Bitcoin Forum
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 70312 times)
iCEBREAKER (Hero Member, Activity: 868)
April 02, 2013, 03:53:44 AM  #121

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Who are these stupid sheeple dumbfucks using Chrome?

"Zomg its shiny and new, I better use Chrome to check my Gmail so I have zero privacy and my identity may be stolen by anyone who wants it.  Hurr Durr!!"

The FEMA camps are too good for them...

Legit Altcoin Whitelist:  Litecoin, Primecoin, Monero, Boolberry, Cryptonite, Viacoin, and DarkNote
Legit = Innovative, 100% Proof of Work, 100% open source, 0% premine, and fairly launched
BTC=Gold  LTC=Silver  XMR=Platinum  BBR=Palladium  XPM=Nickel  XCN=Copper  VIA=Zinc  XDN=Aluminium

"Current payment systems simply can’t compete with bitcoin’s fees, security and convenience.  As a currency, no sovereign can match it.  As a payment system, no financial institution can compete with it.  As a distributed network, no government can stop it."     -Chris Horlacher
Severian (Sr. Member, Activity: 476)
April 02, 2013, 04:54:11 AM  #122

Google: Your business is our business.
The-Real-Link (Hero Member, Activity: 530)
April 02, 2013, 05:24:08 AM  #123

I'm surprised that Instawallet wouldn't do any number of adjustments to their code to prevent something that's risk-prone like that from happening.

For example, I do photography with Smugmug.  They randomize every single photo's ending URL at 9 different sizes.  Your gallery name may go into the URL but you (should) have a password for anyone accessing it, and your starting photo URL is still pretty random (not just photo1). 

To think they'd let someone's own password be spelled out right in the URL is pretty shocking if I understand it correctly. 

Oh and yeah, not a fan of Chrome.  I'll use it for Bitcoinity updates since currently my IE is broken with it, and for coding.  Otherwise, nope.  But go figure, my brothers love Gmail though.

Oh Loaded, who art up in Mt. Gox, hallowed be thy name!  Thy dollars rain, thy will be done, on BTCUSD.  Give us this day our daily 10% 30%, and forgive the bears, as we have bought their bitcoins.  And lead us into quadruple digits
caveden (Legendary, Activity: 1106)
April 02, 2013, 06:23:00 AM  #124

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Does the same apply to Chromium?

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
dooglus (Legendary, Activity: 1358)
April 02, 2013, 06:31:31 AM  #125

Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:


jcdf (Newbie, Activity: 14)
April 02, 2013, 06:40:07 AM  #126

I don't think most people realize that when you enter a URL for an HTTPS address such as Instawallet, the part of the URL after instawallet.org is sent as an encrypted string:

https://www.instawallet.org/"encrypted string"

The actual password or whatever is in the URL is not sent as plain text and is not readable by all the hops in between.

Now if Chrome is treating everything entered in the search/URL bar as a search, even a full HTTPS URL, and sending it to Google, that is a serious problem.
caveden (Legendary, Activity: 1106)
April 02, 2013, 08:07:43 AM  #127

Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

Thanks dooglus. Mine was off.

steelboy (Sr. Member, Activity: 476)
April 02, 2013, 09:08:44 AM  #128

So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?
DublinBrian (Full Member, Activity: 197)
April 02, 2013, 10:24:12 AM  #129

For the record, if 3000 people over the course of 2 years e-mail themselves (not anyone else, but themselves) their Instawallet address to their Gmail account for safe keeping... Google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  Hence the problem!

The more I research, the more I believe that some of these Instawallet URLs (not all, but a big number of them) were due to people mailing themselves their OWN URL using Gmail.

Thanks for the warning, Founder. My own experience shows that this security hole does not always lead to bitcoin losses.

I set up an Instawallet for a friend, and put 3 BTC in it. There is no password on the wallet; knowledge of the URL is sufficient for access. I then emailed the wallet URL from my email account to my friend's Gmail account.

My friend has suffered no losses or problems. The wallet was still working fine up to a couple of days ago.


MPOE-PR (Hero Member, Activity: 756)
April 02, 2013, 10:52:47 AM  #130

he can include them in the same block

Ah right you are, it didn't occur to me.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
Atruk (Hero Member, Activity: 700)
April 02, 2013, 11:35:02 AM  #131

So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?

Speculation, but justified.

Chrome is the ultimate spyware

greyhawk (Hero Member, Activity: 840)
April 02, 2013, 11:48:49 AM  #132

Chrome is the ultimate spyware

And I love it for that.

I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you".
Without me doing anything.

Or I look up a restaurant at lunchtime and later at dinnertime I'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder".
Without me doing anything.

Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. You'd better drive this way. Just saying".

Without me doing anything.

It's perfect and exactly what my phone should do.

The lesson here is not: Google is evil.

The lesson is: Security through Obscurity never ever works.

Stop sending me Bitcoins! 1HNLqLrPEwMk8woA91qwX9sRkatRfQik2T
Click here to get hacked
Rampion (Hero Member, Activity: 742)
April 02, 2013, 01:34:43 PM  #133

FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS

PGP KEY - The block size is an intentionally limited economic resource, just like the 21,000,000-bitcoin limit. Changing that vastly degrades the economics surrounding bitcoin, creating many negative incentives. Jeff Garzik.
d5000 (Hero Member, Activity: 700)
April 02, 2013, 01:56:23 PM  #134

Bitcoin-Central about a minute ago again showed me the normal light-blue design, but with an "Internal Server Error". Now they have restored the "Maintainance" message.

Seems they will be up again soon.

steelboy (Sr. Member, Activity: 476)
April 02, 2013, 02:01:08 PM  #135

The waiting is killing me
DublinBrian (Full Member, Activity: 197)
April 02, 2013, 02:37:30 PM  #136

sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.
steelboy (Sr. Member, Activity: 476)
April 02, 2013, 02:38:56 PM  #137

I made two withdrawals from Instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at Instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent, should I be sure to receive it whatever happens with the rest of Instawallet's issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?

Can anyone help with this?
Rampion (Hero Member, Activity: 742)
April 02, 2013, 02:39:32 PM  #138

sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.

Yeah, in this era of short attention spans Instawallet is perfect to have newbie's coins stolen.

Tell your friends to use blockchain.info's My Wallet for their first pennies; it is quite as immediate as Instawallet and much more secure.

Carlos L. (Legendary, Activity: 1064)
April 02, 2013, 02:40:49 PM  #139

If you put a password in a URL on your website, it is not Google's fault. It would be your, and only your, complete and grossly negligent disregard of the most trivial best practices in information security.

Do not blame Google; it is not their fault.

I find it hard to believe that 3000+ Instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created Instawallets?
2) Out of those, how many actually used those Instawallets?
3) Out of those, how many still hold balances in Instawallets?
4) Out of those, how many decided it was a good idea to post their Instawallet URLs on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
https://www.google.com/search?q="instawallet.org%2Fw%2F"

About 29,400 results were found.
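As an added example (not code from the thread, Instawallet or Google), a small Python check covering two points made in this thread: jcdf's note that only the host of an HTTPS URL is visible on the wire while the path is inside TLS, and the leakage of secret-bearing URLs through mail and search indexes that DublinBrian and Carlos L. describe. The sample email text, the token in it and the entropy thresholds are constructed assumptions; the redactor is meant for a defender who wants to strip capability-style URLs from text before it is mailed, logged or indexed.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not from the thread): an email body carrying a
# hypothetical capability URL whose path segment is the only secret.
SAMPLE_TEXT = (
    "Here is my wallet, keep it safe:\n"
    "https://www.instawallet.org/w/k3x9q2m7zp4v8c1n6b5a\n"
    "and the public docs page: https://www.instawallet.org/about\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def shannon_entropy(s):
    """Bits per character of s (how random the segment looks)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def wire_visibility(url):
    """What an on-path observer (ISP, proxy) sees for this URL.

    Over HTTPS the request line (path, query) is inside TLS, so only the
    host leaks via DNS/SNI; the fragment never leaves the browser at all.
    This says nothing about the client itself forwarding the URL elsewhere
    (browser search suggestions, mail, sync), which is a separate channel.
    """
    tls = urlsplit(url).scheme == "https"
    return {"host": True, "path": not tls, "query": not tls, "fragment": False}

def is_capability_url(url, min_len=16, min_entropy=3.5):
    """Heuristic (thresholds are assumptions): a long, high-entropy path
    segment is acting as a password, so the URL must be treated as one."""
    return any(len(seg) >= min_len and shannon_entropy(seg) >= min_entropy
               for seg in urlsplit(url).path.split("/"))

def redact_capability_urls(text):
    """Strip secret path segments before text is mailed, logged or indexed."""
    def sub(m):
        url = m.group(0)
        if not is_capability_url(url):
            return url
        p = urlsplit(url)
        return f"{p.scheme}://{p.netloc}/[REDACTED]"
    return URL_RE.sub(sub, text)

if __name__ == "__main__":
    print(redact_capability_urls(SAMPLE_TEXT))
```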
MPOE-PR (Hero Member, Activity: 756)
April 02, 2013, 02:55:10 PM  #140

FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS

3. Spelling is a lost art.
