Instawallet/Bitcoin-Central Security Breach

[Phinnaeus Gage]

davout give us a shoutout PLEASE We wanna know what your doing!!!!!!!!!!!!!!!!!!!!
 

YOU GOTTA BE FUCKIN' KIDDIN' ME!!!

Name:   davout
Posts:   2744
Position:   Staff
Date Registered:   October 17, 2010, 06:01:12 AM
Last Active:   April 02, 2013, 10:16:50 AM

I hope I'm calmed down before I get to the end of this thread, otherwise I WILL be asking for an address, and not the BlockChain kind.

[1713954913]

1713954913

[1713954913]

1713954913

[Nicolai]

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread alot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

It was most definitely a security flaw. There's a reason many services that offer similar things, use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside.

To put it simply, using a url as your sole authentication is a really fucking stupid idea.

I totally agree with your last line, but "a fucking stupid idea" != security flaw.
Just like when a website create a recover link: blah.tld/recover.php?secret=SomEtHingRandom, as long as I don't share this link, then only I and the website know the link, so only I can change my password/recover my user. THIS IS NOT A SECURITY FLAW.

However, if I share this link with world+dog (public internet) - and a lot of people did this, by sharing their *PRIVATE URL* with everyone on the public internet - then everybody can "hack" me. But this is NOT due to a security flaw in the website! This is due to a human error, because someone shared their private urls (not a security flaw in the website and will never be).

The "flaw" first discussed in instawallet (which wasn't even a flaw) was simply because Google allow everyone to easy see this list of PUBLIC SHARED URLS by typing the command "site:" in Google. It is STILL possible to get this list, by simply changing "site:" to e.g. "allintext:" (proof) however now you manually have to visit every site on the list and dig out the instawallet link (before Google would do this for you).

It is best practice to tell Google: "please don't make this list _easy_ accessible", however you and everyone else will always be able to find "the list" (and the list will always exist, as long as people share their urls with everyone). It is NOT a security flaw in any website, that you can find this list (assuming the list only consist of private urls leaked by users, not the website).

Had Instawallet leaked just one link, then this had been a security flaw, but they DIDN'T. Not a single link.

And can we now please stop talking about this silly "mistake" (it's not even a flaw - and you would NEVER be able to use it, to hack Instawallet), and actually focus on THE REAL HACK. Please?

[Phinnaeus Gage]

They are hacked and lost bitcoin!!They will close this this business and go the "claim" process!!

Source?

the website now updated with the notice.

I'm not seeing it. If you're trolling, this is not a good time. If you're not, do post a screenshot.

INSTAWALLET SERVICE NOTICE

The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.


Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.


In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Important information on claims submission:

1.For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.
2.After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.
3.Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.

From http://notice.instawallet.org/

Somebody fuck me in my ass and then stick your dick in my mouth, for I'm sure I'll enjoy that much better than what I've just read.

I've read that he's probably in Paris, so so much for a road trip. Is there anybody in Paris that can at least visit the address provided to glean any viable information?

I will blow my fuckin' top if I learn that my close friend and a dear client (2 separate individuals) have coins tied up on InstaWallet.org after I went out on a limb to assure them that they need not worry giving my personal guarantee.

This is so fucked up on so many levels.

Back to page 10, or is it 11?

~Bruno K~

[Phinnaeus Gage]

Hope you learnt an important lesson: NEVER TRUST ONLINE WALLETS WITH MORE THAN POCKET MONEY.

And remember that what's pocket money today, can be retirement money tomorrow

No Mother Fuckin' Kidding!

[Phinnaeus Gage]

It seems every generation of bitcoiners just has to learn hard lessons on their own. FFS if experienced bitcoiners like so not modest myself who warned other about exactly this shit long before mybitcoin fiasco tells you TRUST NO ONE. Pay fucking attention next time.

It never works Vlad, they never listen.

Stick two dicks up my ass, for it's quite obvious that I didn't listen.

Also...

Q: I forgot my URL, can you help me?

A: As I lined out in the warning, I'm afraid the answer is no. I have to be strict about this, as I would otherwise open myself to social engineering attacks and putting my users and myself at risk. If you have not done so already, I can only recommend to check your browser history. An easy way of doing that is to just enter https://www.instawallet.org/w/ and see what your browser's auto completion suggests.

Somebody tell me then how the hell are they going to be able to return funds given the above?

[Phinnaeus Gage]

Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as amount of mined bitcoins asymptotically approaches 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is gong to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.

