Bitcoin Forum
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 85268 times)
molecular
April 02, 2013, 11:04:38 PM
 #161

In short "Keep your private keys private". Rule number ONE in Bitcoin land.

You're storing BitcoinSpinner users' private keys in plaintext on their phones. How is this helping them to keep their private keys private?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
dooglus
April 03, 2013, 01:54:41 AM
 #162

Thanks dooglus. Mine was off.

Yes, I think chromium has all its "spying for google" features disabled by default.

splat44
April 03, 2013, 02:29:25 AM
 #163

If bitcoin-central.net has an update, I'm sure instawallet will come down the line! Usually this one is very safe!

either way the lesson will be "trust no one to hold your coins".
Seconded

Apparently every new batch of Bitcoiners will need to learn this valuable lesson.

If you aren't the sole controller of your private keys, you don't have any bitcoins.

Take whatever steps necessary to be the sole controller of your private keys people!
In short "Keep your private keys private". Rule number ONE in Bitcoin land.

bitcoin-central.net has updated its message

Still no mention of instawallet  Huh


Joost
April 03, 2013, 07:29:41 AM
 #164

So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?
You would be surprised how many people got Google as their home page and type URLs in the page's search box instead of the browser's URL bar...

When you're using Chrome as your browser, (on the default settings) there is no difference between the two. None.
MysteryMiner
April 03, 2013, 01:05:50 PM
 #165

For the first Instawallet URL hack I think Google Chrome is to blame. I never used Chrome outside a VMWare test environment and I recommend that no one install Google Chrome on any computer, for this privacy reason. If there is any technical need where Chrome is preferred over Firefox, then use SRWare Iron, which has all the bad things deleted. The use of a URL as a private key is not a big security problem because SSL also encrypts the URL and prevents anyone from seeing it, including Tor exit nodes, FBI, etc. As long as the browser history is safe and not compromised, the URL is safe.

I have no idea about the second hack. If it is true that the servers are suspected to be compromised, then it might take some time to install a new operating system on new hardware, test and secure the setup before it is launched publicly again.

bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
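
An added example, not part of any post in this thread: a check over requests captured from one browser session that reports every place a secret wallet URL's token reaches a host other than the wallet itself, either inside the request URL (a URL typed into a search or suggestion box, as discussed above) or in the Referer header. The `example.invalid` hosts, the token, the sample records and the function names are all constructed for illustration.

```javascript
// Constructed sample data; hosts, token and function names are hypothetical.
const SECRET_URL = "https://wallet.example.invalid/w/Zk3vQ9cONSTRUCTEDtoken";

// HAR-like records of requests one browser session produced (constructed).
const SAMPLE_REQUESTS = [
  // The wallet page itself: the only party meant to see the token.
  { url: SECRET_URL, headers: {} },
  // Address typed into a search/suggestion box: the whole URL travels as a query.
  { url: "https://suggest.example.invalid/complete?q=" + encodeURIComponent(SECRET_URL),
    headers: {} },
  // Third-party script loaded by the page, full URL sent as Referer.
  { url: "https://cdn.example.invalid/lib.js", headers: { referer: SECRET_URL } },
  // Same third party, but the referrer was trimmed to the origin: no token.
  { url: "https://cdn.example.invalid/font.woff",
    headers: { referer: "https://wallet.example.invalid/" } },
];

// Percent-decode where possible so encoded copies of the token still match.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

// Return every place the URL's secret path token reaches a foreign origin.
function findUrlSecretLeaks(secretUrl, requests) {
  const secret = new URL(secretUrl);
  const token = secret.pathname.split("/").filter(Boolean).pop();
  if (!token) return []; // URL carries no path secret, nothing to look for
  const leaks = [];
  for (const req of requests) {
    const dest = new URL(req.url);
    if (dest.origin === secret.origin) continue; // wallet server: expected
    const channels = {
      url: safeDecode(req.url),
      referer: safeDecode((req.headers && req.headers.referer) || ""),
    };
    for (const [channel, text] of Object.entries(channels)) {
      if (text.includes(token)) leaks.push({ host: dest.host, channel });
    }
  }
  return leaks;
}

console.log(findUrlSecretLeaks(SECRET_URL, SAMPLE_REQUESTS));
```

TLS protects each of these requests in transit, yet the token still arrives in the clear at whichever server terminates the connection, which is why the check compares origins instead of looking at the transport.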
steelboy
April 03, 2013, 01:20:15 PM
 #166

For the first Instawallet URL hack I think Google Chrome is to blame. I never used Chrome outside a VMWare test environment and I recommend that no one install Google Chrome on any computer, for this privacy reason. If there is any technical need where Chrome is preferred over Firefox, then use SRWare Iron, which has all the bad things deleted. The use of a URL as a private key is not a big security problem because SSL also encrypts the URL and prevents anyone from seeing it, including Tor exit nodes, FBI, etc. As long as the browser history is safe and not compromised, the URL is safe.

I have no idea about the second hack. If it is true that the servers are suspected to be compromised, then it might take some time to install a new operating system on new hardware, test and secure the setup before it is launched publicly again.

So you think if I have used only Firefox in safe mode then it should be all good?
MPOE-PR
April 03, 2013, 01:20:38 PM
 #167

In short "Keep your private keys private". Rule number ONE in Bitcoin land.

You're storing BitcoinSpinner users' private keys in plaintext on their phones. How is this helping them to keep their private keys private?

Ouch.

Kotcha
April 03, 2013, 01:27:08 PM
 #168

What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication
steelboy
April 03, 2013, 01:30:13 PM
 #169

What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication

No idea. I switch from positive to negative feelings nonstop. Driving me crazy. :/

One thing for sure though. If it turns out all right I am taking some profits and flying to a beach for a holiday. (Not before I finally get armory working though Wink )
Joost
April 03, 2013, 01:31:40 PM
 #170

What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication

The lack of communication is definitely disturbing.. I can only assume they haven't got any time for communicating as they've got the entire team working round the clock on this thing, but a little memo every few hours would have been great.

Their predicted 48 hours are nearly running out.. I had hoped to see them back online by now.  Embarrassed
Kotcha
April 03, 2013, 01:42:09 PM
 #171

I feel your pain steelboy. Kicking myself for not keeping them somewhere more secure, definitely a lesson learnt but hopefully not the hard way!

Yeah the communication has been appalling, and has probably tarnished the company a great deal - it looks like some people have lost A LOT of money, they deserve some sort of explanation. The fact that funds have been moved to this 'Instawallet Cold Storage' address is quite reassuring, unless it's an inside job and they are just stalling  Huh
twolifeinexile
April 03, 2013, 01:42:12 PM
 #172

What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication

The lack of communication is definitely disturbing.. I can only assume they haven't got any time for communicating as they've got the entire team working round the clock on this thing, but a little memo every few hours would have been great.

Their predicted 48 hours are nearly running out.. I had hoped to see them back online by now.  Embarrassed

Does anyone have a private communication channel to them? Could anyone try to get some info on this? Customers/users deserve to know the current status of the affair.
Joost
April 03, 2013, 01:50:27 PM
 #173

That's odd. The fonts used on https://bitcoin-central.net/ and https://paytunia.com/ are different. You'd think they'd just point to the same HTML file..  Tongue

Oddly enough, Instawallet still displays the old downtime message. I can only hope this is an indication of priorities  Wink
steelboy
April 03, 2013, 01:55:30 PM
 #174

I feel your pain steelboy. Kicking myself for not keeping them somewhere more secure, definitely a lesson learnt but hopefully not the hard way!

Yeah the communication has been appalling, and has probably tarnished the company a great deal - it looks like some people have lost A LOT of money, they deserve some sort of explanation. The fact that funds have been moved to this 'Instawallet Cold Storage' address is quite reassuring, unless it's an inside job and they are just stalling  Huh

Cheers mate. Hope you're not in as much as me.

The stalling thing is an option, I suppose. I just feel that as the owners are known there will be a lot of people ready to kick off if it has gone.
MysteryMiner
April 03, 2013, 02:30:16 PM
 #175



So you think if I have used only Firefox in safe mode then it should be all good?
Yes. Firefox doesn't leak URLs unless some malicious add-on or antivirus/firewall does it. And the safe mode for Firefox is not meant to be a "safer" mode of operation. It is only for troubleshooting purposes if some add-on or plugin causes it to crash.

The URL leak is not Instawallet's fault, I found another service that still has exactly the same problems. I did not manage to find any coins in there but it is only a matter of time. At least I will work back the coins that have gone with Instastealwallet.

If I'm going to run away with 4000 coins I will not post message that I will be back. I will post something like this: "Na nana nana I got Your coins and You will not see them again, na na nanaana!" together with picture of Eric Cartman.

bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
hous
April 03, 2013, 02:34:00 PM
 #176

how many coins you got in there steelboy?

I got 30 in there the price was  @ $103 each

now they're $130 lol

crazy shit, I hope to get them back !!!!

steelboy
April 03, 2013, 02:35:55 PM
 #177

A lot more than that. Sad

Didn't realise how unsafe they were and I just started to realise before Easter that I needed to do something about it.

Started a thread to get some advice about the armory and setting it up, even bought an offline asus on friday ready to get it sorted this week.

Oh well....let's see. 
hous
April 03, 2013, 02:51:17 PM
 #178

yea not a good place to hold them mate. I was only using it as a transporter, not a wallet to hold.
I hope you and every1 else gets them back.
I am leaving my computer at work today, otherwise I am up all night waiting to hear something.
My opinion is they had a problem, they managed to keep everyone's coins safe, now they're going to profit from it before it goes back live!!

cheers


Joost
April 03, 2013, 02:51:51 PM
 #179

I got 30 in there the price was  @ $103 each

now they're $130 lol

At least you had BTC in there before the steep rise this morning Wink
steelboy
April 03, 2013, 02:59:01 PM
 #180

yea not a good place to hold them mate. I was only using it as a transporter, not a wallet to hold.
I hope you and every1 else gets them back.
I am leaving my computer at work today, otherwise I am up all night waiting to hear something.
My opinion is they had a problem, they managed to keep everyone's coins safe, now they're going to profit from it before it goes back live!!

cheers




How do you think they can profit from it?