Bitcoin Forum
Author Topic: Dumb Question : If I found a security flaw with a major bitcoin company ..  (Read 7280 times)
christop
Member
March 28, 2013, 03:14:28 PM
#61

Quote
By the way, Google doesn't magically index those pages; somewhere, somehow, someone posted his URL on the webz.
Or Instawallet could have included wallet URLs in its sitemap.

SgtSpike
Legendary
March 28, 2013, 03:21:54 PM
#62

Quote
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now; they were already aware of this problem.

By the way, Google doesn't magically index those pages; somewhere, somehow, someone posted his URL on the webz.

I heard that Google sometimes crawls webpages that its users (Chrome) visit? True/not true?
MysteryMiner
Legendary
March 28, 2013, 03:24:06 PM
#63

Quote
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now; they were already aware of this problem.

By the way, Google doesn't magically index those pages; somewhere, somehow, someone posted his URL on the webz.
I heard that Google sometimes crawls webpages that its users (Chrome) visit? True/not true?

True. Also some antivirus and firewall companies do this. By now they have at least a dozen Instawallet URLs.

pinger
Legendary
March 28, 2013, 03:35:35 PM
#64

I also found a wallet on Google:

https://instawallet.org/w/iSIzx4rC9ZWh0ygXLfMhh5p12LZUqMarA

It is empty, no surprise.


Nicolai
Newbie
March 28, 2013, 03:40:27 PM
#65

Lol, this is not a security flaw in Instawallet.

If someone posts their Facebook username + password to e.g. Pastebin, would you then call it a flaw in Facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but not having it is not a security flaw, just as it's not a security flaw not to send the "X-XSS-Protection" header, etc.

And I really hope you didn't spend 6 hours telling them to add two lines to a txt file?
the founder (OP)
Sr. Member
March 28, 2013, 06:27:00 PM
#66

Quote
Lol, this is not a security flaw in Instawallet.

If someone posts their Facebook username + password to e.g. Pastebin, would you then call it a flaw in Facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but not having it is not a security flaw, just as it's not a security flaw not to send the "X-XSS-Protection" header, etc.

And I really hope you didn't spend 6 hours telling them to add two lines to a txt file?

Of course I'm not spending 6 hours telling them how to fix their robots.txt file.

For some reason everyone keeps saying it was the robots.txt file; it wasn't. If you actually spent the time looking at the screenshots you would realize that it's not, nor was it, the robots.txt file.


pinger
Legendary
March 28, 2013, 07:16:59 PM
#67

Quote
Lol, this is not a security flaw in Instawallet.

If someone posts their Facebook username + password to e.g. Pastebin, would you then call it a flaw in Facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but not having it is not a security flaw, just as it's not a security flaw not to send the "X-XSS-Protection" header, etc.

And I really hope you didn't spend 6 hours telling them to add two lines to a txt file?

Of course I'm not spending 6 hours telling them how to fix their robots.txt file.

For some reason everyone keeps saying it was the robots.txt file; it wasn't. If you actually spent the time looking at the screenshots you would realize that it's not, nor was it, the robots.txt file.

Anyway, thanks for this responsible disclosure.

Nicolai
Newbie
March 28, 2013, 09:21:53 PM
#68

On the screenshot we can see that you just searched for "site:instawallet.org"; this has been known for ages (e.g. https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT). Aka "Google hacking", "Google dork", whatever; it has nothing to do with hacking.

But simply asking Google not to index or list items on your website doesn't "fix" it, because it has never been a security problem in Instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make Instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.

Changing the "site" command to e.g. "allintext" and voilà, free bitcoins:
https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g
https://i.imgur.com/aDx3rfO.png

But no, I'm not blaming Instawallet.
the founder (OP)
Sr. Member
March 29, 2013, 12:01:11 AM
#69

Quote
On the screenshot we can see that you just searched for "site:instawallet.org"; this has been known for ages (e.g. https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT). Aka "Google hacking", "Google dork", whatever; it has nothing to do with hacking.

But simply asking Google not to index or list items on your website doesn't "fix" it, because it has never been a security problem in Instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make Instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.

Changing the "site" command to e.g. "allintext" and voilà, free bitcoins:
https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g
https://i.imgur.com/aDx3rfO.png

But no, I'm not blaming Instawallet.

1 - Freaking linking like that to someone's wallet? Seriously?

2 - You didn't find that link directly on Google; you found someone that was scraping or whatever and then linking to it. Show me the screenshot of where you found it, because I'm willing to bet you found it on a scraper using the allintext operator.

3 - Someone trusts their bitcoins to Instawallet, and Instawallet's structure allows someone to steal those coins; how is that not a security problem? Please enlighten all of us.


Killdozer
Full Member
March 29, 2013, 12:21:26 AM
#70

Quote
3 - Someone trusts their bitcoins to Instawallet, and Instawallet's structure allows someone to steal those coins; how is that not a security problem? Please enlighten all of us.

URLs showing up in Google does not mean that it was Instawallet that "leaked" them.
If there were some magical page on Instawallet that listed all addresses then this "bug" of yours would not be about ~100 BTC, but about much more. Thus, this is simply about Google crawling some URLs from people's browsers, toolbars, links on other websites, etc. Not a "bug" in Instawallet per se, but sure, it's better to robots.txt-disable it anyway.

the founder (OP)
Sr. Member
March 29, 2013, 12:47:31 AM
#71

Quote
it's better to robots.txt-disable it anyway.

I'm going to repeat here what I stated in the other thread.

Quote from: The Founder
Google's definition of a robots.txt file isn't what you guys think it is.

1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"

They are NOT the same definition. Not even close.

If you saw the screenshots in the article linked in this thread, you'd see immediately that it was not the robots.txt file.

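The distinction the Founder draws above between "do not list" and "do not spider" is the one Google's own documentation makes: a robots.txt Disallow stops the crawler from fetching a path, but a URL that is linked from somewhere else can still appear in search results from the link alone, and the directive that actually keeps a page out of results is noindex (an X-Robots-Tag header or a meta tag), which the crawler can only read on a page it is allowed to fetch. The Python script below is an added illustration of that model and is not code from this thread or from Instawallet; the robots.txt texts, the example.com URL with its placeholder token, and the header set returned by wallet_page_headers() are all constructed for the example.

```python
import urllib.robotparser

# Constructed robots.txt in the shape discussed in the thread: crawling of /w/ is forbidden.
ROBOTS_DISALLOW_W = "User-agent: *\nDisallow: /w/\n"
# Constructed robots.txt that leaves /w/ crawlable, so a noindex directive on the page can be seen.
ROBOTS_OPEN = "User-agent: *\nDisallow: /admin/\n"

# Capability-style URL in the shape the thread discusses; the token is a placeholder, not a real wallet.
WALLET_URL = "https://example.com/w/EXAMPLE-SECRET-TOKEN"


def crawl_allowed(robots_txt: str, url: str, agent: str = "*") -> bool:
    """The "do not spider" check: True if robots.txt lets `agent` fetch `url`."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def has_noindex(headers: dict) -> bool:
    """True if an X-Robots-Tag response header carries a noindex directive.

    Handles the plain form "noindex, nofollow" and the agent-scoped form
    "googlebot: noindex" by taking the part after the colon of each token.
    """
    value = ""
    for name, v in headers.items():
        if name.lower() == "x-robots-tag":
            value = v
            break
    tokens = {t.strip().lower().split(":")[-1].strip() for t in value.split(",")}
    return "noindex" in tokens


def listing_outcome(robots_txt: str, url: str, headers: dict) -> str:
    """Classify what a search engine may do with `url` (simplified model of Google's rules).

    "crawl-blocked": robots.txt forbids fetching the page. The engine never sees its
        headers, so any noindex directive is invisible, and the bare URL can still be
        listed if it is linked from elsewhere (a paste site, a toolbar submission, a forum).
    "noindex": the page is crawlable and tells the engine not to list it.
    "indexable": nothing stops the page from being crawled and listed.
    """
    if not crawl_allowed(robots_txt, url):
        return "crawl-blocked"
    if has_noindex(headers):
        return "noindex"
    return "indexable"


def wallet_page_headers() -> dict:
    """Hypothetical header set for a secret-bearing page: not listed, not archived, not cached.

    It only works together with a robots.txt that does NOT disallow the path; otherwise
    the crawler cannot read the directive (the "Disallow-only" case below).
    """
    return {
        "X-Robots-Tag": "noindex, nofollow, noarchive",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    print("Disallow only:     ", listing_outcome(ROBOTS_DISALLOW_W, WALLET_URL, {}))
    print("Disallow + noindex:", listing_outcome(ROBOTS_DISALLOW_W, WALLET_URL, wallet_page_headers()))
    print("noindex only:      ", listing_outcome(ROBOTS_OPEN, WALLET_URL, wallet_page_headers()))
    print("neither:           ", listing_outcome(ROBOTS_OPEN, WALLET_URL, {}))
```

The second case is the one that surprises people: adding both the Disallow line and the noindex header leaves the URL in the "crawl-blocked" state, because the crawler is turned away before it can read the header. Neither control removes a URL that a third party has already copied elsewhere; they only govern what the engine does with the page itself.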
Nicolai
Newbie
March 29, 2013, 02:06:50 AM
#72

Quote
1 - Freaking linking like that to someone's wallet? Seriously?
Someone decided to post it publicly (not me) and everyone (Google) can access this.
Also, it's not even what I usually pay in transaction fees :lol: It's not like someone is going to miss these coins.

Quote
2 - You didn't find that link directly on Google; you found someone that was scraping or whatever and then linking to it. Show me the screenshot of where you found it, because I'm willing to bet you found it on a scraper using the allintext operator.
Just go to page 2 of Google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10
(How do you think Google found "your" links vs. how Google found "my" links?)

Quote
3 - Someone trusts their bitcoins to Instawallet, and Instawallet's structure allows someone to steal those coins; how is that not a security problem? Please enlighten me.
omfg - Instawallet URL = private key = "username + password". Give me your Hotmail username and password and I can "hack Hotmail".
infested999
Hero Member
March 29, 2013, 02:23:41 AM
#73


There is 0.0005496 BTC in that wallet, but the minimum to take it out is 0.01 BTC. That means that to get it someone has to transfer 0.0094504 BTC into it and immediately take everything out. However, it's risky because someone else might take out everything while you are depositing.

the founder (OP)
Sr. Member
March 29, 2013, 02:36:45 AM
#74


Quote
2 - You didn't find that link directly on Google; you found someone that was scraping or whatever and then linking to it. Show me the screenshot of where you found it, because I'm willing to bet you found it on a scraper using the allintext operator.
Just go to page 2 of Google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10
(How do you think Google found "your" links vs. how Google found "my" links?)

=== The link in Google that you showed me didn't show any Instawallet addresses; however, it did show a bunch of Pastebin crap with Instawallet URLs in there (including the one you displayed above). It's not the same thing, not even close. Those URLs in Google's index didn't come from Instawallet, they came from Pastebin.

Quote
3 - Someone trusts their bitcoins to Instawallet, and Instawallet's structure allows someone to steal those coins; how is that not a security problem? Please enlighten me.
omfg - Instawallet URL = private key = "username + password". Give me your Hotmail username and password and I can "hack Hotmail".

=== In this case you're saying "I want your username and password"; instead I just want to Google your e-mail address and automatically log into your account. I don't want your username and password; in your example Google has the usernames and passwords included in the click-through URL.



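Both sides of the exchange above agree on the mechanics even while disagreeing on blame: the /w/ path is the credential, and the thread lists the routes by which such a URL reaches third parties (posted to a paste site, collected from browsers, toolbars or antivirus products, then indexed). One check the operator of such a service can run on their own side is to scan the access log for requests to secret-bearing paths that arrive with an off-site Referer, which shows that a particular URL is circulating outside its owner's own session and, as the Founder's Pastebin point illustrates, where it is circulating. The script below is an added example, not code from this thread or from Instawallet; the five log lines are constructed in combined log format with placeholder tokens, example.com is assumed to be the operator's own host, and the /w/ path shape is the thread's.

```python
import re
from urllib.parse import urlparse

# Constructed sample access log (combined log format); the tokens are placeholders, not real wallets.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2013:15:20:01 +0000] "GET /w/AAAAxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2013:15:21:10 +0000] "GET /w/BBBByyyyyyyyyyyyyyyyyyyyyyyy HTTP/1.1" 200 512 "https://www.google.com/search?q=site%3Aexample.com" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2013:15:22:45 +0000] "GET /w/BBBByyyyyyyyyyyyyyyyyyyyyyyy HTTP/1.1" 200 512 "https://pastebin.invalid/raw/abc" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2013:15:23:00 +0000] "GET /w/AAAAxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1" 200 512 "https://example.com/w/AAAAxxxxxxxxxxxxxxxxxxxxxxxx" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2013:15:24:00 +0000] "GET /about HTTP/1.1" 200 100 "https://www.google.com/" "Mozilla/5.0"
"""

SITE_HOST = "example.com"                        # assumption: the operator's own hostname
SECRET_PATH = re.compile(r"^/w/([A-Za-z0-9]+)")  # assumption: the secret-bearing path shape

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def mask_token(token: str) -> str:
    """Keep only a short prefix so the alert itself does not re-leak the secret."""
    return token[:4] + "..."


def is_offsite(referer: str) -> bool:
    """True if the Referer names a host other than our own (or a subdomain of it)."""
    if referer in ("", "-"):
        return False  # no referer: a typed/bookmarked visit, not evidence of exposure
    host = urlparse(referer).hostname or ""
    return not (host == SITE_HOST or host.endswith("." + SITE_HOST))


def find_leaked_urls(log_text: str) -> list:
    """Return [(masked_token, referring_host, hit_count)] for secret paths reached via off-site referers.

    Each entry means a secret URL was followed from a third-party page, i.e. it is
    known outside its owner's session; the referring host says where it surfaced.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        p = SECRET_PATH.match(m["path"])
        if not p or not is_offsite(m["referer"]):
            continue
        key = (mask_token(p.group(1)), urlparse(m["referer"]).hostname)
        hits[key] = hits.get(key, 0) + 1
    return sorted((tok, host, n) for (tok, host), n in hits.items())


if __name__ == "__main__":
    for token, host, count in find_leaked_urls(SAMPLE_LOG):
        print(f"secret URL {token} reached via {host} ({count} hit(s))")
```

On the sample data only the BBBB token is flagged, once from a search engine and once from the paste site, while the AAAA token's visits (no referer, and an on-site referer) are left alone. Masking the token in the output matters because the alert will itself end up in a ticket or a chat channel, which is exactly the kind of place such a URL leaks from.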
paraipan
In memoriam
Legendary
March 29, 2013, 02:39:19 AM
#75

You did the right thing dude, now can we close this thread please?

kthx

the founder (OP)
Sr. Member
March 29, 2013, 02:39:43 AM
#76

Quote
You did the right thing dude, now can we close this thread please?

kthx

Yea, I'm done with it.