Spot on, and did not take offense, bud. All others feel free to stick it up me, but at least ask me if I want to taste it when you do.

Although this hurts me financial, it's not drastic, but this is a major blow to Bitcoin on several levels. Not in my wildest dreams I thought InstaWallet would go down, but looking back I should have thought otherwise. In fact, for a brief second I did about a week or so ago, but was assured that all is well, opting to not look deeper and explore my options further.

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

[justusranvier]

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

11000 posts and you never came across a thread explaining how to set up a secure paper wallet?

[repentance]

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear than Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.

[Phinnaeus Gage]

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

11000 posts and you never came across a thread explaining how to set up a secure paper wallet?

I came across it, but opted to ignore it, not wanting to take the time to go through the learning curve. Hell, I purchased a Samsung III to use with Bitcoin in mind, but got frustrated with the screen, so I gave it to my niece.

I am capable of figuring things out, but sometimes the lack of time gets in the way of me doing certain things.

I'm on record for stating that even if Bitcoin went to zero, i'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~

EDIT: Ironically, we cross-post:

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear than Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.

[repentance]

I'm on record for stating that even if Bitcoin went to zero, i'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~

They previously stated that they had exclusive control of the wallet and that user funds were safe.  They've said nothing so far to indicate that's not still the case.  The issue here seems to be how they return funds to legitimate users when the database has been compromised.  You're obviously going to fall into the "case by case" category, but at this stage they're saying they can start returning funds after a 90 day claim period and not that there are missing funds.

In my opinion, they need to make very clear that no user funds have been lost (or none that they can't replace out of their own pockets) if that's the case.  If user funds have been lost then they need to be truthful about that because no-one wants to sit around thinking they're going to get their funds in 90 days only to find in 3 months time that there's a shortfall.

[SgtSpike]

Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as amount of mined bitcoins asymptotically approaches 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is gong to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.

Spot on, and did not take offense, bud. All others feel free to stick it up me, but at least ask me if I want to taste it when you do.

Although this hurts me financial, it's not drastic, but this is a major blow to Bitcoin on several levels. Not in my wildest dreams I thought InstaWallet would go down, but looking back I should have thought otherwise. In fact, for a brief second I did about a week or so ago, but was assured that all is well, opting to not look deeper and explore my options further.

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

I'll just say that the Bitcoin-QT wallet is incredibly easy to set up (pretty much just click install, and it's done), and it is reasonably secure once you password protect it.  The downside is just that it takes a number of hours to synchronize, and it does take up some ram and a decent amount of HDD space.  But that's a small sacrifice to make to have full control over your coins.

Davout seems to be a standup guy.  I'd be surprised if you didn't get the vast majority of your funds back, given how much of instawallet's funds were sitting in a cold wallet.  But certainly, put more effort into making sure your coins are secure down the road, especially when you have enough to buy a house with!

[Twerka]

I lost 0.02 BTC , even when its only 2,50 dollars, I'm angry to see a website stealing the money of their users. "Trust no one" is the name of a post on the newbie area; I think it's right.

[repentance]

I lost 0.02 BTC , even when its only 2,50 dollars, I'm angry to see a website stealing the money of their users. "Trust no one" is the name of a post on the newbie area; I think it's right.

I think they've done a lot wrong, but right now there is no evidence whatsoever that anyone's funds have been "stolen".

[avegetable]

Would it be a good idea for victims to find out which address (or addresses) they used to transfer their BTC to Instawallet, and immediately sign a message, to prove that they control that bitcoin adddress, if possible?

This wouldn't prove that they own the funds at Instawallet (they might only be somebody who sent BTC to the real owner) but it would help Instawallet to more easily sort out claims into 'probably true' and 'probably false'.

That's because scammers won't be able to prove that they sent any bitcoins in to the Instawallet address that they claim to own. And somebody who really did send bitcoins into another person's address isn't likely to have the knowledge, or the desire, to scam them later (though it's not impossible, if a large sum is at stake, so Instawallet would still need to review the case and other evidence)

I don't have anything stored at Instawallet. I'm just thinking it would be best for victims to prove as soon as possible that they control any sending addresses, in case they're not able to do that later (for example, they could delete their wallet, or overwrite keys, accidentally or because they think it's not important any more)

Does this idea help?

[cho]

Q: I forgot my URL, can you help me?

A: As I lined out in the warning, I'm afraid the answer is no. I have to be strict about this, as I would otherwise open myself to social engineering attacks and putting my users and myself at risk. If you have not done so already, I can only recommend to check your browser history. An easy way of doing that is to just enter https://www.instawallet.org/w/ and see what your browser's auto completion suggests.

