Bitcoin Forum
Topic: Express Wallet (Read 2074 times)
Sothh (OP)
August 27, 2013, 03:06:08 AM
Last edit: September 19, 2013, 01:49:50 PM by Sothh
 #1

Hey guys,

After spending the past day and a half coding, I am ready to post the link to a little project I am working on.

It's basically like the old InstaWallet, only with more security and (in the future) features.  Source code can be found at https://code.google.com/p/express-wallet/

Features:

Uses a hash of the private key for the ID - No worries about pesky random number generation.

Uses Blockchain.info for address handling.  I wanted to cut down on the overhead of running a full-fledged VPN.  This also means a lot less code.

Pays active addresses a portion of ad revenue - the first interest paying wallet I know of.

I have done my best to prevent SQL injection and cross-site scripting.  If you can find a vulnerability I overlooked, please let me know.

Disclaimer:

This is in early beta, so please don't use it to store your life savings.

I have hand coded everything (even the style sheets and such) from scratch.

Anyway, here is the link: https://www.bitexpress.co.uk (Updated link to my old domain.)
Sothh (OP)
August 28, 2013, 12:47:30 AM
 #2

Update:

I have tested sending and receiving to the generated addresses and can confirm it's working correctly.
Bitalo_Maciej
August 28, 2013, 01:45:19 PM
 #3

I don't mean to be nitpicking, but basically that's a less secure (without using any password protection) version of blockchain.info? What's the advantage then of using your service instead of blockchain.info?

I think that with all the bad guys that are lurking around trying to steal user coins from different online services we have to work hard to provide more secure services, not less. That's of course only my opinion :)

Web wallets get hacked all the time. Computer wallets get hacked all the time as well.
Solution? Hybrid P2SH wallets - safer than your online and offline wallets combined. Check it out, store and trade your Bitcoins with ease of mind!
Sothh (OP)
August 29, 2013, 03:20:10 AM
 #4

The service may or may not be less secure than using a username and a password.

The reason for this is that if a service uses a username and password, the username can easily be found/guessed, and user-generated passwords are normally much, much weaker than generated ones.  A single generated ID of 24 characters (the new ID length) can be much more secure than a weak username and password.

The main reason I don't support usernames and passwords is convenience.  There are several (including blockchain.info) online wallet services.  I am offering a more convenient service.
Sothh (OP)
August 29, 2013, 03:09:53 PM
 #5

Update:

Added a proper SSL cert, so https works correctly now.  Please use https://bitexpress.co.uk for security.

Lengthened keys to 24 characters for more security.

Changed all GET to POST on the site for security. (Google indexes GET requests, so secure IDs could be made available in a simple Google search.)
Sothh (OP)
August 31, 2013, 02:53:42 AM
 #6

I have made the project open source.  Here is the Google Code URL: https://code.google.com/p/express-wallet/
Sothh (OP)
September 01, 2013, 12:45:09 PM
 #7

Update:

I have added an unobtrusive ad through bitads.net and will give a portion of the revenue back to active wallets each month.  Yay for interest.
Sothh (OP)
September 02, 2013, 06:00:57 PM
 #8

Update:

Visual improvements on the wallet page.
Sothh (OP)
September 04, 2013, 12:22:34 AM
 #9

Update:

Added my scratch card framework on a new page called Scratchers.  A portion of the profits will go to wallet interest.
Sothh (OP)
September 04, 2013, 08:27:39 AM
 #10

> https://code.google.com/p/express-wallet/source/browse/trunk/source/index.php#11 How cute, you put your ads on it ;)
>
> https://code.google.com/p/express-wallet/source/browse/trunk/source/index.php#27
> So now I have to recode this so it would work on my server
>
> https://code.google.com/p/express-wallet/source/browse/trunk/source/send_funds.php#14
> You need to escape this post variable and the one below it, I can easily do an attack.
>
> https://code.google.com/p/express-wallet/source/browse/trunk/source/send_funds.php#27
> Are you really storing private keys in non-encrypted mysql? I hope not, that would not be good, especially since I have seen a bunch of points of mysql attacks that could expose your database.
>
> Conclusion:
> Instawallet was a cool project to show off how easy it was to start getting bitcoins and send them in a quick wallet. Today that is not good and can be compromised; honestly all web wallets are dangerous, but people choose easy over security.

Removed the ad from the index, but you can't copy and paste it anyway.

Those two variables are never sent to MySQL; they are sent to blockchain.info, and blockchain.info will handle errors.

And yes, for now.  I have been working on encryption, which will be done with the user's password and make it impossible for me or anyone else to know their private key.
Sothh (OP)
September 19, 2013, 01:51:44 PM
 #11

Update:

First interest is being paid out today!

All accounts that hold more than 0.01 BTC will receive a portion of the ad revenue that has currently been received, which looks to be about 0.0025BTC per account.

Not very much, but a good start!
Sothh (OP)
October 14, 2013, 01:57:37 AM
 #12

Notice to all users, my hosting company (CINFU) has informed me that they will be closing my hosting account because it's against their terms to run "bank" systems on their servers.  As such, I will be shutting the service down.  Please withdraw all balances before the 28th of this month.  If you miss the deadline, send me a PM and I will do my best to get your funds to you.

This was a fun experiment, and I am pleased to report that a single satoshi was not stolen over the life of this project.  The code is still up on Google Code, though I don't maintain it.
Bitalo_Maciej
October 30, 2013, 02:28:26 PM
 #13

> Notice to all users, my hosting company (CINFU) has informed me that they will be closing my hosting account because it's against their terms to run "bank" systems on their servers.

Nice to know which hosting company not to use in future projects.

Sothh (OP)
October 30, 2013, 11:42:51 PM
 #14

> > Notice to all users, my hosting company (CINFU) has informed me that they will be closing my hosting account because it's against their terms to run "bank" systems on their servers.
>
> Nice to know which hosting company not to use in future projects.

They also terminated a hosting account I had to run my bitcoin scratch card site, which I had prepaid for a year.  I won't be using them again, needless to say.
maco
November 01, 2013, 06:48:34 AM
 #15

What do you need help with here? I am interested in getting involved with this project in terms of marketing and awareness or maybe some website integrations.