Bitcoin Forum
April 19, 2014, 04:20:54 AM *
News: Due to the OpenSSL heartbleed bug, changing your forum password is recommended.
 
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 40026 times)
Injust (Sr. Member, Activity: 448)
April 01, 2013, 06:49:55 PM  #1

Message on their site:

Quote
Down for Maintenance
We have detected a security breach. Services are temporarily suspended until we have thoroughly investigated the situation. We will resume services as soon as possible.

Please do not send funds to your address for the time being.

Stay tuned for further updates, thank you for your understanding.

What do you think?

the founder (Sr. Member, Activity: 448)
April 01, 2013, 07:04:21 PM  #2

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

https://bitcointalk.org/index.php?topic=159673.0

However the bug I found only impacted about 3000 of their clients and roughly 100 bitcoins max,  what's showing up on that screen is something bigger (at least big enough to shut down the whole freaking site)  and most likely unrelated,  because mine was just that Google was listing people's wallets....  and they banned it in Google Webmaster tools, so that issue is resolved...   that notice though is all sorts of red flags..

Injust (Sr. Member, Activity: 448)
April 01, 2013, 07:08:19 PM  #3

Quote from: the founder
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

https://bitcointalk.org/index.php?topic=159673.0

However the bug I found only impacted about 3000 of their clients,  what's showing up on that screen is something bigger and most likely unrelated,  because mine was just that Google was listing people's wallets....  and they banned it in Google Webmaster tools, so that issue is resolved...   that notice though is all sorts of red flags..

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)

the founder (Sr. Member, Activity: 448)
April 01, 2013, 07:09:19 PM  #4


Quote from: Injust
Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)

LOL I hope you're kidding, right?  Robots.txt wasn't the problem ...    Google lists your stuff even with a robots.txt ban...  you have to ban it in Webmaster Tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your URLs regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that a robots.txt ban means don't list the URLs... which is not the case at all.

See under each URL there is "a description not available due to robots.txt"  but they still listed the freaking URLs.

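The robots.txt versus listing point in the post above is worth pinning down, because the two mechanisms do different things. A `Disallow` rule tells a well-behaved crawler not to fetch a path; it does not tell the index to forget a URL it learned from a link somewhere else, which is exactly the "description not available due to robots.txt" entry the founder describes. Keeping a URL out of the index needs a `noindex` directive (an `X-Robots-Tag` response header or a meta tag), and a crawler can only see that directive on a page it is allowed to fetch, so a blanket `Disallow` actually defeats it; the Webmaster Tools removal the founder used is the out-of-band route. The Python below is an added example, not code from the thread or from Instawallet: the robots.txt text, the `/w/` path prefix and the header set are constructed for illustration, and `indexing_outcome` is a deliberately simplified model of an indexer that already knows the URL from an external link.

```python
"""Added example: robots.txt Disallow versus noindex for a secret URL.
Not code from Instawallet or from the thread; all inputs are constructed."""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt of the kind a site might add after such a report.
# Assumption: wallet pages live under /w/ (illustrative prefix only).
ROBOTS_TXT = """User-agent: *
Disallow: /w/
"""


def crawler_may_fetch(robots_txt: str, path: str, agent: str = "Googlebot") -> bool:
    """True if the robots.txt text permits `agent` to fetch `path`.
    An empty robots.txt permits everything."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, path)


def hardened_headers() -> dict:
    """Response headers for a page whose URL is itself the credential.
    These only take effect on a page the crawler is allowed to fetch."""
    return {
        # Tell indexers not to list, follow or cache the URL they just fetched.
        "X-Robots-Tag": "noindex, nofollow, noarchive",
        # Do not hand this URL to other sites as the Referer when the page links out.
        "Referrer-Policy": "no-referrer",
        # Keep the page out of shared caches.
        "Cache-Control": "no-store, private",
    }


def indexing_outcome(robots_txt: str, path: str, headers: dict) -> str:
    """Simplified model of an indexer that learned `path` from an external link.
    Returns one of:
      'listed-url-only' - fetch blocked by robots.txt; the bare URL can still be
                          shown ("description not available due to robots.txt")
      'indexed'         - fetched, no noindex directive seen
      'not-indexed'     - fetched and told not to index
    """
    if not crawler_may_fetch(robots_txt, path):
        return "listed-url-only"
    tag = headers.get("X-Robots-Tag", "").lower()
    if "noindex" in tag:
        return "not-indexed"
    return "indexed"


if __name__ == "__main__":
    secret_path = "/w/a1b2c3d4"  # constructed wallet path
    print("Disallow + noindex header:", indexing_outcome(ROBOTS_TXT, secret_path, hardened_headers()))
    print("no robots.txt + noindex header:", indexing_outcome("", secret_path, hardened_headers()))
    print("no robots.txt, no headers:", indexing_outcome("", secret_path, {}))
```

The middle case is the one to notice: with the `Disallow` in place the `noindex` header is never read, and the model returns `listed-url-only`, which is the listing the founder saw. Dropping the `Disallow` and sending `noindex` gets the URL out of the index; neither fixes the underlying problem that the URL is the secret.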
molecular (Donator, Hero Member, Activity: 1190)
April 01, 2013, 07:12:44 PM  #5

I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0

Injust (Sr. Member, Activity: 448)
April 01, 2013, 07:14:11 PM  #6


Quote from: Injust
Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)

Quote from: the founder
LOL I hope you're kidding, right?  Robots.txt wasn't the problem ...    Google lists your stuff even with a robots.txt ban...  you have to ban it in Webmaster Tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your URLs regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that a robots.txt ban means don't list the URLs... which is not the case at all.

See under each URL there is "a description not available due to robots.txt"  but they still listed the freaking URLs.

AFAIK, that's behind the configuration of the robots.txt file. It should be capable of being configured so that the Google bot doesn't even visit the domain :P

Injust (Sr. Member, Activity: 448)
April 01, 2013, 07:14:43 PM  #7

Quote from: molecular
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0


The maintenance notice is identical. This suggests the same team is running both.

And yes, it IS the same team.

moni3z (Sr. Member, Activity: 448)
April 01, 2013, 07:15:03 PM  #8

Quote from: molecular
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0


Yep, and instawire.org, which disappeared.
For a while it was showing an error page with a list of all their directories. Saw a lot of Ruby gems there, not good. Anybody remember the insecure gems fiasco a few months ago?

steelboy (Sr. Member, Activity: 350)
April 01, 2013, 07:16:54 PM  #9


Quote from: Injust
Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)

Quote from: the founder
LOL I hope you're kidding, right?  Robots.txt wasn't the problem ...    Google lists your stuff even with a robots.txt ban...  you have to ban it in Webmaster Tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your URLs regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that a robots.txt ban means don't list the URLs... which is not the case at all.

I don't understand any of this robots stuff :/

Basically, was the problem you uncovered something that could see urls then?

I only ever check my instawallet through tor.

I am a little worried at the moment, should I just chill out?

Injust (Sr. Member, Activity: 448)
April 01, 2013, 07:17:43 PM  #10

I just hope that Instawallet has a backup of how many Bitcoins belong to how many people and each URL :P
I have only BTC0.012, but that's a lot to me :P Considering that I'm a faucet loiterer and penny dust collector :D

molecular (Donator, Hero Member, Activity: 1190)
April 01, 2013, 07:18:20 PM  #11

this doesn't sound good at all.

steelboy (Sr. Member, Activity: 350)
April 01, 2013, 07:19:32 PM  #12

Quote from: molecular
this doesn't sound good at all.

Literally shitting myself

mccorvic (Hero Member, Activity: 504)
April 01, 2013, 07:19:51 PM  #13

Quote from: steelboy
I am a little worried at the moment, should I just chill out?

Too early to tell, but either way the lesson will be "trust no one to hold your coins".

steelboy (Sr. Member, Activity: 350)
April 01, 2013, 07:21:37 PM  #14

But there were 3.5 million wallets. Is it just limited to 3000?

Injust (Sr. Member, Activity: 448)
April 01, 2013, 07:21:40 PM  #15

Quote from: molecular
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0

Quote from: Injust
The maintenance notice is identical. This suggests the same team is running both.

Quote
Injust, the solution to this problem is not robots.txt. The solution is not using URLs as private keys in the first place.


Well, I guess that Instawallet's way of doing things was for convenience, rather than security.
Not that security isn't important, but still.

mccorvic (Hero Member, Activity: 504)
April 01, 2013, 07:22:47 PM  #16

Quote from: steelboy
But there were 3.5 million wallets. Is it just limited to 3000?

We don't know if the problem is related to that, or another problem entirely.  We don't know if coins were stolen, lost, looked at, fondled, or licked.  Just have to wait for official statements at this point.

Injust (Sr. Member, Activity: 448)
April 01, 2013, 07:24:49 PM  #17

If this is davout's kind of an April Fools' joke, I'm never using Instawallet again.
Promise.

moni3z (Sr. Member, Activity: 448)
April 01, 2013, 07:27:08 PM  #18

I don't use instawallet anyway. If you want quick transactions download the Electrum client, or just use the regular ol' Bitcoin-qt, because we all learned our lesson from mybitcoin, right?

dree12 (Hero Member, Activity: 994)
April 01, 2013, 07:27:15 PM  #19

Quote from: steelboy
But there were 3.5 million wallets. Is it just limited to 3000?

Quote from: mccorvic
We don't know if the problem is related to that, or another problem entirely.  We don't know if coins were stolen, lost, looked at, fondled, or licked.  Just have to wait for official statements at this point.

Quote
We know that they think that it is ok to have authorization information in clear text in URL to allow access to financial accounts. This tells you all you need to know. Whomever runs it has no clue.


The system would be perfectly secure if not for Google Chrome.
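The objection quoted in dree12's post is about where a URL ends up when the URL is the credential. Two channels need no attacker at all: the request line that every server, proxy and CDN writes to its access log, and the Referer header a browser attaches when the page links out to another site. The added example below (not from the thread, from Instawallet or from any browser's source) models both with the standard library. It assumes that, absent a Referrer-Policy, the browser sends the full URL as Referer (the `unsafe-url` behaviour, which is what browsers of the period did for https-to-https navigation); the `no-referrer` and `strict-origin-when-cross-origin` branches follow the current Referrer Policy spec for https pages. It also shows the one transport change that closes both channels, carrying the secret in the URL fragment, which per RFC 3986 is never sent to the server. The wallet host, paths, outbound link and token are constructed. What this does not fix: the fragment still sits in the address bar and in browser history, and the page's own script then has to send the secret in a request body or header, so the design concern in the quote stands.

```python
"""Added example, not code from the thread or from Instawallet: leak channels
for a secret carried in a URL, modelled with urllib.parse only."""
from urllib.parse import urlsplit

# Constructed values; the host, path prefix, token and outbound link are illustrative.
SECRET = "Zx9kQ2pLm4Rt8Vw"
PATH_URL = f"https://wallet.example/w/{SECRET}"   # secret in the path
FRAG_URL = f"https://wallet.example/#{SECRET}"    # secret in the fragment
OUTBOUND = "https://blockexplorer.example/"       # a link on the wallet page


def request_target(url: str) -> str:
    """What the browser puts in the request line: path plus query.
    The fragment is never transmitted (RFC 3986 section 3.5), so it also
    never reaches access logs on the server or any proxy in between."""
    p = urlsplit(url)
    return p.path + (f"?{p.query}" if p.query else "")


def referer_sent(page_url: str, link_url: str, policy: str) -> str:
    """Referer header sent when following link_url from page_url.
    Models three Referrer-Policy values; the fragment is always stripped.
    Assumes both pages are https (no downgrade case)."""
    page, link = urlsplit(page_url), urlsplit(link_url)
    stripped = page_url.split("#", 1)[0]
    if policy == "no-referrer":
        return ""
    if policy == "unsafe-url":
        return stripped
    if policy == "strict-origin-when-cross-origin":
        same_origin = (page.scheme, page.netloc) == (link.scheme, link.netloc)
        return stripped if same_origin else f"{page.scheme}://{page.netloc}/"
    raise ValueError(f"policy not modelled: {policy}")


def exposures(wallet_url: str, outbound: str, policy: str) -> dict:
    """Per channel, the string that channel gets to see."""
    return {
        "server_access_log": request_target(wallet_url),
        "referer_to_third_party": referer_sent(wallet_url, outbound, policy),
    }


def secret_reaches(channels: dict, secret: str) -> list:
    """Names of the channels that receive the secret verbatim."""
    return [name for name, seen in channels.items() if secret in seen]


if __name__ == "__main__":
    for url, policy in [(PATH_URL, "unsafe-url"),
                        (PATH_URL, "no-referrer"),
                        (FRAG_URL, "unsafe-url")]:
        print(url, policy, secret_reaches(exposures(url, OUTBOUND, policy), SECRET))
```

Run as written, the path-based URL reaches both channels under the old default, reaches the access log alone once `Referrer-Policy: no-referrer` is set, and the fragment-based URL reaches neither. Nothing here makes a capability URL a good design; it only shows how many places the secret lands by default.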

bitcoinnix (Jr. Member, Activity: 56)
April 01, 2013, 07:28:42 PM  #20

Quote from: steelboy
Literally shitting myself
Literally?
