Injust (OP)
Legendary
Offline
Activity: 1008
Merit: 1000
April 01, 2013, 06:49:55 PM Last edit: April 01, 2013, 09:01:59 PM by Injust
Message on their site:
Down for Maintenance
We have detected a security breach. Services are temporarily suspended until we have thoroughly investigated the situation. We will resume services as soon as possible.
Please do not send funds to your address for the time being.
Stay tuned for further updates, thank you for your understanding.
What do you think?
the founder
April 01, 2013, 07:04:21 PM
I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything... https://bitcointalk.org/index.php?topic=159673.0 However the bug I found only impacted about 3000 of their clients and roughly 100 bitcoins max, what's showing up on that screen is something bigger (at least big enough to shut down the whole freaking site) and most likely unrelated, because mine was just that Google was listing people's wallets.... and they banned it in Google Webmaster tools, so that issue is resolved... that notice though is all sorts of red flags..
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
Injust (OP)
Legendary
Offline
Activity: 1008
Merit: 1000
April 01, 2013, 07:08:19 PM
I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything... https://bitcointalk.org/index.php?topic=159673.0 However the bug I found only impacted about 3000 of their clients, what's showing up on that screen is something bigger and most likely unrelated, because mine was just that Google was listing people's wallets.... and they banned it in Google Webmaster tools, so that issue is resolved... that notice though is all sorts of red flags..
Yeah, they put a simple robots.txt. Seems strange how long it took them to do that. I think it was already a known issue before you reported it
the founder
April 01, 2013, 07:09:19 PM
Yeah, they put a simple robots.txt. Seems strange how long it took them to do that. I think it was already a known issue before you reported it
LOL I hope you're kidding right? Robots.txt wasn't the problem ... Google lists your stuff even with robots.txt ban... you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me" it doesn't say "don't list me" Google lists your urls regardless of what the robots.txt says. I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all. see under each url there is "a description not available due to robots.txt" but they still listed the freaking urls.
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
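A toy model of the crawl-versus-list distinction the founder is drawing, added here as an example that is not from the thread or from Instawallet: it uses Python's standard robotparser and constructed placeholder wallet URLs under example.invalid, and assumes each URL has already been discovered through a link somewhere else.

```python
from urllib.robotparser import RobotFileParser

UA = "Googlebot"

# Constructed robots.txt, the kind of "simple robots.txt" fix the thread
# mentions: it blocks crawling of everything under /w/.
ROBOTS_DISALLOW = "User-agent: *\nDisallow: /w/\n"
# Constructed alternative that lets the crawler fetch every page.
ROBOTS_ALLOW = "User-agent: *\nDisallow:\n"

def parse_robots(text):
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp

def index_outcome(rp, url, headers):
    """Classify one already-discovered URL as 'listed', 'listed-url-only'
    or 'not-listed'. headers: the response headers the crawler would see
    if it fetched the page (only X-Robots-Tag is examined here)."""
    if not rp.can_fetch(UA, url):
        # Crawl blocked: body and headers are never seen, so a noindex
        # there cannot take effect. The bare URL is still listed, with
        # "description not available due to robots.txt" under it.
        return "listed-url-only"
    if "noindex" in headers.get("X-Robots-Tag", "").lower():
        return "not-listed"
    return "listed"

def audit(robots_txt, pages):
    """pages: {url: response_headers}. Returns {url: outcome}."""
    rp = parse_robots(robots_txt)
    return {u: index_outcome(rp, u, h) for u, h in pages.items()}

# Constructed placeholder wallet URLs (not real Instawallet paths); the
# second one answers with a noindex header, the first with none.
WALLETS = {
    "https://example.invalid/w/wallet-id-1": {},
    "https://example.invalid/w/wallet-id-2": {"X-Robots-Tag": "noindex"},
}

# Disallow alone: both URLs stay listed, noindex or not.
BLOCKED = audit(ROBOTS_DISALLOW, WALLETS)
# Let the crawler in and say noindex: only the noindex page drops out.
ALLOWED = audit(ROBOTS_ALLOW, WALLETS)

if __name__ == "__main__":
    for label, result in (("Disallow only", BLOCKED), ("noindex header", ALLOWED)):
        print(label)
        for url, outcome in result.items():
            print(f"  {outcome:16} {url}")
```

The second run is the part the thread skips over: a noindex directive only works when the crawler is allowed to fetch the page, so combining it with a Disallow for the same path cancels it out.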
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
April 01, 2013, 07:12:44 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
Injust (OP)
Legendary
Offline
Activity: 1008
Merit: 1000
April 01, 2013, 07:14:11 PM
Yeah, they put a simple robots.txt. Seems strange how long it took them to do that. I think it was already a known issue before you reported it
LOL I hope you're kidding right? Robots.txt wasn't the problem ... Google lists your stuff even with robots.txt ban... you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me" it doesn't say "don't list me" Google lists your urls regardless of what the robots.txt says. I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all. see under each url there is "a description not available due to robots.txt" but they still listed the freaking urls.
AFAIK, that's behind the configuration of the robots.txt file. It should be capable of being configured so that the Google bot doesn't even visit the domain
Injust (OP)
Legendary
Offline
Activity: 1008
Merit: 1000
April 01, 2013, 07:14:43 PM
The maintenance notice is identical. This suggests the same team is running both. And yes, it IS the same team.
moni3z
April 01, 2013, 07:15:03 PM
Yep, and instawire.org, which disappeared for a while, was showing an error page with a list of all their directories. Saw a lot of ruby gems there, not good. Anybody remember the insecure gems fiasco a few months ago?
steelboy
April 01, 2013, 07:16:54 PM
Yeah, they put a simple robots.txt. Seems strange how long it took them to do that. I think it was already a known issue before you reported it
LOL I hope you're kidding right? Robots.txt wasn't the problem ... Google lists your stuff even with robots.txt ban... you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me" it doesn't say "don't list me" Google lists your urls regardless of what the robots.txt says. I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all.
I don't understand any of this robots stuff :/ Basically, was the problem you uncovered something that could see urls then? I only ever check my instawallet through tor. I am a little worried at the moment, should I just chill out?
Injust (OP)
Legendary
Offline
Activity: 1008
Merit: 1000
April 01, 2013, 07:17:43 PM
I just hope that Instawallet has a backup of how many Bitcoins belong to how many people and each URL. I have only BTC0.012, but that's a lot to me, considering that I'm a faucet loiterer and penny dust collector.
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
April 01, 2013, 07:18:20 PM
this doesn't sound good at all.
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
steelboy
April 01, 2013, 07:19:32 PM
this doesn't sound good at all.
Literally shitting myself
mccorvic
April 01, 2013, 07:19:51 PM
I am a little worried at the moment, should I just chill out?
Too early to tell, but either way the lesson will be "trust no one to hold your coins".
steelboy
April 01, 2013, 07:21:37 PM
But there were 3.5 million wallets. Is it just limited to 3000?
Injust (OP)
Legendary
Offline
Activity: 1008
Merit: 1000
April 01, 2013, 07:21:40 PM
The maintenance notice is identical. This suggests the same team is running both.
Injust, the solution to this problem is not robots.txt. The solution is not using URLs as private keys in the first place.
Well, I guess that Instawallet's way of doing things was for convenience, rather than security. Not that security isn't important, but still.
mccorvic
April 01, 2013, 07:22:47 PM
But there were 3.5 million wallets. Is it just limited to 3000?
We don't know if the problem is related to that, or another problem entirely. We don't know if coins were stolen, lost, looked at, fondled, or licked. Just have to wait for official statements at this point.
Injust (OP)
Legendary
Offline
Activity: 1008
Merit: 1000
April 01, 2013, 07:24:49 PM
If this is davout's kind of an April Fools' joke, I'm never using Instawallet again. Promise.
moni3z
April 01, 2013, 07:27:08 PM
I don't use instawallet anyways. If you want quick transactions, download the Electrum client, or just use the regular ol' Bitcoin-qt, because we all learned our lesson from mybitcoin, right?
dree12
Legendary
Offline
Activity: 1246
Merit: 1077
April 01, 2013, 07:27:15 PM
But there were 3.5 million wallets. Is it just limited to 3000?
We don't know if the problem is related to that, or another problem entirely. We don't know if coins were stolen, lost, looked at, fondled, or licked. Just have to wait for official statements at this point.
We know that they think that it is ok to have authorization information in clear text in the URL to allow access to financial accounts. This tells you all you need to know. Whoever runs it has no clue. The system would be perfectly secure if not for Google Chrome.
bitcoinnix
Newbie
Offline
Activity: 56
Merit: 0
April 01, 2013, 07:28:42 PM
Literally shitting myself
Literally?