Bitcoin Forum
Topic: Open Letter to Instawallet
the founder (OP), March 27, 2013, 07:07:42 PM, #1

Dear Instawallet,

Yesterday I discovered a security flaw with your site. I spent nearly 6 hours working with David Francois, Chief Technology Officer at Paymium.

The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central, as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
"Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own." -- Satoshi
bitstarter, March 27, 2013, 07:08:52 PM, #2

Quote from: the founder (OP)
Dear Instawallet,

Yesterday I discovered a security flaw with your site. I spent nearly 6 hours working with David Francois, Chief Technology Officer at Paymium.

The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central, as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656

Great to hear!

Bitcoin Crowd Funding! Bitcoinstarter.com
the founder (OP), March 27, 2013, 07:11:33 PM, #3

Quote from: bitstarter
Great to hear!

You should read the whole article...

Quote (from the article):
After spending 6 hours of my time trying to fix your problem, a problem that I didn't create, nor really discover. What happened was Google indexed them. I ran a site command working on a client's site and cut and pasted instawallet rather than the client's URL by accident; I was then greeted with the bitcoins of 3000 of your users.

I did what any responsible person should do: I contacted you.

At the end of a day's work helping and SOLVING your security flaw, I stated "you should tip me some bitcoins :)"
Of course you disappeared.

Would it really have hurt you to say thanks?

Piper67, March 27, 2013, 07:11:45 PM, #4

The day we institute a Bitcoin Citizen of the Month award, I nominate The Founder :D
the founder (OP), March 27, 2013, 07:13:43 PM, #5

Quote from: Piper67
The day we institute a Bitcoin Citizen of the Month award, I nominate The Founder :D

You can nominate me here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

Seriously, it's wrong what Instawallet did... I spent a whole day fixing their crap. They won't even say thanks or give me a satoshi.


qxzn, March 27, 2013, 07:13:52 PM, #6

Quote from: Piper67
The day we institute a Bitcoin Citizen of the Month award, I nominate The Founder :D

Agreed! Hat tip to you, sir.
mccorvic, March 27, 2013, 07:14:38 PM, #7

Did you tell them up front that you'd be demanding payment?

Offering Video/Audio Editing Services since 2011 - https://bitcointalk.org/index.php?topic=77932.0
the founder (OP), March 27, 2013, 07:15:11 PM, #8

Quote from: qxzn
Quote from: Piper67
The day we institute a Bitcoin Citizen of the Month award, I nominate The Founder :D

Agreed! Hat tip to you, sir.

LOL, hat tip here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

Seriously, it would shove a thank-you down their throat if people donated, realizing I did what Instawallet should have.

the founder (OP), March 27, 2013, 07:16:29 PM, #9

Quote from: mccorvic
Did you tell them up front that you'd be demanding payment?

No, I didn't care if it was payment or a thank you (I would have liked payment more), but I got neither.

mccorvic, March 27, 2013, 07:17:29 PM, #10

Quote from: the founder (OP)
Quote from: mccorvic
Did you tell them up front that you'd be demanding payment?

No, I didn't care if it was payment or a thank you (I would have liked payment more), but I got neither.

Well, maybe you should have told them first. It would probably have saved you the time of posting this thread if you had.

cho, March 27, 2013, 07:18:57 PM, #11

My opinion: you should have tipped him generously while the topic was hot.
Now that it's cold and thefounder needs to publicly complain about your attitude, you should thank him and pay him 6 hours of consulting time; that would be fair. Unless thefounder lies or exaggerates the issue, which is hard to believe.
Just my opinion.

1KEWxTkXPgfB9MdHJcfyoVnfHRnYEHQJPw
justusranvier, March 27, 2013, 07:21:57 PM, #12

Quote from: cho
Unless thefounder lies or exaggerates the issue, which is hard to believe.

If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.
cho, March 27, 2013, 07:24:38 PM, #13

Quote from: justusranvier
Quote from: cho
Unless thefounder lies or exaggerates the issue, which is hard to believe.

If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.

Moreover, that mistake is avoidable with a properly configured robots.txt; it sounds like a very basic mistake to me. That said, it's hard to cover your ass from all the possible mistakes. But that one... Quite a fail.

Matthew N. Wright, March 27, 2013, 07:29:34 PM, #14

That's enough grandstanding, TheFounder. Kicking and screaming is going to push them to ignore you even more.

As for instawallet, they're probably embarrassed and considering how to respond. Give them time. What is it with this community and an inherent sense of entitlement?

justusranvier, March 27, 2013, 07:31:27 PM, #15

Quote from: cho
it sounds like a very basic mistake to me.

We've heard that story many, many times already. "Due to a really basic mistake I accidentally all your bitcoins."
the founder (OP), March 27, 2013, 07:33:15 PM (last edit: March 27, 2013, 07:53:32 PM by the founder), #16

Quote:
So you're extorting them? You want bitcoins because you did the right thing and didn't STEAL, which is morally wrong. Dude, be happy you helped 3,000 people not lose their wealth and stop looking for the coins at the end of the road. I would say good, you helped fix an error, but that you are looking for a handout kinda leaves a bad taste in my mouth.

I would have been happy with a thank you. If extorting them is wondering why I never got thanked, then I take issue with your definition of extortion.

Quote from: justusranvier
Quote from: cho
Unless thefounder lies or exaggerates the issue, which is hard to believe.

If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.

That's why I contacted them ASAP.




mccorvic, March 27, 2013, 08:02:16 PM, #17

Quote from: the founder (OP)
I would have been happy with a thank you. If extorting them is wondering why I never got thanked, then I take issue with your definition of extortion.

If that is true (I'm not saying it isn't), I think you diluted your message by including an address in your posts.

Peter Todd, March 27, 2013, 08:11:01 PM, #18

Quote from: Matthew N. Wright
That's enough grandstanding, TheFounder. Kicking and screaming is going to push them to ignore you even more.

As for instawallet, they're probably embarrassed and considering how to respond. Give them time. What is it with this community and an inherent sense of entitlement?

...or they found another issue and are scrambling to fix it. Or they want(ed) to give the OP a significant reward, but need approval from their investors/board/mom/whatever. Or their kid got sick. Who knows?

I'd have given it at least a week or two myself, and kept my mouth shut about the issue, in case there were more holes I didn't find, let alone all the other possible reasons it's taken them more than a day to respond. Besides, frankly, I think a more appropriate thing to do is simply ask (privately) for credit for finding the issue rather than turning it into drama. Money is nice, but a good reputation is worth more in the long run.

Having said that... services should be rewarding people who find serious bugs, simply to encourage ethical reporting rather than exploitation.

BTC Books, March 27, 2013, 08:15:33 PM, #19

Well, I've got nothing to do with Instawallet, nor do I use it.

But thank you anyway.

Dankedan: price seems low, time to sell I think...
spunit262, March 27, 2013, 08:23:57 PM, #20

I want to know how Google found the wallets. Doesn't the fact that Google was even able to find them in the first place imply a deep security problem?
Unless Google found the wallets from data Chrome sent back...
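An added example, not code from the thread, from Instawallet or from Paymium, tied to two points raised above: cho's remark in #13 that a properly configured robots.txt would have avoided the indexing, and spunit262's question in #20 of how Google found the wallet URLs at all. The first function answers the second question from the evidence a service actually holds, its access log: it lists crawler requests to the wallet path together with the Referer that led the crawler there. The rest checks the robots.txt rule and the response headers a page whose URL is itself the secret should carry. The log lines, the /w/ path prefix, the robots.txt text and the header values are constructed for illustration; nothing about Instawallet's real layout is on the page. Two caveats a practitioner would add: robots.txt only advises well-behaved crawlers and cannot remove a URL that is already linked somewhere, and Google documents that a noindex directive is only seen if the crawler is allowed to fetch the page, so a Disallow rule and a noindex header on the same path pull against each other. None of this substitutes for keeping the secret out of the URL.

```python
"""Added example (not from the thread, Instawallet or Paymium). Two checks that follow
from the discussion: which crawler fetched which secret wallet URL, and from where; and
whether a capability-URL page carries the robots.txt rule and response headers that keep
it out of an index. Paths, log lines and header values are constructed for illustration."""

import re
from urllib.robotparser import RobotFileParser

WALLET_PREFIX = "/w/"  # hypothetical secret-URL prefix; the real layout is not on the page

# Constructed Combined Log Format lines: two crawler hits on wallet URLs, one human visit,
# one crawler hit on a public page. The first hit carries a Referer, i.e. the page whose
# link exposed the wallet URL to the crawler.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Mar/2013:10:01:12 +0000] "GET /w/f3a9c2b1e4d5 HTTP/1.1" 200 1834 "http://forum.example/t/123" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.4 - - [26/Mar/2013:10:02:30 +0000] "GET /w/f3a9c2b1e4d5 HTTP/1.1" 200 1834 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/25.0"
203.0.113.7 - - [26/Mar/2013:10:03:05 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [26/Mar/2013:10:04:44 +0000] "GET /w/0c77ee19ab42 HTTP/1.1" 200 1790 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent is self-reported; before trusting a claimed Googlebot, confirm the source IP
# by reverse DNS as Google documents. The pattern only selects candidates for review.
CRAWLER_UA = re.compile(r"googlebot|bingbot|yandex|baiduspider|duckduckbot", re.I)


def crawler_hits_on_wallets(log_text, prefix=WALLET_PREFIX):
    """Return (path, user_agent, referer) for each crawler request under prefix.

    The Referer answers "how did the crawler find it": a link on some other page, or
    "-" when the crawler arrived with none (a sitemap, a submitted URL, or a suppressed
    Referer)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["path"].startswith(prefix) and CRAWLER_UA.search(m["ua"]):
            hits.append((m["path"], m["ua"], m["referer"]))
    return hits


# Directives a page whose URL is the secret should carry in its own response.
# robots.txt is advisory and cannot remove a URL that is already linked elsewhere;
# X-Robots-Tag: noindex is honoured on the fetched response, Referrer-Policy stops the
# browser sending the wallet URL to whatever the page links to, and no-store keeps it out
# of shared caches. Google documents that noindex is only seen if the crawler may fetch
# the page, so a robots.txt Disallow on the same path works against it.
REQUIRED_HEADERS = {
    "X-Robots-Tag": ("noindex", "nofollow"),
    "Referrer-Policy": ("no-referrer",),
    "Cache-Control": ("no-store",),
}

WEAK_HEADERS = {"Content-Type": "text/html"}  # constructed: what a default page sends
HARDENED_HEADERS = {  # constructed: the same page with the directives above
    "Content-Type": "text/html",
    "X-Robots-Tag": "noindex, nofollow",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


def missing_protections(headers):
    """Return the 'Header: directive' pairs from REQUIRED_HEADERS absent in headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = []
    for name, directives in REQUIRED_HEADERS.items():
        tokens = {t.strip().lower() for t in lowered.get(name.lower(), "").split(",")}
        missing.extend(f"{name}: {d}" for d in directives if d not in tokens)
    return missing


ROBOTS_TXT = "User-agent: *\nDisallow: /w/\n"  # constructed rule for the wallet prefix


def robots_blocks(robots_txt, url, user_agent="Googlebot"):
    """True if robots_txt forbids user_agent from fetching url (advisory only)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(user_agent, url)


if __name__ == "__main__":
    for path, ua, referer in crawler_hits_on_wallets(SAMPLE_LOG):
        print(f"crawler hit {path} via {referer!r}: {ua}")
    print("weak page missing:", missing_protections(WEAK_HEADERS))
    print("hardened page missing:", missing_protections(HARDENED_HEADERS))
    print("robots.txt blocks /w/...:", robots_blocks(ROBOTS_TXT, "/w/f3a9c2b1e4d5"))
```

Run against a real access log, the interesting output is the Referer column: it is the difference between "a crawler guessed nothing and followed a link someone published" and "a crawler found the URLs through something we served ourselves", and it decides whether the fix is on the wallet page or on whatever listed it.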