christop
Member
Activity: 84
Merit: 10
March 28, 2013, 03:14:28 PM

By the way, Google doesn't magically index those pages; somewhere, somehow, someone posted his URL on the webz.
Or Instawallet could have included wallet URLs in its sitemap.

Tips are always welcome: 17Z63hLi2ox4fCMhDqVJrLTJiXVcBMJpMo Alpaca socks donations: 1sockzDWcF8mrC59CgiN7HAJm6xL7TiRW

SgtSpike
Legendary
Activity: 1400
Merit: 1005
March 28, 2013, 03:21:54 PM

This problem was discussed several times before, including on my chat. I don't know why they decided to fix this only now, they already were aware of this problem.
By the way, Google doesn't magically index those pages; somewhere, somehow, someone posted his URL on the webz.

I heard that Google sometimes crawls webpages that its users (Chrome) visit? True/not true?

MysteryMiner
Legendary
Activity: 1512
Merit: 1049
Death to enemies!
March 28, 2013, 03:24:06 PM

This problem was discussed several times before, including on my chat. I don't know why they decided to fix this only now, they already were aware of this problem.
By the way, Google doesn't magically index those pages; somewhere, somehow, someone posted his URL on the webz.
I heard that Google sometimes crawls webpages that its users (Chrome) visit? True/not true?

True. Also some antivirus and firewall companies do this. By now they have at least a dozen instawallet URLs.

bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j

pinger
Legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
March 28, 2013, 03:35:35 PM

For rent

Nicolai
Newbie
Activity: 39
Merit: 0
March 28, 2013, 03:40:27 PM

Lol, this is not a security flaw in instawallet. If someone posts their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook? Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc. And I really don't hope you spent 6 hours telling them to add two lines to a txt file?

the founder (OP)
March 28, 2013, 06:27:00 PM

Lol, this is not a security flaw in instawallet. If someone posts their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook? Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc. And I really don't hope you spent 6 hours telling them to add two lines to a txt file?

Of course I'm not spending 6 hours telling them how to fix their robots.txt file. For some reason everyone keeps saying it was the robots.txt file; it wasn't. If you guys actually spent the time looking at the screenshots you would realize that it's not, nor was it, the robots.txt file.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

pinger
Legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
March 28, 2013, 07:16:59 PM

Lol, this is not a security flaw in instawallet. If someone posts their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook? Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc. And I really don't hope you spent 6 hours telling them to add two lines to a txt file?
Of course I'm not spending 6 hours telling them how to fix their robots.txt file. For some reason everyone keeps saying it was the robots.txt file; it wasn't. If you guys actually spent the time looking at the screenshots you would realize that it's not, nor was it, the robots.txt file.

Anyway, thanks for this responsible disclosure.

For rent

Nicolai
Newbie
Activity: 39
Merit: 0
March 28, 2013, 09:21:53 PM

On the screenshot we can see that you just searched for "site:instawallet.org"; this is something that has been known for ages (e.g. https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT). Aka "Google hacking", "google dork", whatever, it has nothing to do with hacking. But simply asking google not to index or list items on your website doesn't "fix" it, because it has never been a security problem in instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.

Changing the "site" command to e.g. "allintext" and voilà, free bitcoins: https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g
https://i.imgur.com/aDx3rfO.png

But no, I'm not blaming instawallet.

the founder (OP)
March 29, 2013, 12:01:11 AM

On the screenshot we can see that you just searched for "site:instawallet.org"; this is something that has been known for ages (e.g.
Aka "Google hacking", "google dork", whatever, it has nothing to do with hacking.
But simply asking google not to index or list items on your website doesn't "fix" it, because it has never been a security problem in instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.
Changing the "site" command to e.g. "allintext" and voilà, free bitcoins:
But no, I'm not blaming instawallet.

1 - Freaking linking like that to someone's wallet? Seriously?
2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it. Show me that screenshot of where you found it, because I'm willing to bet you found it on a scraper using the allintext operator.
3 - Someone trusts their bitcoins to instawallet, and instawallet's structure allows someone to steal those coins; how is that not a security problem? Please enlighten all of us.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

Killdozer
March 29, 2013, 12:21:26 AM

3 - Someone trusts their bitcoins to instawallet, and instawallet's structure allows someone to steal those coins; how is that not a security problem? Please enlighten all of us.

URLs showing up in google does not mean that it was instawallet that "leaked" them. If there was some magical page on instawallet that listed all addresses then this "bug" of yours would not be about ~100 BTC, but about much more. Thus, this simply is about google crawling some URLs from people's browsers, toolbars, links on other websites, etc. Not a "bug" in instawallet per se, but sure, it's better to robots.txt-disable it anyway.

the founder (OP)
March 29, 2013, 12:47:31 AM

it's better to robots.txt-disable it anyway.

I'm going to repeat here what I stated in the other thread. Google's definition of the robots.txt file isn't what you guys think it is.
1. You guys all believe it's a "do not list these directories and pages".
2. Google's definition is "do not spider these directories and pages".
They are NOT the same definition. Not even close. If you saw the screenshots on the article listed on this thread, you'd see immediately that it was not the robots.txt file.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

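The two points made just above (Killdozer's: the search engine learned the URLs from browsers, toolbars and links on other sites; the founder's: a robots.txt Disallow means "do not spider", not "do not list") can be shown with a small crawler simulation. This is an added example written for this thread, not code from the forum or from Instawallet; the hosts, page contents and the WALLET_A / WALLET_B ids are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed mini-web (hypothetical hosts): a wallet site whose robots.txt says
# "Disallow: /w/", and a paste site linking one wallet URL (placeholder ids, not real).
ROBOTS = {"instawallet.example": "User-agent: *\nDisallow: /w/\n"}
PAGES = {
    "https://instawallet.example/": '<a href="/about">about</a>',
    "https://instawallet.example/about": "public page, no wallet links",
    "https://instawallet.example/w/WALLET_A": '<a href="/w/WALLET_B">next</a>',
    "https://instawallet.example/w/WALLET_B": "wallet page linked only from WALLET_A",
    "https://paste.example/abc": 'my wallet: <a href="https://instawallet.example/w/WALLET_A">x</a>',
}

def disallowed_prefixes(robots_txt):
    """Disallow prefixes of the all-agents group: a 'do not fetch' rule, nothing more."""
    prefixes = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            if path := line.split(":", 1)[1].strip():
                prefixes.append(path)
    return prefixes

def may_fetch(url, robots=ROBOTS):
    """True if the robots.txt of the URL's host permits fetching its path."""
    parts = urlparse(url)
    rules = disallowed_prefixes(robots.get(parts.netloc, ""))
    return not any(parts.path.startswith(p) for p in rules)

def crawl(seeds, robots=ROBOTS):
    """Link-following crawler over PAGES. Returns (fetched, listed): 'listed' holds
    every URL learned from a link, including ones robots.txt forbids fetching."""
    fetched, listed, queue = set(), set(), list(seeds)
    while queue:
        url = queue.pop()
        if url in listed:
            continue
        listed.add(url)  # discovered via a link: can be shown in search results
        if url not in PAGES or not may_fetch(url, robots):
            continue  # Disallow stops the spidering, not the listing
        fetched.add(url)
        for href in re.findall(r'href="([^"]+)"', PAGES[url]):
            if href.startswith("/"):
                href = f"https://{urlparse(url).netloc}{href}"
            queue.append(href)
    return fetched, listed

if __name__ == "__main__":
    print(crawl(["https://instawallet.example/", "https://paste.example/abc"]))
```

With the Disallow in place, WALLET_A ends up in the listed set but not the fetched set (its URL came from the paste site), while WALLET_B, reachable only through the blocked wallet page, is never discovered; remove the Disallow line and both are fetched. The rule controls what the crawler reads, so a wallet URL that doubles as the credential stays secret only as long as it never appears on a page the crawler can read.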
Nicolai
Newbie
Activity: 39
Merit: 0
March 29, 2013, 02:06:50 AM

1 - Freaking linking like that to someone's wallet? Seriously?

Someone decided to post it publicly (not me) and everyone (Google) can access this. Also it's not even what I usually pay in transaction fees :lol: It's not like someone is going to miss these coins.

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it. Show me that screenshot of where you found it, because I'm willing to bet you found it on a scraper using the allintext operator.

Just go to page 2 of google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10 (how do you think google found "your" links vs how google found "my" links?)

3 - Someone trusts their bitcoins to instawallet, and instawallet's structure allows someone to steal those coins; how is that not a security problem? Please enlighten me.

omfg - instawallet url = private key = "username + password". Give me your hotmail username and password and I can "hack hotmail".

infested999
March 29, 2013, 02:23:41 AM

There is 0.0005496 BTC in that wallet but the minimum to receive it is 0.01 BTC. That means that to get it someone has to transfer 0.0094504 BTC into it and immediately take everything out. However it's risky because someone else might take out everything while you are depositing.

the founder (OP)
March 29, 2013, 02:36:45 AM

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it. Show me that screenshot of where you found it, because I'm willing to bet you found it on a scraper using the allintext operator.
Just go to page 2 of google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10 (how do you think google found "your" links vs how google found "my" links?)

=== The link in Google that you showed me didn't show any instawallet addresses; however it did show a bunch of pastebin crap with instawallet URLs in there (including the one you displayed above). It's not the same thing, not even close. Those URLs didn't come from Instawallet in Google's index, they came from pastebin.

3 - Someone trusts their bitcoins to instawallet, and instawallet's structure allows someone to steal those coins; how is that not a security problem? Please enlighten me.
omfg - instawallet url = private key = "username + password". Give me your hotmail username and password and I can "hack hotmail".

=== In this case you're saying "I want your username and password"; instead I just want to google your e-mail address and automatically log into your account. I don't want your username and password; in your example google has the username and password included in the click-through URL.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

paraipan
In memoriam
Legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
March 29, 2013, 02:39:19 AM

You did the right thing dude, now can we close this thread please?
kthx

BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep

the founder (OP)
March 29, 2013, 02:39:43 AM

You did the right thing dude, now can we close this thread please?
kthx

Yea, I'm done with it.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f