Bitcoin Forum
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 39959 times)
iCEBREAKER
April 02, 2013, 03:53:44 AM #121

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Who are these stupid sheeple dumbfucks using Chrome?

"Zomg its shiny and new, I better use Chrome to check my Gmail so I have zero privacy and my identity may be stolen by anyone who wants it.  Hurr Durr!!"

The FEMA camps are too good for them...

"Current payment systems simply can’t compete with bitcoin’s fees, security and convenience.  Why spend hundreds of thousands of dollars on bank fees per year and lose hair as money transfers bounce from bank to bank during a wire transfer sometimes taking days to reach its destination, when it can clear within minutes and for mere pennies?  As a currency, no sovereign can match it.  As a payment system, no financial institution can compete with it.  As a distributed network, no government can stop it."     -Chris Horlacher
Severian
April 02, 2013, 04:54:11 AM #122

Google: Your business is our business.

"The synonym of usury is ruin." -Samuel Johnson
The-Real-Link
April 02, 2013, 05:24:08 AM #123

I'm surprised that Instawallet wouldn't do any number of adjustments to their code to prevent something that's risk-prone like that from happening.

For example, I do photography with Smugmug.  They randomize every single photo's ending URL at 9 different sizes.  Your gallery name may go into the URL but you (should) have a password for anyone accessing it, and your starting photo URL is still pretty random (not just photo1). 

To think they'd let someone's own password be spelled out right in the URL is pretty shocking if I understand it correctly. 

Oh and yeah, not a fan of Chrome.  I'll use it for Bitcoinity updates since currently my IE is broken with it, and for coding.  Otherwise, nope.  But go figure, my brothers love Gmail though.

Oh Loaded, who art up in Mt. Gox, hallowed be thy name!  Thy dollars rain, thy will be done, on BTCUSD.  Give us this day our daily 10% 30%, and forgive the bears, as we have bought their bitcoins.  And lead us into quadruple digits
caveden
April 02, 2013, 06:23:00 AM #124

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Does the same apply to Chromium?

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
dooglus
April 02, 2013, 06:31:31 AM #125

Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:


jcdf
April 02, 2013, 06:40:07 AM #126

I don't think most people realize that when you enter a URL for an HTTPS address such as Instawallet, the part of the URL after instawallet.org is sent as an encrypted string:

https://www.instawallet.org/"encrypted string"

The actual password or whatever is in the URL is not sent as plain text and is not readable by all the hops in between.

Now if Chrome is treating everything entered in the search/URL bar as a search, even a full HTTPS URL, and sending it to Google, that is a serious problem.
caveden
April 02, 2013, 08:07:43 AM #127

Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

Thanks dooglus. Mine was off.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
steelboy
April 02, 2013, 09:08:44 AM #128

So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?
DublinBrian
April 02, 2013, 10:24:12 AM #129

For the record, if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) their Instawallet address to their Gmail account for safekeeping... Google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  Hence the problem!

The more I research, the more I believe that some of these Instawallet URLs (not all, but a big number of them) were due to people mailing themselves their OWN URL using Gmail.

Thanks for the warning, Founder. My own experience shows that this security hole does not always lead to bitcoin losses.

I set up an Instawallet for a friend, and put 3 BTC in it. There is no password on the wallet; knowledge of the URL is sufficient for access. I then emailed the wallet URL from my email account to my friend's Gmail account.

My friend has suffered no losses or problems. The wallet was still working fine up to a couple of days ago.


MPOE-PR
April 02, 2013, 10:52:47 AM #130

he can include them in the same block

Ah right you are, it didn't occur to me.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
Atruk
April 02, 2013, 11:35:02 AM #131

So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?

Speculation, but justified.

Chrome is the ultimate spyware

greyhawk
April 02, 2013, 11:48:49 AM #132


Chrome is the ultimate spyware

And I love it for that.

I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you".
Without me doing anything.

Or I look up a restaurant at lunchtime and later at dinnertime i'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder".
Without me doing anything.

Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. You'd better drive this way. Just saying".

Without me doing anything.

It's perfect and exactly what my phone should do.

The lesson here is not: Google is evil.

The lesson is: Security through Obscurity never, ever works.

Stop sending me Bitcoins! 1HNLqLrPEwMk8woA91qwX9sRkatRfQik2T
Click here to get hacked
Rampion
April 02, 2013, 01:34:43 PM #133

FACTS:

1) Google is evil, and will spy on you in order to have as much information as possible to cash in in the form of advertisements
2) sending your funds to a wallet consisting of a non-password-protected URL is RIDICULOUS

PGP KEY - The block size is an intentionally limited economic resource, just like the 21,000,000-bitcoin limit. Changing that vastly degrades the economics surrounding bitcoin, creating many negative incentives. Jeff Garzik.
d5000
April 02, 2013, 01:56:23 PM #134

Bitcoin-Central about a minute ago again showed me the normal light-blue design, but with an "Internal Server Error". Now they have restored the "Maintainance" message.

Seems they will be up again soon.

Altcoin with a fixed price - Is a stable cryptocurrency possible? - Price stability with "locked" coins?
BTC: 1CJpRm9GWmCbtFkLTcuqioCh1vmVsozGPs | PPC: PSiLBTVf3Hii3ZwW6wL99Cni3167pQdL1S
COMM bounty address: Cakg8N5rijegaK3NzXF5Fc84mqdfmFX13J
COMM receiving address: CbipS2cB9Kq6mriFuax1o5w3RF23LTJ5ez
steelboy
April 02, 2013, 02:01:08 PM #135

The waiting is killing me
DublinBrian
April 02, 2013, 02:37:30 PM #136

sending your funds to a wallet consisting of a non-password-protected URL is RIDICULOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.
steelboy
April 02, 2013, 02:38:56 PM #137

I made two withdrawals from Instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at Instawallet. I wasn't worried, as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent, should I be sure to receive it whatever happens with the rest of Instawallet's issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?

Can anyone help with this?
Rampion
April 02, 2013, 02:39:32 PM #138

sending your funds to a wallet consisting of a non-password-protected URL is RIDICULOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.

Yeah, in this era of short attention spans Instawallet is perfect for having newbies' coins stolen.

Tell your friends to use blockchain.info's My Wallet for their first pennies; it is quite as immediate as Instawallet and much more secure.

PGP KEY - The block size is an intentionally limited economic resource, just like the 21,000,000-bitcoin limit. Changing that vastly degrades the economics surrounding bitcoin, creating many negative incentives. Jeff Garzik.
Carlos L.
April 02, 2013, 02:40:49 PM #139

If you put a password in the URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligible disregard of the most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their Instawallet URLs on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
https://www.google.com/search?q="instawallet.org%2Fw%2F"

About 29,400 results were found.
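Two points raised in this thread are worth turning into something an operator of a URL-as-credential service can actually run: jcdf's observation that HTTPS protects the path of the URL only on the wire (once the string is handed to a search box or an e-mail, that protection is gone), and Carlos L.'s observation that Google will crawl an instawallet.org/w/ URL once it has learned of it. The following is an added example and is not code from the thread, from Instawallet or from Bitcoin-Central. It scans constructed access-log lines for crawler fetches of capability paths and for the token turning up in a Referer header, redacts the token before it reaches an alert or a retained log, and produces the response headers such a page should carry. The /w/<token> path shape is taken from the search query quoted above; the token format, the crawler marker list, the log lines and all function names are assumptions made for the example.

```python
"""Operator-side checks for a service where knowing the URL is the credential.

Added example, not Instawallet's or Bitcoin-Central's code.  The /w/<token>
path shape comes from the thread; token format, crawler names, log lines and
function names are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed capability path: one opaque segment after /w/ is the entire secret.
CAP_PATH_RE = re.compile(r"/w/([A-Za-z0-9_-]{8,})")

# A crawler fetching such a path means the URL has already been exposed
# somewhere public.  Illustrative marker list, not exhaustive.
CRAWLER_UA_MARKERS = ("Googlebot", "bingbot")

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def redact_token(text: str) -> str:
    """Swap each capability token for a short SHA-256 prefix.

    Alerts and retained logs then never hold the secret itself, while the
    stable prefix still lets an analyst correlate repeat hits on one wallet.
    """
    def _sub(m: re.Match) -> str:
        digest = hashlib.sha256(m.group(1).encode()).hexdigest()[:12]
        return f"/w/<tok:{digest}>"
    return CAP_PATH_RE.sub(_sub, text)


@dataclass
class Finding:
    kind: str    # "crawler_hit" or "referer_carries_token"
    ip: str
    detail: str  # already redacted


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag crawler fetches of capability URLs and tokens arriving in Referer."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it, do not abort the scan
        path, ua, referer, ip = m["path"], m["ua"], m["referer"], m["ip"]
        if CAP_PATH_RE.search(path) and any(mk in ua for mk in CRAWLER_UA_MARKERS):
            findings.append(Finding("crawler_hit", ip, redact_token(path)))
        # The wallet page linking to any other resource puts the token in the
        # Referer header.  Seen here for a same-host asset; a third-party asset
        # would hand it to that party's logs the same way, which is why the
        # page needs Referrer-Policy: no-referrer.
        if CAP_PATH_RE.search(referer) and not CAP_PATH_RE.search(path):
            findings.append(Finding("referer_carries_token", ip, redact_token(referer)))
    return findings


def response_headers_for(path: str) -> Dict[str, str]:
    """Standard response headers a capability-URL page should carry.

    Header names are real; the choice to deny indexing, suppress Referer and
    forbid caching is the policy this example applies.
    """
    if not CAP_PATH_RE.search(path):
        return {}
    return {
        "X-Robots-Tag": "noindex, nofollow, noarchive",
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


# Constructed log lines (RFC 5737 test addresses, made-up token).
SAMPLE_LOG = [
    '203.0.113.9 - - [02/Apr/2013:06:40:07 +0000] "GET /w/8f2a9c1d7e6b5a4f HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.4 - - [02/Apr/2013:06:41:10 +0000] "GET /w/8f2a9c1d7e6b5a4f HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Apr/2013:06:41:12 +0000] "GET /static/app.js HTTP/1.1" '
    '200 3310 "https://www.instawallet.org/w/8f2a9c1d7e6b5a4f" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.kind:22} {f.ip:14} {f.detail}")
    print(response_headers_for("/w/8f2a9c1d7e6b5a4f"))
```

The crawler check only tells you after the fact that a URL has leaked; the Referer check and the headers are the part that reduces how often that happens. Neither replaces the fix the thread keeps circling back to, which is not making the URL the only credential in the first place.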
MPOE-PR
April 02, 2013, 02:55:10 PM #140

FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS

3. Spelling is a lost art.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.