Open Letter to Instawallet

[Technomage]

Well, I don't know what the issue was with Instawallet, but even with Easywallet you can find a lot of wallets from Google. But they are not user wallets. Google robots can make as many wallets as they want but they won't contain anything.

If there was indeed a leak of user wallets, that is a serious issue to say the least.

[1715285397]

1715285397

[1715285397]

1715285397

[1715285397]

1715285397

[1715285397]

1715285397

[the founder]

Well, I don't know what the issue was with Instawallet, but even with Easywallet you can find a lot of wallets from Google. But they are not user wallets. Google robots can make as many wallets as they want but they won't contain anything.

If there was indeed a leak of user wallets, that is a serious issue to say the least.

There were coins in those wallets.   If someone less than honorable found that they could have easily yesterday cleared off $10,000 worth of bitcoins in a few minutes flat.

[Cryptoman]

My understanding of the https protocol is that only the host name is visible to an attacker.  Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

[the founder]

My understanding of the https protocol is that only the host name is visible to an attacker.  Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

I don't think it's a good idea to lay out how I fixed instawallet's problem,  but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.

[matt4054]

The entire no-security concept of Instawallet seems broken by design.

Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.

Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.

As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.

That said, I can neither believe they didn't put the robots.txt from the very start, now they seem to have gone so far as to render their very homepage (https) unaccessible to Google!

As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.

[WikileaksDude]

i knew about this for for ages...

just google:  site:instawallet.org w

And you would get all the public urls...

Most urls were empty anyway.

[mccorvic]

One time in the early 90s my dad's car phone was stolen and he put up flyers saying "reward". He didn't reward the guy who brought it back.  So, there's that.

[koin]

I would have been happy with a thank you,  if extorting them is wondering why I never got thanked then I take issue with your definition of extortion.

if that just happened maybe they were still investigating.   for instance, if a person knows how to get google to explicitly index an url, then maybe that person could make it look like a security vulnerability exists by creating and funding some wallets then asking instawallet for a reward for "discovering" it -- when no legitimate customer funds were at risk.

so you might be jumping to a conclusion.

[momagic]

Asking Google not to crawl sensitive pages is a basic foundation of privacy.

[gbl08ma]

When I was halfway through reading your thread about it yesterday, and reading about "100 BTC maximum", Instawallet came to my mind, but the only thing I thought that could be exploitable was something like the form to send Bitcoins out of the wallet, or the API (which is very simple). It never occurred to me that it could be something so simple as Google indexing.
At the same time it makes me wonder; who would post loaded wallet URLs on a place Google could access (because search engines don't guess URLs)? Or should the question be the other way around: is Google getting URLs to scan from places other than web pages (e.g. Google Chat, Chrome...)?
Thanks for discovering googling the issue. It would be great if everyone followed your example.

[bg002h]

That trick works on easywallet too. Hope you're as rich as I am.

[Deth]

That`s fun The mistake thing, not the situation it caused...nope, both are fun
According to what has been said, mistake was stupid, so I guess it was connected with referrer flaw - there was an external resource on page or link to some google service.

[mccoyspace]

Wow, over 900 wallets exposed at easywallet using the same trick....!

I haven't used those online wallets before. Are they just supposed to be for quick, in-and-out kinds of transactions?

[b¡tco¡n]

LOL!  

Robots.txt is not for security. It is for obscurity!

This attack will happen sooner or later, google or no google.  

It is too easy if you just need a URL

[dave111223]

The entire no-security concept of Instawallet seems broken by design.

Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.

Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.

As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.

That said, I can neither believe they didn't put the robots.txt from the very start, now they seem to have gone so far as to render their very homepage (https) unaccessible to Google!

As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.

I think you hit the nail on the head.  Your browser history/bookmarks are not considered "secret" and plugins may be able to access it.  Once a less than honorable plugin has your history data they can just scan it for "instawallet" and report back all your wallets.

I'm guessing these URLs were gathered from Google chrome data collection.

They really need to stick a password on wallets.

[auzaar]

is instawallet really that bad?

here is my wallet

https://instawallet.org/w/youcanputanyrandomkeyandddosthemcool

[auzaar]

they also say they have 3,465,851 wallets, now that is huge

[Parazyd]

This shit really happened? 

[nyusternie]

My understanding of the https protocol is that only the host name is visible to an attacker.  Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

I don't think it's a good idea to lay out how I fixed instawallet's problem,  but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.

considering your good intentions in working with the team at instawallet to fix their problem, don't you think it would also be a good idea to proactively help others avoid making the same mistakes? i don't want to make any assumptions as to why they neglected to offer so much as a thank you, but this news is disturbing to myself and i'm sure others as to what google (bing, yahoo, etc) are doing behind the curtain that could be exposing this community to security risks.

i'd actually be much more interested in the cause than the fix anyway.

[Parazyd]

Users can't protect from that.
Google indexed 3k wallets. You could see them just by typing site:instawallet.org

No, I didn't steal anything and yes, Google removed the links.