instawallet has fallen new owner stealing

[yodog]

My 52.39 btc is also 'missing' sent from one instawallet to another address and the coins are not showing up in the block chain, and the new address isn't showing up either cause its never been used.....

and yet on the address where the 52.39 btc were sent from shows unspent coins but they are no longer in the instawallet

http://blockchain.info/unspent?active=17iQhdkNpoxYcNNcXodPjTWUqSuTC8XaF4&format=html   

The coins showed up to the sent wallet, so everything has been resolved. I know for next time to just use a bitcoin mixer and just pay the 1-3% fee...

[Raoul Duke]

My 52.39 btc is also 'missing' sent from one instawallet to another address and the coins are not showing up in the block chain, and the new address isn't showing up either cause its never been used.....

and yet on the address where the 52.39 btc were sent from shows unspent coins but they are no longer in the instawallet

http://blockchain.info/unspent?active=17iQhdkNpoxYcNNcXodPjTWUqSuTC8XaF4&format=html   

The coins showed up to the sent wallet, so everything has been resolved. I know for next time to just use a bitcoin mixer and just pay the 1-3% fee...

You really want to lose your coins, don't you?

[rpietila]

My 52.39 btc is also 'missing' sent from one instawallet to another address and the coins are not showing up in the block chain, and the new address isn't showing up either cause its never been used.....

and yet on the address where the 52.39 btc were sent from shows unspent coins but they are no longer in the instawallet

http://blockchain.info/unspent?active=17iQhdkNpoxYcNNcXodPjTWUqSuTC8XaF4&format=html   

The coins showed up to the sent wallet, so everything has been resolved. I know for next time to just use a bitcoin mixer and just pay the 1-3% fee...

You really want to lose your coins, don't you?

If you definitely want to do that, use the easywallet.org. The only online service that I have been able to keep BTC100 for an extended time without anything happening.

[yodog]

I have filtered 1000$'s of dollars worth of btc thru bitcoinfog, not once has the coins been held up like this on instawallet, or entire wallet disappearing from blockchain.info It had about 3500$ worth of my coins, luckily I had backed up the wallet!!!

[DigitalHermit]

Instawallet has been leaking wallet URLs to Google making them fully indexed/searchable.

Absolutely devastating security hole. I can't see ever trusting them again:

http://www.adaptiveglass.com/?p=656

[SgtSpike]

Instawallet has been leaking wallet URLs to Google making them fully indexed/searchable.

Absolutely devastating security hole. I can't see ever trusting them again:

http://www.adaptiveglass.com/?p=656

I feel like I knew about this a long time ago somehow.  Did this happen before?

[Raoul Duke]

Instawallet has been leaking wallet URLs to Google making them fully indexed/searchable.

Absolutely devastating security hole. I can't see ever trusting them again:

http://www.adaptiveglass.com/?p=656

I feel like I knew about this a long time ago somehow.  Did this happen before?

It did.
They said it was because it created a new wallet when google bot visted them. Very quick to write it off.
I'll try and search the thread later. Great lolz will follow

[SgtSpike]

Instawallet has been leaking wallet URLs to Google making them fully indexed/searchable.

Absolutely devastating security hole. I can't see ever trusting them again:

http://www.adaptiveglass.com/?p=656

I feel like I knew about this a long time ago somehow.  Did this happen before?

It did.
They said it was because it created a new wallet when google bot visted them. Very quick to write it off.
I'll try and search the thread later. Great lolz will follow

Sweet.  My memories are vindicated.

[SgtSpike]

Instawallet has been leaking wallet URLs to Google making them fully indexed/searchable.

Absolutely devastating security hole. I can't see ever trusting them again:

http://www.adaptiveglass.com/?p=656

I feel like I knew about this a long time ago somehow.  Did this happen before?

It did.
They said it was because it created a new wallet when google bot visted them. Very quick to write it off.
I'll try and search the thread later. Great lolz will follow

I found this:  https://bitcointalk.org/index.php?topic=87387.msg982779#msg982779
It might have been TorWallet you were thinking of.

But I did find this:  https://bitcointalk.org/index.php?topic=6785.msg387831#msg387831
Didn't follow the thread much further.  Obviously, Google indexing instawallet pages is a problem that has existed since it started.  It seems like this post wasn't taken seriously at all.

