Instawallet/Bitcoin-Central Security Breach

[Injust]

Message on their site:

Down for Maintenance
We have detected a security breach. Services are temporarily suspended until we have thoroughly investigated the situation. We will resume services as soon as possible.

Please do not send funds to your address for the time being.

Stay tuned for further updates, thank you for your understanding.

What do you think?

[1714325171]

1714325171

[1714325171]

1714325171

[the founder]

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

https://bitcointalk.org/index.php?topic=159673.0

However the bug I found only impacted about 3000 of their clients and roughly 100 bitcoins max,  what's showing up on that screen is something bigger (at least big enough to shut down the whole freaking site)  and most likely unrelated,  because mine was just that Google was listing people's wallets....  and they banned it in Google Webmaster tools, so that issue is resolved...   that notice though is all sorts of red flags..

[Injust]

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

https://bitcointalk.org/index.php?topic=159673.0

However the bug I found only impacted about 3000 of their clients,  what's showing up on that screen is something bigger and most likely unrelated,  because mine was just that Google was listing people's wallets....  and they banned it in Google Webmaster tools, so that issue is resolved...   that notice though is all sorts of red flags..

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it

[the founder]

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it

LOL I hope your kidding right?  Robots.Txt wasn't the problem ...    Google lists your stuff even with robots.txt ban...  you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your urls regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all.

see under each url there is a "a description not available due to robots.txt"  but they still listed the freaking urls.

[molecular]

I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0

[Injust]

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it

LOL I hope your kidding right?  Robots.Txt wasn't the problem ...    Google lists your stuff even with robots.txt ban...  you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your urls regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all.

see under each url there is a "a description not available due to robots.txt"  but they still listed the freaking urls.

AFAIK, that's behind the configuration of the robots.txt file. It should be capable of being configured so that the Google bot doesn't even visit the domain

[Injust]

I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0

The maintenance notice is identical. This suggests the same team is running both.

And yes, it IS the same team.

[moni3z]

I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0

yep, and instawire.org which disappeared
for a while it was showing an error page with a list of all their directories. saw a lot of ruby gems there not good, anybody remember the insecure gems fiasco a few months ago?

[steelboy]

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it

LOL I hope your kidding right?  Robots.Txt wasn't the problem ...    Google lists your stuff even with robots.txt ban...  you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your urls regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all.

I don't understand any of this robots stuff :/

Basically, was the problem you uncovered something that could see urls then?

I only ever check my instawallet through tor.

I am a little worried at the moment, should I just chill out?

[Injust]

I just hope that Instawallet has a backup of how many Bitcoins belong to how many people and each URL
I have only BTC0.012, but that's a lot to me Considering that I'm a faucet loiterer and penny dust collector

[molecular]

this doesn't sound good at all.

[steelboy]

this doesn't sound good at all.

Literally shitting myself

[mccorvic]

I am a little worried at the moment, should I just chill out?

Too early to tell, but either way the lesson will be "trust no one to hold your coins".

[steelboy]

But there were 3.5million wallets. Is it just limited to 3000?

[Injust]

I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0

The maintenance notice is identical. This suggests the same team is running both.


Injust, the solution to this problem is not robots.txt. The solution is not using URLs as private keys in the first place.

Well, I guess that Instawallet's way of doing things was for convenience, rather than security.
Not that security isn't important, but still.

[mccorvic]

But there were 3.5million wallets. Is it just limited to 3000?

We don't know if the problem is related to that, or another problem entirely.  We don't know if coins were stolen, lost, looked at, fondled, or licked.  Just have to wait for official statements at this point.

[Injust]

If this is davout's kind of an April Fools' joke, I'm never using Instawallet again.
Promise.

[moni3z]

I don't use instawallet anyways. If you want quick transactions download Electrum client, or just use the regular ol' Bitcoin-qt because we all learned our lesson from mybitcoin right

[dree12]

But there were 3.5million wallets. Is it just limited to 3000?

We don't know if the problem is related to that, or another problem entirely.  We don't know if coins were stolen, lost, looked at, fondled, or licked.  Just have to wait for official statements at this point.

We know that they think that it is ok to have authorization information in clear text in URL to allow access to financial accounts. This tells you all you need to know. Whomever runs it has no clue.

The system would be perfectly secure if not for Google Chrome.

[bitcoinnix]

Literally shitting myself

Literally?