Bitcoin Forum
Author Topic: Open Letter to Instawallet  (Read 7801 times)
Technomage
March 27, 2013, 08:26:16 PM
 #21

Well, I don't know what the issue was with Instawallet, but even with Easywallet you can find a lot of wallets from Google. But they are not user wallets. Google robots can make as many wallets as they want but they won't contain anything.

If there was indeed a leak of user wallets, that is a serious issue to say the least.

Denarium closing sale discounts now up to 43%! Check out our products from here!
the founder (OP)
March 27, 2013, 08:37:15 PM
 #22

> Well, I don't know what the issue was with Instawallet, but even with Easywallet you can find a lot of wallets from Google. But they are not user wallets. Google robots can make as many wallets as they want but they won't contain anything.
>
> If there was indeed a leak of user wallets, that is a serious issue to say the least.

There were coins in those wallets. If someone less than honorable found that they could have easily yesterday cleared off $10,000 worth of bitcoins in a few minutes flat.


Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
Cryptoman
March 27, 2013, 08:56:49 PM
 #23

My understanding of the https protocol is that only the host name is visible to an attacker.  Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

"A small body of determined spirits fired by an unquenchable faith in their mission can alter the course of history." --Gandhi
the founder (OP)
March 27, 2013, 08:58:58 PM
 #24

> My understanding of the https protocol is that only the host name is visible to an attacker. Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

I don't think it's a good idea to lay out how I fixed instawallet's problem, but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
matt4054
March 27, 2013, 09:19:30 PM
 #25

The entire no-security concept of Instawallet seems broken by design.

Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.

Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.

As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.

That said, I can neither believe they didn't put the robots.txt from the very start, now they seem to have gone so far as to render their very homepage (https) unaccessible to Google!

As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.
WikileaksDude
March 27, 2013, 09:57:45 PM
 #26

i knew about this for ages...

just google:  site:instawallet.org w

And you would get all the public urls...

Most urls were empty anyway.
mccorvic
March 27, 2013, 10:07:49 PM
 #27

One time in the early 90s my dad's car phone was stolen and he put up flyers saying "reward". He didn't reward the guy who brought it back.  So, there's that.

Offering Video/Audio Editing Services since 2011 - https://bitcointalk.org/index.php?topic=77932.0
koin
March 27, 2013, 10:25:04 PM
 #28

> I would have been happy with a thank you, if extorting them is wondering why I never got thanked then I take issue with your definition of extortion.

if that just happened maybe they were still investigating.   for instance, if a person knows how to get google to explicitly index an url, then maybe that person could make it look like a security vulnerability exists by creating and funding some wallets then asking instawallet for a reward for "discovering" it -- when no legitimate customer funds were at risk.

so you might be jumping to a conclusion.
momagic
March 27, 2013, 10:48:29 PM
 #29

Asking Google not to crawl sensitive pages is a basic foundation of privacy.
gbl08ma
March 27, 2013, 11:12:26 PM
 #30

When I was halfway through reading your thread about it yesterday, and reading about "100 BTC maximum", Instawallet came to my mind, but the only thing I thought that could be exploitable was something like the form to send Bitcoins out of the wallet, or the API (which is very simple). It never occurred to me that it could be something so simple as Google indexing.
At the same time it makes me wonder; who would post loaded wallet URLs on a place Google could access (because search engines don't guess URLs)? Or should the question be the other way around: is Google getting URLs to scan from places other than web pages (e.g. Google Chat, Chrome...)?
Thanks for discovering googling the issue. It would be great if everyone followed your example.

bg002h
March 28, 2013, 01:25:11 AM
 #31

That trick works on easywallet too. Hope you're as rich as I am.

Hardforks aren't that hard. It’s getting others to use them that's hard.
1GCDzqmX2Cf513E8NeThNHxiYEivU1Chhe
Deth
March 28, 2013, 02:05:47 AM
 #32

That's fun Smiley The mistake thing, not the situation it caused...nope, both are fun Smiley
According to what has been said, mistake was stupid, so I guess it was connected with referrer flaw - there was an external resource on page or link to some google service.
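
Added example, not part of any post in this thread and not Instawallet's code: a small audit of a page whose URL is its only credential, covering the two server-side leak channels raised above (search indexing, and the Referer hypothesis in Deth's post). `wallet.example`, the token and both sample responses are constructed placeholders; the browser-history and extension channel matt4054 describes is outside what response headers can control.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Referrer-Policy values that keep the URL path out of cross-site Referer headers.
PATH_SAFE = {"no-referrer", "origin", "strict-origin", "same-origin",
             "origin-when-cross-origin", "strict-origin-when-cross-origin"}

class PageScan(HTMLParser):
    """Collect off-site hosts referenced by the page and its <meta> policies."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.external, self.meta = own_host, set(), {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        if tag == "meta" and name in ("robots", "referrer"):
            self.meta[name] = (a.get("content") or "").lower()
        for key in ("src", "href"):
            host = urlparse(a.get(key) or "").hostname  # None for relative URLs
            if host and host != self.own_host:
                self.external.add(host)

def audit_secret_url_page(url, headers, html):
    """Return leak findings for a page whose URL is its only credential."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    scan = PageScan(urlparse(url).hostname)
    scan.feed(html)
    findings = []
    robots = h.get("x-robots-tag", "") + " " + scan.meta.get("robots", "")
    if "noindex" not in robots and "none" not in robots:
        findings.append("indexable: no noindex directive in header or <meta>")
    policy = h.get("referrer-policy") or scan.meta.get("referrer", "")
    if scan.external and policy.strip() not in PATH_SAFE:
        # Without an explicit policy the result depends on the browser default;
        # browsers of the thread's era sent the full URL to other HTTPS sites.
        findings.append("referer: path may reach " + ", ".join(sorted(scan.external)))
    return findings

# Constructed sample: wallet.example and the token are placeholders.
URL = "https://wallet.example/w/CONSTRUCTED-TOKEN"
WEAK = ({"Content-Type": "text/html"},
        '<script src="https://stats.example/t.js"></script><a href="/help">help</a>')
HARDENED = ({"X-Robots-Tag": "noindex, nofollow", "Referrer-Policy": "no-referrer"},
            WEAK[1])

if __name__ == "__main__":
    for label, (hdrs, body) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_secret_url_page(URL, hdrs, body))
```

An empty result only means these two channels are closed; the URL still works as a bearer credential for anyone who obtains it another way.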

mccoyspace
March 28, 2013, 03:06:30 AM
 #33

Wow, over 900 wallets exposed at easywallet using the same trick....!

I haven't used those online wallets before. Are they just supposed to be for quick, in-and-out kinds of transactions?
b¡tco¡n
March 28, 2013, 03:50:53 AM
 #34

LOL!  Cheesy

Robots.txt is not for security. It is for obscurity!

This attack will happen sooner or later, google or no google.  Roll Eyes

It is too easy if you just need a URL


1GiB1jQnqjwmNW4U4i8autnnVb1fG8HTYM

This would be my avatar; http://s9.postimg.org/m2pzsiy57/avi.png
dave111223
March 28, 2013, 03:57:45 AM
 #35

> The entire no-security concept of Instawallet seems broken by design.
>
> Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.
>
> Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.
>
> As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.
>
> That said, I can neither believe they didn't put the robots.txt from the very start, now they seem to have gone so far as to render their very homepage (https) unaccessible to Google!
>
> As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.

I think you hit the nail on the head.  Your browser history/bookmarks are not considered "secret" and plugins may be able to access it.  Once a less than honorable plugin has your history data they can just scan it for "instawallet" and report back all your wallets.

I'm guessing these URLs were gathered from Google chrome data collection.

They really need to stick a password on wallets.
auzaar
March 28, 2013, 05:54:36 AM
 #36

is instawallet really that bad?

here is my wallet Smiley

https://instawallet.org/w/youcanputanyrandomkeyandddosthemcool
auzaar
March 28, 2013, 06:07:55 AM
 #37

they also say they have 3,465,851 wallets, now that is huge
Parazyd
March 28, 2013, 06:20:56 AM
 #38

This shit really happened?  Shocked
nyusternie
March 28, 2013, 02:25:21 PM
 #39

> > My understanding of the https protocol is that only the host name is visible to an attacker. Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.
>
> I don't think it's a good idea to lay out how I fixed instawallet's problem, but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.


considering your good intentions in working with the team at instawallet to fix their problem, don't you think it would also be a good idea to proactively help others avoid making the same mistakes? i don't want to make any assumptions as to why they neglected to offer so much as a thank you, but this news is disturbing to myself and i'm sure others as to what google (bing, yahoo, etc) are doing behind the curtain that could be exposing this community to security risks.

i'd actually be much more interested in the cause than the fix anyway.

1SDoTrAWQnbJ2ZHvLs3a2XxazqNSishn1
GPG A1638B57 | OTC nyusternie
Parazyd
March 28, 2013, 03:06:37 PM
 #40

Users can't protect from that.
Google indexed 3k wallets. You could see them just by typing site:instawallet.org

No, I didn't steal anything and yes, Google removed the links.