Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 85266 times)
repentance (Hero Member)
April 03, 2013, 07:52:13 PM  #241


Quote
Dude come on, this is the problem of the whole fucking society.
People just blaming each other because they don't have the balls to take responsibility for it themselves.
If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself.

If you drink too much Heineken beer, you are responsible for the consequences. You cannot blame Heineken because they provided it.
You are always the only one responsible for your own actions.

In this case: of course, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins after a big correction. You can't blame the economy for it; it was your risk to take, and you didn't have to take it.

Don't walk away from your responsibility, and be happy Paymium is at least trying to come up with a solution.

If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity, and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services.

That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed.


All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
lucb1e (Newbie)
April 03, 2013, 07:58:18 PM  #242

The bitcoin-central website seems to be changing often. First the site's HTTPS was down, then it was serving an HTTP connection over the HTTPS port (in Firefox this results in "record too long" or something), then error 500, now the message is back. It looks like they're changing physical location or even physical server (changing certificate, reconfiguring webserver, perhaps an IP change).

Quote
Getting worried about the severe lack of communication
I find that strange too, though I'm not sure if it should really have us worried. At least for the bitcoin-central users; I have a worse feeling about Instawallet. But I'm not involved with Instawallet at all and I'm not checking on that all day, so my feeling could easily be wrong.

Quote
Anyone have a private communication channel to them? Could anyone try to get some info on this? Customers/users deserve to know the current status of the affair.
I think if anyone had, they are friends and are told things in confidence, or acquaintances are told the same as everyone. If they're not talking, it's most likely that nothing is supposed to come out... And I think they're reading this topic at least once or twice a day; if something was to be said they'd have said it. Maybe (like someone else suggested) they're not talking in case they are wrong. Official statements are always taken as promises, even if it's not said anywhere (and for a good reason, but that might be why they're silent).
HATA28 (Newbie)
April 03, 2013, 07:58:41 PM  #243

Quote
...

If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity, and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services.

That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed.

How can you say that when we don't even know what exactly happened yet? Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculating.
Also, if you are aware of the vulnerability then what would stop you from immediately withdrawing all your funds... I am not saying Paymium didn't make any mistakes, I'm just saying do whatever you can to protect your funds, and if you don't, take responsibility for it.
Joost (Member)
April 03, 2013, 08:08:57 PM  #244

This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin.

The volume is/was hardly influential. Mtgox didn't even notice when Bitcoin Central went down.
repentance (Hero Member)
April 03, 2013, 08:26:56 PM  #245

Quote
How can you say that when we don't even know what exactly happened yet? Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculating.

Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited.  The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services).

The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised.

People don't demand enough of Bitcoin services.  Half the time they know little - if anything - about the people behind them and especially about the resources they have available.  They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures).  They leave amounts they can't afford to lose with services which could literally be out of business an hour from now.  No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future).

None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
dree12 (Legendary)
April 03, 2013, 08:31:17 PM  #246

Quote
How can you say that when we don't even know what exactly happened yet? Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculating.

Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited.  The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services).

The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised.

People don't demand enough of Bitcoin services.  Half the time they know little - if anything - about the people behind them and especially about the resources they have available.  They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures).  They leave amounts they can't afford to lose with services which could literally be out of business an hour from now.  No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future).

None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole.

Hear hear. So many people here are against regulation. Until people become accustomed enough to regulate companies themselves, more regulation is good for Bitcoin.
HATA28 (Newbie)
April 03, 2013, 08:50:45 PM  #247

Quote
How can you say that when we don't even know what exactly happened yet? Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculating.
The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.

They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50 BTC) if you were too lazy to file a claim.
You cannot have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you just find out about the leak?
Paymium is already providing information regarding a solution, within only 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.
TheButterZone (Legendary)
April 03, 2013, 08:52:33 PM  #248

Trying to figure out the logic of the statement and claims process.

Assuming everyone's Instawallet BTC was moved to cold storage (as all received TXs seemed to be moved off your BTC address shortly after receipt), and this was a database hack, the hacker just obtained the secret URLs and the BTC balances of all of them? Unless the hacker ALSO coded some kind of script to access every secret URL, withdraw entire balance on each of them via whatever method Instawallet had for withdrawing them out of cold storage, then this would explain why there is a 90 day claims process at all. Basically Instawallet has to make sure only one person is claiming each secret URL, and then detect a pattern of similar double claims; the one doing the double claims for more than maybe 3 secret URLs or >50 BTC is the hacker?

Saying that you don't trust someone because of their behavior is completely valid.
HATA28 (Newbie)
April 03, 2013, 09:01:27 PM  #249

It is not sure yet that the security was compromised by leaking the Instawallet URLs.
It could be something completely different.
Also, they didn't say it is going to take 90 days to refund; after 90 days you will be auto-refunded (<50 BTC).
You will most likely get your bitcoins back a lot faster if you file a claim.
Rampion (Legendary)
April 03, 2013, 09:04:05 PM  #250

No news from davout?

repentance (Hero Member)
April 03, 2013, 09:04:50 PM  #251


Quote
They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50 BTC) if you were too lazy to file a claim.
You cannot have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you just find out about the leak?
Paymium is already providing information regarding a solution, within only 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.

Is English not your first language?  They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account.

Quote
For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.

1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account.

I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs.  If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period.  Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
greyhawk (Hero Member)
April 03, 2013, 09:08:11 PM  #252

At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself.

Oh, wait. Hehe, duplicates.
HATA28 (Newbie)
April 03, 2013, 09:23:44 PM  #253


Quote
They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50 BTC) if you were too lazy to file a claim.
You cannot have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you just find out about the leak?
Paymium is already providing information regarding a solution, within only 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.

Is English not your first language?  They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account.

Quote
For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.

1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account.

I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs.  If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period.  Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising.

Okay, you are totally right, I did not read carefully enough (missed "other" and "same"). I thought they meant they were going to refund if you file a claim, and refund automatically if you didn't claim anything at all. I have never used Instawallet and I have never even seen the website. I only have a slight idea of how it's working, so I think it's time for me to shut up about this.

Quote
At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself.

Oh, wait. Hehe, duplicates.

Maybe I am. Why don't we find out in the next couple of days...

joepie91 (Sr. Member)
April 03, 2013, 09:31:44 PM  #254

Quote
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

Quote
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

It was most definitely a security flaw. There's a reason many services that offer similar things use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet; you need the 'fragment' as well. The fragment is entirely client-side.

To put it simply, using a URL as your sole authentication is a really fucking stupid idea.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
repentance (Hero Member)
April 03, 2013, 09:42:23 PM  #255


Quote
It was most definitely a security flaw. There's a reason many services that offer similar things use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet; you need the 'fragment' as well. The fragment is entirely client-side.

To put it simply, using a URL as your sole authentication is a really fucking stupid idea.

Even worse is that they knew this flaw was being discussed publicly, as was the StrongCoin flaw.  You can't assume that every user will read threads about security flaws, but services themselves should make it their business to know when such discussions are taking place.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
makomk (Hero Member)
April 03, 2013, 10:35:00 PM  #256

Quote
The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.

Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.

Fucking maroons. For this to be true, they'd have to be storing the raw, unhashed keys from the URLs, and there's not really any good reason why they should do things this way. Simply hashing the URLs would have made it difficult or impossible for someone who got hold of the database to imitate account holders.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
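The two technical points in this thread, joepie91's (#254) that the wallet secret should live in the URL fragment so the server never receives it in a request, and makomk's (#256) that the server should store only a hash of the key so a stolen database table cannot be used to impersonate account holders, can be shown side by side in a few lines. The following is an added illustration written for this page; it is not code from the thread, from Instawallet, or from Paymium, and nobody here knows how their database was actually laid out. It models two toy wallet stores: NaiveStore keeps the raw secret (the design makomk says the breach implies), HashedStore keeps an HMAC-SHA256 of the secret under a server-side pepper (an HMAC rather than the plain hash makomk mentions, a choice made here so that the table alone, without the pepper, yields nothing usable). The URL shape, the pepper, the wallet id and the secret are all constructed for the example.

```python
"""Added example: URL-secret wallets and why the server must not keep the raw secret.

Constructed for this page; not Instawallet's, Paymium's, or any poster's code.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def parse_wallet_url(url: str) -> tuple[str, str]:
    """Split 'https://host/w/<wallet_id>#<secret>' into (wallet_id, secret).

    Browsers never send the fragment in an HTTP request, so the server's logs
    and tables cannot contain it unless client-side code deliberately posts it.
    Hypothetical URL layout, constructed for the example.
    """
    parts = urlsplit(url)
    wallet_id = parts.path.rsplit("/", 1)[-1]
    if not wallet_id or not parts.fragment:
        raise ValueError("wallet URL needs an id in the path and a secret in the fragment")
    return wallet_id, parts.fragment


class NaiveStore:
    """Keeps the raw secret in the table: whoever copies the table owns every wallet."""

    def __init__(self):
        self.rows = {}  # wallet_id -> raw secret (toy schema)

    def create(self, wallet_id: str, secret: str) -> None:
        self.rows[wallet_id] = secret

    def authenticate(self, wallet_id: str, presented: str) -> bool:
        return self.rows.get(wallet_id) == presented

    def dump(self) -> dict:
        """What a database breach hands over."""
        return dict(self.rows)


class HashedStore:
    """Keeps HMAC-SHA256(pepper, secret); the pepper lives outside the table."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper  # held in app config / KMS, not in the database
        self.rows = {}  # wallet_id -> hex digest

    def _digest(self, secret: str) -> str:
        return hmac.new(self._pepper, secret.encode(), hashlib.sha256).hexdigest()

    def create(self, wallet_id: str, secret: str) -> None:
        self.rows[wallet_id] = self._digest(secret)

    def authenticate(self, wallet_id: str, presented: str) -> bool:
        stored = self.rows.get(wallet_id)
        if stored is None:
            return False
        # Constant-time comparison so response timing does not leak digest prefixes.
        return hmac.compare_digest(stored, self._digest(presented))

    def dump(self) -> dict:
        return dict(self.rows)


def breach_impact(store, wallet_id: str) -> bool:
    """Does the value a table copy exposes for this wallet pass authentication?"""
    leaked_value = store.dump()[wallet_id]
    return store.authenticate(wallet_id, leaked_value)


def demo() -> dict:
    # Constructed wallet URL; the fragment is the only credential.
    url = "https://wallet.example/w/abc123#k7Q9v2mXp1Lr"
    wallet_id, secret = parse_wallet_url(url)

    naive = NaiveStore()
    naive.create(wallet_id, secret)
    hashed = HashedStore(pepper=secrets.token_bytes(32))
    hashed.create(wallet_id, secret)

    return {
        "owner_naive": naive.authenticate(wallet_id, secret),    # True
        "owner_hashed": hashed.authenticate(wallet_id, secret),  # True
        "dump_naive": breach_impact(naive, wallet_id),           # True: table = keys
        "dump_hashed": breach_impact(hashed, wallet_id),         # False
    }


if __name__ == "__main__":
    print(demo())
```

The legitimate owner authenticates against either store, but only the naive table gives a copy of itself the power to log in, which is exactly the failure mode the Instawallet notice describes. The hashed store is only as good as the secret's entropy and the claims process still has to cope with a breached table revealing wallet ids and balances; it is a mitigation of impersonation, not of disclosure.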
panoss (Newbie)
April 03, 2013, 11:15:05 PM  #257

bitcoin central is back
Injust (OP) (Legendary)
April 03, 2013, 11:19:28 PM  #258

Note from bitcoin-central.com and paytunia.com:
Quote
[Apr-03 7:00PM CET]

We are still working on bringing the service back up: we expect to resume operations within the next 48 hours.

A lot of people have asked about the state of orders currently pending. Due to the recent and important price fluctuations we will cancel some outstanding orders before reopening. For example if the average price stays above 100 EUR/BTC we will cancel all asks below 110 EUR/BTC. No trades will be reversed.

We also don't want to take anyone by surprise and as such will give a 24h notice before trades start to get executed again.

During these 24 hours you will be able to place and cancel orders. When the trading engine gets restarted they will be executed in the order they were placed.

Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption.

The deposits received while the service was interrupted will be added to your balance during the 24h notice time.
panoss (Newbie)
April 03, 2013, 11:19:51 PM  #259

It is only referring to the open orders! As everything else is OK?
Phinnaeus Gage (Legendary)
April 03, 2013, 11:50:17 PM  #260

Quote
sending your funds to a wallet consisting of a non-password-protected URL is RIDICULOUS

Quote
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.

Therefore, all the NPO/NGOs I emailed with InstaWallet.org in the text will look upon Bitcoin as a farce if they happen to click the link.

Currently on Page 8 of this thread, hoping there's good news by the time I get to Page 14.

So far it's looking like this'll be the first time I lose bitcoins via another entity. The ONLY saving grace is that it was all profit, but then again so is close to 100% of all the barn wood I currently have in stock, but would hate it if the buildings burned down or I was ripped up off of the entire lot.

I'm holding my tongue till I reach the end of this thread.

Madness!!!

~Bruno K~