bbit
Legendary
 Offline
Activity: 1330
Merit: 1000
Bitcoin
|
 |
March 26, 2013, 06:47:17 PM |
|
THEY RESPONDED
trolling ? lol |
|
|
|
Matthew N. Wright
Untrustworthy
Hero Member
Offline
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
|
|
March 26, 2013, 06:47:32 PM |
|
The flaw is idiot level. It's something that I assume was explored, methods against it were conceived and mostly implemented and someone forgot to upload it.
It had to have been something like that.
Good news though we're talking about at most a hundred coins.. Not thousands
Send them an email, tell them that you will take the coins so they are safe and no one else steal them (if someone else steal the coins, you'll be on the hook for it since you contacted them) Grab the coins and email them and telling them you did it to prevent a not so honest person do the same.. I'm sure when they see the issue, they'll understand. What about taking the coins then sending them to a known address of the company or company's owner. That might work. Sure, whatever, but if the coins are left there in the open, someone else might find that flaw and actually steal the coins. I'd grab them and send them to an address and then simply give them the private key once they acknowledge how stupid they are. They better reward you or at least offer you a reward even if you choose not to accept it! I tried exactly this once with a popular social media site half a decade ago, and they pretended to be thankful for finding the glaring security holes and kept asking me for more help and even asked for me to write up some security suggestions for them. They even offered me points on their website for a reward and such, and because I accepted, they tried to later say that I had blackmailed them. Turns out, they were trying to collect information to post about me and brand me as a "blackmailer hacker". They even recorded our phone calls (which was illegal in their state and thus they didn't use it). The employees who did this were subsequently fired of course by the corporate owners who took over the company and brought in an entirely new management group that I became friends with. Moral of the story? There isn't one. Some people are dicks and you have to do what you do and deal with it as it comes. |
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1498
Merit: 1042
Death to enemies!
|
|
March 26, 2013, 06:49:30 PM |
|
THEY RESPONDED
Text of the response: F**k off! There is no exploit. Thanks for ass king! |
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
|
the founder (OP)
|
|
March 26, 2013, 06:56:50 PM |
|
ok I gave them exactly how to duplicate the flaw.
I also showed them how to correct it.
|
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f |
|
|
tysat
Legendary
Offline
Activity: 966
Merit: 1004
Keep it real
|
|
March 26, 2013, 06:59:23 PM |
|
ok I gave them exactly how to duplicate the flaw.
I also showed them how to correct it.
After it's been corrected could you explain what the flaw was and who it was with? |
|
|
|
|
|
the founder (OP)
|
|
March 26, 2013, 07:02:27 PM |
|
I promise you that I will.
|
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f |
|
|
MysteryMiner
Legendary
Offline
Activity: 1498
Merit: 1042
Death to enemies!
|
|
March 26, 2013, 07:06:53 PM |
|
When You will be old, sitting alone next to crappy computer, You will remember this possibility of getting 100 coins worth about 8 millions. Life is not fair and never will be, get used to it and act!
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
fcmatt
Legendary
Offline
Activity: 2072
Merit: 1001
|
|
March 26, 2013, 07:24:32 PM |
|
I once worked for a guy who said "Do the right thing" pretty often. He ended up ripping me off.
just remember this.
NO GOOD DEED GOES UNPUNISHED
watch your back.
The OP is right to be an honest person. just remember this:You get what you deserve. I dont think many here understand what I meant. So he pokes around and finds a bug (felony already). He discloses info to the web site. (nice guy). Website fixes bug but the CEO is pissed anyway and files police report (it happens). Good guy OP gets arrested for trying to do a good deed. |
|
|
|
|
|
the founder (OP)
|
|
March 26, 2013, 07:33:06 PM |
|
I once worked for a guy who said "Do the right thing" pretty often. He ended up ripping me off.
just remember this.
NO GOOD DEED GOES UNPUNISHED
watch your back.
