Bitcoin Forum
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 85266 times)
iCEBREAKER
April 02, 2013, 03:53:44 AM
 #121

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Who are these stupid sheeple dumbfucks using Chrome?

"Zomg its shiny and new, I better use Chrome to check my Gmail so I have zero privacy and my identity may be stolen by anyone who wants it.  Hurr Durr!!"

The FEMA camps are too good for them...


Severian
April 02, 2013, 04:54:11 AM
 #122

Google: Your business is our business.
The-Real-Link
April 02, 2013, 05:24:08 AM
 #123

I'm surprised that Instawallet wouldn't do any number of adjustments to their code to prevent something that's risk-prone like that from happening.

For example, I do photography with Smugmug.  They randomize every single photo's ending URL at 9 different sizes.  Your gallery name may go into the URL but you (should) have a password for anyone accessing it, and your starting photo URL is still pretty random (not just photo1). 

To think they'd let someone's own password be spelled out right in the URL is pretty shocking if I understand it correctly. 

Oh and yeah, not a fan of Chrome.  I'll use it for Bitcoinity updates, since currently my IE is broken with it, and for coding.  Otherwise, nope.  But go figure, my brothers love Gmail though.

caveden
April 02, 2013, 06:23:00 AM
 #124

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Does the same apply to Chromium?
dooglus
April 02, 2013, 06:31:31 AM
 #125

Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

jcdf
April 02, 2013, 06:40:07 AM
 #126

I don't think most people realize that when you enter a URL for an HTTPS address such as Instawallet, the part of the URL after instawallet.org is sent as an encrypted string.

https://www.instawallet.org/"encrypted string"

The actual password or whatever is in the URL is not sent as plain text and is not readable by all the hops in between.

Now if Chrome is treating everything entered in the search/URL bar as a search, even a full HTTPS URL, and sending it to Google, that is a serious problem.
caveden
April 02, 2013, 08:07:43 AM
 #127

Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

Thanks dooglus. Mine was off.
steelboy
April 02, 2013, 09:08:44 AM
 #128

So do we think it is only affecting Chrome users, or is this just speculation?

Aside from that there is no news is there?
DublinBrian
April 02, 2013, 10:24:12 AM
Last edit: September 22, 2013, 08:49:36 PM by DublinBrian
 #129

For the record, if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) their Instawallet address to their Gmail account for safe keeping... Google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  hence the problem!

The more I research, the more I believe that some of these Instawallet URLs (not all, but a big number of them) were due to people mailing themselves their OWN URL using Gmail.
Thanks for the warning Founder. My own experience shows that this security hole does not always lead to bitcoin losses.

I set up an Instawallet for a friend, and put 3 BTC in it. There is no password on the wallet; knowledge of the URL is sufficient for access. I then emailed the wallet URL from my email account to my friend's Gmail account.

My friend has suffered no losses or problems. The wallet was still working fine up to a couple of days ago.


MPOE-PR
April 02, 2013, 10:52:47 AM
 #130

he can include them in the same block

Ah right you are, it didn't occur to me.

Atruk
April 02, 2013, 11:35:02 AM
 #131

So do we think it is only affecting Chrome users, or is this just speculation?

Aside from that there is no news is there?

Speculation, but justified.

Chrome is the ultimate spyware

greyhawk
April 02, 2013, 11:48:49 AM
 #132


Chrome is the ultimate spyware

And I love it for that.

I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you".
Without me doing anything.

Or I look up a restaurant at lunchtime and later at dinnertime I'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder".
Without me doing anything.

Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. You'd better drive this way. Just saying".

Without me doing anything.

It's perfect and exactly what my phone should do.

The lesson here is not: Google is evil.

The lesson is: Security through Obscurity never ever works.
Rampion
April 02, 2013, 01:34:43 PM
 #133

FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS

d5000
April 02, 2013, 01:56:23 PM
 #134

Bitcoin-Central about a minute ago again showed me the normal light-blue design, but with an "Internal Server Error". Now they have restored the "Maintenance" message.

Seems they will be up again soon.

steelboy
April 02, 2013, 02:01:08 PM
 #135

The waiting is killing me
DublinBrian
April 02, 2013, 02:37:30 PM
 #136

sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.
steelboy
April 02, 2013, 02:38:56 PM
 #137

I made two withdrawals from Instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at Instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent should I be sure to receive this whatever happens with the rest of instawallets issues?

So, in regards to this, without being too technical: why would a transaction take two days to confirm?

Is it something to do with instawallet being free?

Can anyone help with this?
Rampion
April 02, 2013, 02:39:32 PM
 #138

sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.

Yeah, in this era of short attention spans Instawallet is perfect for having newbies' coins stolen.

Tell your friends to use blockchain.info's My Wallet for their first pennies; it is quite as immediate as Instawallet and much more secure.

ingrownpocket
April 02, 2013, 02:40:49 PM
 #139

If you put a password in the URL on your website, it is not Google's fault. It would be your, and only your, complete and grossly negligent disregard of the most trivial best practices in information security.

Do not blame Google, it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their Instawallet URLs on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
https://www.google.com/search?q="instawallet.org%2Fw%2F"

About 29,400 results were found.
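The failure mode discussed in this post is a capability URL (the path alone grants access to the wallet) ending up in a search index. The script below is an added example, not code from the thread or from Instawallet: it runs over constructed web server access log lines and flags secret-bearing wallet paths that were fetched by a search-engine crawler or reached from a search-result click, redacting the token in the report so the alert itself does not leak it. The '/w/' path shape, the crawler list and the log lines are assumptions.

```python
"""Flag capability URLs (the path alone grants access) fetched by a search
crawler or reached from a search-result click. Added example: the '/w/' prefix,
crawler list and log lines are constructed assumptions, not Instawallet data."""
import re
from collections import defaultdict
# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
CRAWLER_UA = re.compile(r'Googlebot|bingbot|Baiduspider|YandexBot|DuckDuckBot', re.I)
SEARCH_REFERER = re.compile(r'^https?://(www\.)?(google|bing|yandex|duckduckgo)\.', re.I)
SECRET_PATH = re.compile(r'^/w/[A-Za-z0-9_-]{8,}$')  # assumed: token after /w/ is the secret

def redact(path):
    """An alert must not leak the secret it reports: keep a 4-char prefix only."""
    token = path.split('/', 2)[2]
    return f'/w/{token[:4]}...({len(token)} chars)'

def classify(line):
    """(path, reason) for a secret path fetched by a crawler or via a search click;
    None for unparsable lines, public paths or ordinary owner visits."""
    m = LOG_RE.match(line)
    if not m or not SECRET_PATH.match(m['path']):
        return None
    if CRAWLER_UA.search(m['ua']):
        return m['path'], 'crawler'
    if SEARCH_REFERER.match(m['referer']):
        return m['path'], 'search-referer'
    return None

def scan(lines):
    """Group redacted, flagged paths by reason; every hit is a token to rotate."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[1]].add(redact(result[0]))
    return {reason: sorted(paths) for reason, paths in hits.items()}

# Constructed sample: crawler fetch, search-result click, owner visit, crawler on the public page.
SAMPLE_LOG = [
    '66.249.66.1 - - [02/Apr/2013:06:40:07 +0000] "GET /w/a1b2c3d4e5f6 HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [02/Apr/2013:06:41:00 +0000] "GET /w/zz99yy88xx77 HTTP/1.1" 200 512 '
    '"https://www.google.com/search?q=instawallet" "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0"',
    '198.51.100.4 - - [02/Apr/2013:06:42:13 +0000] "GET /w/q1w2e3r4t5y6 HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Chrome/26.0.1410.43"',
    '66.249.66.1 - - [02/Apr/2013:06:43:30 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]
```

Calling `scan(SAMPLE_LOG)` returns the two leaked tokens grouped as `crawler` and `search-referer`; the owner's own visit and the crawler's fetch of the public front page are not flagged.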
MPOE-PR
April 02, 2013, 02:55:10 PM
 #140

FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS

3. Spelling is a lost art.