[Phinnaeus Gage]

What if a person sets up an RSS feed from Google, informing him each time the phrase "instawallet.org/w" is indexed? All the person would have to do is check the complete URL to see if it's funded.

I'm sure there are, or will be, people who'll think they're protected, posting the URL to their InstaWallet on some public domain.

[Injust]

Instawallet now has a robots.txt file that blocks Google from indexing all Instawallet URLs with "/w/" in them.

[Phinnaeus Gage]

@davout

I trust your site, but allow me to play Devil's advocate.

Could a scammer do somthing similar to the following?

He meets his mark at Starbucks where one of his comrades has already sat up a URL sniffer. He has the mark whose new to the Bitcoin scene go to instawallet.org. A new wallet it generate. Money and bitcoins change hands.

A wise scammer would wait several days before attempting to steal back the funds with the hope that more would be in it now that the mark feels comfortable using the system, being too lazy to get another IW or exploring another client.

If I lived in Chicago and my name were Rockso, this is what I would attempt.

[dooglus]

SSL encryption, makes it impossible to compromise a wallet by sniffing traffic between the client and the server.

Isn't it true that several certificate authorities have had their signing certificates stolen, meaning that it's possible for attackers to initiate man-in-the-middle attacks on SSL sites without alerting the end user?  I don't know the details, but I'm sure I've read in several places that SSL isn't particularly secure given the number of CAs that most browsers trust by default.

[Phinnaeus Gage]

SSL encryption, makes it impossible to compromise a wallet by sniffing traffic between the client and the server.

Isn't it true that several certificate authorities have had their signing certificates stolen, meaning that it's possible for attackers to initiate man-in-the-middle attacks on SSL sites without alerting the end user?  I don't know the details, but I'm sure I've read in several places that SSL isn't particularly secure given the number of CAs that most browsers trust by default.

http://blog.g0tmi1k.com/2009/07/video-stripping-ssl-sniffing-https.html

[dooglus]

http://blog.g0tmi1k.com/2009/07/video-stripping-ssl-sniffing-https.html

Yes, I've seen that before, and experimented with it, but it's not what I'm thinking of.  That technique tricks the user into making a regular HTTP connection by modifying links.  So if you visit http://yourbank.com/ and it has a link to https://online-banking.yourbank.com/ they effectively just remove the 's' after 'http' so you make a regular unencrypted connection, which they can then sniff.

http://www.computerworld.com/s/article/9219663/Hackers_may_have_stolen_over_200_SSL_certificates is more the kind of thing I'm talking about.  I break into a Dutch certificate authority's computers, and generate myself a certificate for instawallet.org.  I then poison your DNS so you come to me instead of directly to instawallet.org, I present you with my ill-gotten certificate, and your browser shows you that you're connected securely and everything's encrypted and fine.  I can choose to pass you on through to the real instawallet.org, or I can just steal your secret URL and present you with a message saying "restarting bitcoind takes all day, sorry" or similar.

[Raoul Duke]

The matter about google indexing instawallet's pages was brought up on Torwallet's thread, yes.
Here is Davout saying it doesn't matter: https://bitcointalk.org/index.php?topic=87387.msg979815#msg979815

As rjk said, if you keep your url safe (not post it anywhere online) google can't find it.

I gave an example. The right person will understand this.

Assertion 1 :
Your search yields approximately 19 URLs.
There are over 250,000 different wallets at Instawallet.

Assertion 2 :
Google does not magically index hidden wallet URLs.

Make your conclusions.

[AndreyE]

3.2 BTC stolen from me, and 3.2 from a friend of mine

[dave111223]

Looks like the whole site is offline now.

[JordanL]

Looks like the whole site is offline now.

We have detected a security breach. Services are temporarily suspended until we have thoroughly investigated the situation. We will resume services as soon as possible.

Please do not send funds to your address for the time being.

Stay tuned for further updates, thank you for your understanding.

Wow, shitty.

[greyhawk]

Aaaaaaaaand it's gone. Forever. This is an ex-change, wait, I mean, this ship has banked, wait, I mean, it's bubble has popped.