you had to break it to there systems to get the info)

speaking from experience it usually doesn't get that far ;)

The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Hmm.. Not responding to emails, only holds a hundred coins... sounds like a bitgem ripoff site or gambling site to me.

Trust me it's a widely used service,  but the exploit only shows a limited number of coins...  there's an easy fix to this.   

This is not a problem that would destabilize bitcoin... it's the type of flaw that could get media writing though.. which is what I am trying to prevent.

Bitcoin has a 850 million dollar economy,  we're talking about at most a few thousand dollars worth of exploit...  it's something that should be fixed... but it's not something crazy like millions of dollars.



 

One thing is exploiting flaws in computer systems, another thing is exploiting social trust of people. I never exploited trading or other forms of commerce where some degree of trust is essential. In long run it will make some forms of e-trade impossible and will hurt my goals in long term. Contrary exploiting flaws in computer security improves overall security in long term. Without such activities internet would be insecure, censored and boring place. But I used social engineering to get payload into losers computers or phish passwords. But this is more technical than exploiting pure trust. Everyone with slight knowledge will notice wrong URL or different checksums.

I will give OP idea - if trying to crash market, announce here that it is MtGox and post receiving address here and say you will transfer there n amount of coins from MtGox. Then transfer coins from your MtGox account to the address afterwards. No exploit involved but many would believe in that and start sell sell sell

Sounds like it's not a major bitcoin company...

IT'S NOT THAT BIG OF A FLAW TO CRASH ANY MARKET! 

It's a major bitcoin company... but the exploit isn't freaking stealing their whole wallet, just some people that utilize it.

How does a bitcoin business manage to amass hundreds of coins with an obvious flaw in their system? Does not compute!



@the founder disclose the name please, or PM a bitcointalk staff member that can assist you further.

What about taking the coins then sending them to a known address of the company or company's owner. That might work.

I remember one guy who discovered flaw in university system, notified about it the responsible persons and got kicked out afterwards. If he would not be such white knight on donkey and instead anonymously vandalized the database and then leaked it on piratebay, no one would know who did it.

It really was bad idea to contact the owners about exploit.

Seems so...

http://cdn.memegenerator.net/instances/400x/33970959.jpg

Like noticing someone dropped their wallet, picking it up and handing it back to them?

Do not publish the bug. And do not exploit it. Keep trying to reach them. Usually it takes some time for your email to reach the right person within the company. Do not rush and do not take any action to be blamed about in the future.

Lol, so you were trolling.

trolling ? lol

I tried exactly this once with a popular social media site half a decade ago, and they pretended to be thankful for finding the glaring security holes and kept asking me for more help and even asked for me to write up some security suggestions for them. They even offered me points on their website for a reward and such, and because I accepted, they tried to later say that I had blackmailed them. Turns out, they were trying to collect information to post about me and brand me as a "blackmailer hacker". They even recorded our phone calls (which was illegal in their state and thus they didn't use it). The employees who did this were subsequently fired of course by the corporate owners who took over the company and brought in an entirely new management group that I became friends with.

Moral of the story? There isn't one. Some people are dicks and you have to do what you do and deal with it as it comes.

Text of the response: F**k off! There is no exploit. Thanks for ass king!

ok I gave them exactly how to duplicate the flaw.

I also showed them how to correct it.

After it's been corrected could you explain what the flaw was and who it was with?

I promise you that I will.

When You will be old, sitting alone next to crappy computer, You will remember this possibility of getting 100 coins worth about 8 millions. Life is not fair and never will be, get used to it and act!

I dont think many here understand what I meant.
So he pokes around and finds a bug (felony already).
He discloses info to the web site. (nice guy).
Website fixes bug but the CEO is pissed anyway and files police report (it happens).
Good guy OP gets arrested for trying to do a good deed.

I seriously hope that is not the outcome,  I protected the identity (and will continue until the bug is fixed)  and the poking around was purely an accident... which led me to believe that this was an idiot level mistake.

The owner is on it,  and confirmed the exploit.

100 coin max exploit? It's obvious who the company is then. 

BFL ?

Yep.

Should be fix soon.

Can we say names or...?

blockchain.info

The OP's 8 hour timeline seems to coincide with the announced resolved from said company.

What was the exploit? Bitcoind available for everyone without password?

The duplicity of security standards annoys me. I have no way of knowing if the bank doors are locked at night. Shouldn't I be allowed to check?

If I try and test to see if the bank doors are locked and someone sees me I might get arrested. If no one sees me and I tell the bank, "hey your doors aren't locked!" I will go down hard and there are no repercussions for the bank.

What a strange world we've created...

Dear Instawallet,

Yesterday I discovered a security flaw with your site, I spent nearly 6 hours working with David Francois Chief Technology Officer at Paymium

The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymimum, Paytunia, Instawire, and Bitcoin Central as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, As all the URL’s of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656

Davout... don't you think this guy deserves some BTC for his work?

EDIT:  Also, Google is still spitting out one wallet to me:  https://instawallet.org/r/aHR0cHM6Ly9pbnN0YXdhbGxldC5vcmc=

This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now, they already were aware of this problem.

By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.

Or Instawallet could have included wallet URL's in its sitemap.

I heard that Google sometimes crawls webpages that its users (Chrome) visit?  True/not true?

True. Also some antivirus and firewall companies does this. By now they have at least dozen instawallet urls.

I also found a wallet on google too:

https://instawallet.org/w/iSIzx4rC9ZWh0ygXLfMhh5p12LZUqMarA

Is empty, no surprise.

Lol, this is not a security flaw in instawallet ::)

If someone post their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc.

And I really don't hope you spend 6 hours telling them to add two lines to a txt file?

Of course not spending 6 hours telling them how to fix their robots.txt file.  

For some reason everyone keeps saying it was the robots.txt file,  it wasn't.   If you guys actually spent the time looking at the screen shots you would actually realize that it's not nor was it the robots.txt file.

Anyway, thanks for this responsible disclosure.

On the screenshot we can see that you just searched for "site:instawallet.org", this is something that has been known for ages (e.g. https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT (https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT)). Aka "Google hacking", "google dork", whatever it has nothing to do with hacking.

But simply asking google not to index or list items on your website, doesn't "fix" it because it has never been a security problem in instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.

Changing the "site" command to e.g. "allintext" and volá free bitcoins:
https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g
https://i.imgur.com/aDx3rfO.png

But no, I'm not blaming instawallet.

1 -  freaking linking like that to someone's wallet ? seriously?

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it,  show me that screenshot of where you found it because I'm willing to bet you found it on a scraper using the allintext operator.

3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten all of us.

Urls showing up in google does not mean that it was instawallet that "leaked" them.
If there was some magical page on instawallet that listed all adresses then this "bug" of yours would not be about ~100BTC, but about much more. Thus, this simply is about google crawling some urls from people's browsers, toolbars, links on other websites, etc. Not a "bug" in instawallet per se, but sure, it's better to robots.txt-disable it anyway.

I'm going to repeat here what I stated in the other thread.


If you saw the screenshots on the article listed on this thread,  you'd see immediately that it was not the robots.txt file.

Someone decided to post it public (not me) and everyone (Google) can access this.
Also it's not even what I usually pay in transaction fee :lol: It's not like someone is going to miss these coins.

Just go to page 2 of google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10 (https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10)
(how do you think google found "your" links vs how google found "my" links?)

omfg - instawallet url = private key = "username + password". Give me your hotmail username and password and I can "hack hotmail" ::)

You did the right thing dude, now can we close this thread please?

kthx

yea i'm done with it.