Somebody tell me then how the hell are they going to be able to return funds given the above?

Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed : "I have to be strict about this, as I would otherwise open myself to social engineering attacks" would have been "it is physically impossible for me to do so since we do not store your URLs unencrypted, and are thus unable to recover them, whatever the circumstances".
Am I wrong ?

[psilos]

Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there.

[psilos]

I quote a part from an article appeared in "bitcoinmagazine" (http://bitcoinmagazine.com/instawallets/) regarding pros and cons about using instawallet:

Because of Instawallet’s “URL as password” mechanism it’s the least secure of all the options. Instawallet themselves recommend that users “please do not store more than some spare change here” for casual use.


Instawallet people themselves recommended their clients not to store large amount of bitcoins. This shows some honesty.

[piramida]

14,000 total coins were stored in instawallet? Lost faith in humanity once again

[steelboy]

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

11000 posts and you never came across a thread explaining how to set up a secure paper wallet?

I came across it, but opted to ignore it, not wanting to take the time to go through the learning curve. Hell, I purchased a Samsung III to use with Bitcoin in mind, but got frustrated with the screen, so I gave it to my niece.

I am capable of figuring things out, but sometimes the lack of time gets in the way of me doing certain things.

I'm on record for stating that even if Bitcoin went to zero, i'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~

EDIT: Ironically, we cross-post:

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear than Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.

Looks like me and you are in the same boat Phinnaeus, nice to meet you. Shame it couldn't have been under better circumstances.

Ok, I have been doing some analysis/thinking about the situation and am feeling (relatively) positive. Ladies and gentlemen, if you would care to indulge me.

INSTAWALLET DEBACLE 2013

Firstly i have made some assumptions

1. The people behind Instawallet are honest and want to return the money to their rightful owners.

I have assumed this based on the fact that they have their public profiles on record, some of them have been directors of big multinational companies (Orange), they have other businesses which i believe they want to keep earning them money and finally they probably realise that a higher percentage of the bitcoin userbase compared to the general public might go after them personally if the money was not returned. (Based on the fact that the currency is underground and only recently surfacing to most people).

Besides this, if we assume they are dishonest then our money might as well be gone anyway. :/

2. Everybody who had money in instawallet now realises the error of their ways and will be using a paper wallet rolled up into a tube and inserted anally at all times.

Some of the people here have lost a fair bit of money and the I told you so's are a little annoying. I for one will invest a few bitcoins in awareness of this problem for newbies if i get my money back.

3. The hacker has some info

This is as far as i could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilites from worst cast scenario to best.

• All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away
• All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one. Quite time consuming. 2 people doing that for 90 days, 14 hours a day, looking up 1 every ten seconds would be 907,200
• A portion of the URLS and public addresses, maybe gained from Google or Chrome as mentioned earlier in the thread - same as above but obviously some of us will not be affected
• All 3.5 million URLS but not the public address - this would mean that as soon as the website was closed they no longer had access to the site to search for bitcoins in the URLS they were holding
• A portion of the URLS but no public address - the same as above but again doesn't affect everyone

There may be more but that's all i could think of for now.

4. The hacker has already stolen something?

Now this i am not sure of. I feel that the wording of their agreement leads us to believe that some has gone but not all. If this is the case, when was it stolen? If it was only stolen in the last few days then maybe a date-stamped document in Time Machine (Mac recovery service) would be enough to prove that you have held the URLS for a while?

CONCLUSION

After all this we can conclude that if we claim back on an address and find that all large amounts are being double claimed we can be sure that the first option in section 3 is probably true.

If this is not the case then i think the chances of double claiming go down and we can hope to see our money again.

You never know, a 90 day force holding period might be a blessing in disguise.

What do you guys think?

[psilos]

Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there.

Instawallet did not have any form of security. Anyone knowing the url of a wallet could have withdrawn all its funds. (basically anyone gaining some form of access to the server could read the http log file and get hundreds of wallets)

Bitcoin Central has/had :
- a login/password system
- an optionnal double authentication mecanism
- a KYC politics requiring people wishing to put more than x euros (x=250 or 1000€ I don't remember) or the equivalent in BTC to identify themselves with name, address and a proof of identity.

I would like to know the conceptual difference between bitcoin-central and instawallet. After an extensive discussion here in the topic, I learnt about the security gaps but why someone woudl prefer to keep the bitcoins in Instawallet rather than in bitcoin-central?