The OP is right to be an honest person. just remember this:You get what you deserve. I dont think many here understand what I meant. So he pokes around and finds a bug (felony already). He discloses info to the web site. (nice guy). Website fixes bug but the CEO is pissed anyway and files police report (it happens). Good guy OP gets arrested for trying to do a good deed. I seriously hope that is not the outcome, I protected the identity (and will continue until the bug is fixed) and the poking around was purely an accident... which led me to believe that this was an idiot level mistake. The owner is on it, and confirmed the exploit. |
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f |
|
|
|
annette786
|
|
March 26, 2013, 10:08:21 PM |
|
100 coin max exploit? It's obvious who the company is then.
|
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1498
Merit: 1042
Death to enemies!
|
|
March 27, 2013, 12:30:59 AM |
|
100 coin max exploit? It's obvious who the company is then.
BFL ? |
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
Jaw3bmasters
Full Member
Offline
Activity: 196
Merit: 100
Another block in the wall
|
|
March 27, 2013, 12:36:32 AM |
|
100 coin max exploit? It's obvious who the company is then.
Yep. Should be fix soon. |
In Cryptography we trust.
|
|
|
|
Franktank
|
|
March 27, 2013, 12:58:27 AM |
|
Can we say names or...?
|
|
|
|
|
|
uk1
|
|
March 27, 2013, 01:06:15 AM |
|
blockchain.info
|
|
|
|
Jaw3bmasters
Full Member
Offline
Activity: 196
Merit: 100
Another block in the wall
|
|
March 27, 2013, 01:10:58 AM |
|
Can we say names or...?
The OP's 8 hour timeline seems to coincide with the announced resolved from said company. |
In Cryptography we trust.
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1498
Merit: 1042
Death to enemies!
|
|
March 27, 2013, 01:01:14 PM |
|
What was the exploit? Bitcoind available for everyone without password?
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
|
optimator
|
|
March 27, 2013, 01:16:54 PM
Last edit: March 28, 2013, 11:17:30 PM by optimator |
|
I tried exactly this once with a popular social media site half a decade ago, and they pretended to be thankful for finding the glaring security holes and kept asking me for more help and even asked for me to write up some security suggestions for them. They even offered me points on their website for a reward and such, and because I accepted, they tried to later say that I had blackmailed them. Turns out, they were trying to collect information to post about me and brand me as a "blackmailer hacker". They even recorded our phone calls (which was illegal in their state and thus they didn't use it). The employees who did this were subsequently fired of course by the corporate owners who took over the company and brought in an entirely new management group that I became friends with.
Moral of the story? There isn't one. Some people are dicks and you have to do what you do and deal with it as it comes.
The duplicity of security standards annoys me. I have no way of knowing if the bank doors are locked at night. Shouldn't I be allowed to check? If I try and test to see if the bank doors are locked and someone sees me I might get arrested. If no one sees me and I tell the bank, "hey your doors aren't locked!" I will go down hard and there are no repercussions for the bank. What a strange world we've created... |
|
|
|
|
the founder (OP)
|
|
March 27, 2013, 07:08:23 PM |
|
Dear Instawallet, Yesterday I discovered a security flaw with your site, I spent nearly 6 hours working with David Francois Chief Technology Officer at Paymium The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymimum, Paytunia, Instawire, and Bitcoin Central as all of these companies are yours. After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, As all the URL’s of roughly 3000 people were publicly listed. http://www.adaptiveglass.com/?p=656 |
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f |
|
|
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
|
|
March 27, 2013, 07:13:56 PM |
|
Dear Instawallet, Yesterday I discovered a security flaw with your site, I spent nearly 6 hours working with David Francois Chief Technology Officer at Paymium The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymimum, Paytunia, Instawire, and Bitcoin Central as all of these companies are yours. After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, As all the URL’s of roughly 3000 people were publicly listed. http://www.adaptiveglass.com/?p=656Davout... don't you think this guy deserves some BTC for his work? EDIT: Also, Google is still spitting out one wallet to me: https://instawallet.org/r/aHR0cHM6Ly9pbnN0YXdhbGxldC5vcmc= |
|
|
|
|
ingrownpocket
Legendary
Offline
Activity: 952
Merit: 1000
|
|
March 28, 2013, 01:43:58 PM |
|
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now, they already were aware of this problem.
By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
|
|
|
|
|
|
