Bitcoin Forum
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 85266 times)
Kotcha
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
April 04, 2013, 08:50:55 AM
 #281

Anyone else having problems accessing the Instawallet site atm? Getting these errors in Firefox and Chrome...   Huh

Quote
This Connection is Untrusted
     
 
You have asked Firefox to connect
securely to www.instawallet.org, but we can't confirm that your connection is secure.
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
       
What Should I Do?
         
If you usually connect to
this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.

Quote
This is probably not the site you are looking for!
You attempted to reach instawallet.org, but instead you actually reached a server identifying itself as *.bitcoin-central.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of instawallet.org.
You cannot proceed because the website operator has requested heightened security for this domain.
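The two browser warnings quoted above come down to one check: the name on the certificate the server presented (`*.bitcoin-central.net`) does not cover the hostname the user typed (`www.instawallet.org`). The following is an added example, not code from Instawallet or Bitcoin-Central, that reproduces that decision offline. The certificate names are constructed from the error text on this page; the matching rules are the RFC 6125 ones (case-insensitive, a wildcard only as the whole left-most label, one label per wildcard, no wildcard for names like `*.net`).

```python
"""Hostname-vs-certificate name matching (added example, not the site's code).
Reproduces the browser decision quoted above: a certificate presenting
*.bitcoin-central.net does not cover www.instawallet.org."""
from typing import Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a DNS name from the certificate (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans labels, so *.example.net covers neither
    # example.net nor a.b.example.net: label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Only a bare '*' as the entire left-most label, with at least two more
        # labels after it ('*.net' is rejected); partial wildcards like 'w*w' too.
        if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
            return False
    for p, h in zip(p_labels, h_labels):
        if p == "*":
            if not h:          # '*' must match one non-empty label
                return False
        elif p != h:
            return False
    return True


def check_certificate(hostname: str, san_dns_names, subject_cn: Optional[str] = None) -> dict:
    """Decide whether the presented names cover hostname, the way a browser does.

    subjectAltName dNSName entries are authoritative; the subject CN is only
    consulted when the certificate carries no SAN entries at all.
    """
    presented = list(san_dns_names)
    if not presented and subject_cn:
        presented = [subject_cn]
    matched = [name for name in presented if name_matches(name, hostname)]
    return {"hostname": hostname, "presented": presented, "matched": matched, "ok": bool(matched)}


if __name__ == "__main__":
    # Constructed to mirror the page's error: the wallet hostname answered with
    # the exchange's wildcard certificate, so no presented name matches.
    print(check_certificate("www.instawallet.org",
                            ["*.bitcoin-central.net", "bitcoin-central.net"]))
```

In a real check the SAN list would come from the parsed certificate (for example via `ssl.get_server_certificate` plus an X.509 parser); the point of the function is that a wildcard covers exactly one label under its own domain, so a `*.bitcoin-central.net` certificate on an `instawallet.org` hostname is a hard failure, and HSTS ("heightened security for this domain") is what removed the click-through option in Chrome.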
dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1330



View Profile
April 04, 2013, 08:55:41 AM
 #282

Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed [...]

Am I wrong ?

I think so.  It is conceivable that the URLs are stored encrypted using the dev's public key.  He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database.
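The exchange above is really about what a copy of the wallet table is worth to whoever takes it. As an added example (not Instawallet's code; the URL prefix and balances are constructed placeholders), here are the two designs side by side: a row that stores the wallet URL itself, and a row that stores only SHA-256 of the URL secret, so the secret is presented at access time and never written down. A plain hash without a slow KDF is adequate here only because the secret is 32 random bytes, not a user-chosen password.

```python
"""Plaintext versus hashed storage of a wallet-URL secret (added example,
not Instawallet's code).  URL_PREFIX is a constructed placeholder."""
import hashlib
import secrets

URL_PREFIX = "https://wallet.example.invalid/w/"  # constructed, not the real site layout


def new_wallet_secret() -> str:
    # 256 bits of randomness: infeasible to enumerate, so hashing cannot be undone by guessing
    return secrets.token_urlsafe(32)


def secret_from_url(url: str) -> str:
    return url.rsplit("/", 1)[-1]


def lookup_key(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class PlaintextWalletDB:
    """Row holds the URL itself; whoever copies the table can spend every wallet."""

    def __init__(self):
        self.rows = []

    def create(self, balance: float = 0.0) -> str:
        url = URL_PREFIX + new_wallet_secret()
        self.rows.append({"url": url, "balance": balance})
        return url

    def find(self, url: str):
        return next((r for r in self.rows if r["url"] == url), None)

    def dump(self):
        return [dict(r) for r in self.rows]


class HashedWalletDB:
    """Row holds only SHA-256(secret); the URL is never stored."""

    def __init__(self):
        self.rows = {}

    def create(self, balance: float = 0.0) -> str:
        secret = new_wallet_secret()
        self.rows[lookup_key(secret)] = {"balance": balance}
        return URL_PREFIX + secret

    def find(self, url: str):
        return self.rows.get(lookup_key(secret_from_url(url)))

    def dump(self):
        return [{"key": k, **v} for k, v in self.rows.items()]


def urls_recoverable_from_dump(rows) -> list:
    """What someone holding a copy of the table can use directly."""
    return [r["url"] for r in rows if "url" in r]


if __name__ == "__main__":
    leaky, safe = PlaintextWalletDB(), HashedWalletDB()
    leaky.create(1.5)
    safe.create(1.5)
    print("plaintext dump exposes:", urls_recoverable_from_dump(leaky.dump()))
    print("hashed dump exposes:   ", urls_recoverable_from_dump(safe.dump()))
```

The trade-off dooglus raises is real: the hashed design also prevents the operator from ever telling a user their URL again. The encrypt-to-an-offline-operator-key variant he describes keeps that recovery path while still leaving nothing decryptable on the database host; it is not shown here because it needs a public-key library outside the standard library.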

dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1330



View Profile
April 04, 2013, 09:05:13 AM
Last edit: April 04, 2013, 11:06:01 AM by dooglus
 #283

  • All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away

It's probable that instawallet's 'hot wallet' wasn't large enough to empty all the big ones.  Perhaps the hot wallet was drained and that's what tipped them off that there was a problem.  Perhaps they refilled it a few times before noticing what was going on.  We do know they had a 'cold wallet' which presumably held the majority of the coins.

  • All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one.
I'm pretty sure that instawallet was a shared wallet, so blockchain analysis doesn't tell you the balance of any of its accounts.  You can find all the deposits to a given address, but can't tell anything about the withdrawals from it.

Joost
Member
**
Offline Offline

Activity: 68
Merit: 10



View Profile
April 04, 2013, 09:29:11 AM
 #284

14,000 total coins were stored in instawallet? Lost faith in humanity once again Smiley

Given how low the threshold was to start a wallet there, this could be spread over thousands of people. Judging by Phil's posts above, though, this is hardly the case  Undecided
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
April 04, 2013, 10:27:56 AM
 #285

And learn your lesson - use blockchain.info, bitcoin-qt, electrum, whatever.
trout
Sr. Member
****
Offline Offline

Activity: 333
Merit: 251


View Profile
April 04, 2013, 11:00:54 AM
 #286

It's probable that instawallet's 'hot wallet' wasn't large enough to empty all the big ones.  Perhaps the hot wallet was drained and that's what tipped them off that there was a problem.  Perhaps they refilled it a few times before noticing what was going on.  We do know they had a 'cold wallet' which presumably held the majority of the coins.

I don't think the hot wallet was emptied.
If you look at the transaction history of their cold wallet, 1FrtkNXastDoMAaorowys27AKQERxgmZjY
you see that 6 transfers totalling 320BTC were made *to* this wallet, just prior to its subsequent
evacuation into 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy  (together with bitcoin-central funds).
You can also notice that this is a very unusual pattern for them to put money into cold storage: usually it's 1 transaction every few days; not several transactions in quick succession.

What is more, among these 6 transactions, is the address of my instawallet, to which I transferred
the funds about 6 hours before.  (I was  unlucky to try to tumble some coins through instawallet in the worst
possible moment.)


So from this it's quite clear that not all hot-wallet money was stolen. Probably the hacker accessed
the database from where it was not supposed to be accessed, and that triggered the alarm.
How many URLs he got and how many he tried to empty we don't know.
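The signal trout reads off the cold-wallet history is a cadence change: normally one transfer into cold storage every few days, then several within hours. The following is an added example (not Bitcoin-Central's monitoring, and the timestamps are constructed, not the real chain data for the addresses quoted) of how an operator would watch for that pattern: take the median gap between deposits as the baseline, and alert when a run of deposits spans a small fraction of it.

```python
"""Burst detection on transfers into a cold-storage address (added example;
constructed timestamps, not the real history of the addresses quoted above)."""
from datetime import datetime, timedelta
from statistics import median

# Constructed: eight deposits spaced two or three days apart ...
_BASE = datetime(2013, 3, 20, 12, 0)
NORMAL_DEPOSITS = [_BASE + timedelta(days=d) for d in (0, 3, 5, 8, 11, 13, 16, 19)]
# ... followed by six deposits inside three hours, the pattern trout describes.
BURST_START = _BASE + timedelta(days=22)
BURST_DEPOSITS = [BURST_START + timedelta(minutes=m) for m in (0, 25, 50, 80, 120, 170)]
COLD_STORAGE_DEPOSITS = NORMAL_DEPOSITS + BURST_DEPOSITS


def detect_bursts(times, min_count: int = 3, ratio: float = 0.1):
    """Return (start, end, count) for every run of >= min_count deposits whose
    total span is below ratio * (median gap between deposits).

    The median is used as the baseline so that the burst itself, being a
    minority of the gaps, cannot drag the baseline down and hide itself.
    """
    ts = sorted(times)
    if len(ts) < min_count + 1:
        return []                      # not enough history for a baseline
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    threshold = median(gaps) * ratio   # timedelta * float
    alerts = []
    i = 0
    while i + min_count - 1 < len(ts):
        j = i
        # extend the run while it still fits inside the threshold window
        while j + 1 < len(ts) and ts[j + 1] - ts[i] <= threshold:
            j += 1
        if j - i + 1 >= min_count:
            alerts.append((ts[i], ts[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for start, end, n in detect_bursts(COLD_STORAGE_DEPOSITS):
        print(f"ALERT: {n} cold-storage deposits between {start} and {end}")
```

With the constructed data the eight regular deposits produce no alert and the six rapid ones produce exactly one. A real deployment would key the same check on the operator's own sweep logic rather than on the public chain, and would page before the sweep runs, since by trout's account the unusual transfers were the last thing that happened before the funds were moved on.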


Nicolai
Newbie
*
Offline Offline

Activity: 39
Merit: 0



View Profile
April 04, 2013, 11:41:58 AM
 #287

Quote from: Vladimir
Having password in URL is a security flaw. It opens obvious attack vectors with very high probability of being exploited sooner or later. Information Security is all about risks and probabilities. Everything that increases risk is a "security flaw" to some degree.
No it is not. What you don't get, is that there is a huge difference between "not following best practice" and "having a security flaw in your website". The reason why the "password in url" was described as a "security flaw", was because 'the founder' (a user) wanted it to look worse than it was (so Instawallet would look worse for not paying him, even though it was public knowledge that this was possible loooong before 'the founder' even "found" this).

Instawallet had a security flaw that got them hacked (this incident, we don't know how, but we do know that it had NOTHING to do with "password in url"), however the "password in url" was just a case of "not following best practice" (NOT a security flaw). It is just like when a website uses a simple username+password combination to authenticate users, instead of a "zero-knowledge password proof"-protocol. Most websites use the less secure username+password, but this doesn't mean you should create a forum post for each website, whining that you told all the websites on the internet that ZKPP is better and now you want a cookie + pay check ( <-- this was what 'the founder' did).

So to sum up, it is not a security flaw/exploit, if you can't exploit/get access to *anything*, without requiring the users to tell you their passwords (<-- this is ofc just very simplified, but the point is that if your exploit is "give me your shared secret, and I can authenticate as you" then it isn't an exploit, it is intended behaviour. You could argue "why use a shared secret, why not something else and more secure?" but it still wouldn't be a security flaw. Not now, not ever).

[...]

3. The hacker has some info

This is as far as I could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilities from worst case scenario to best.

  • 1) All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away
  • 2) All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one. Quite time consuming. 2 people doing that for 90 days, 14 hours a day, looking up 1 every ten seconds would be 907,200
  • 3) A portion of the URLS and public addresses, maybe gained from Google or Chrome as mentioned earlier in the thread - same as above but obviously some of us will not be affected
  • 4) All 3.5 million URLS but not the public address - this would mean that as soon as the website was closed they no longer had access to the site to search for bitcoins in the URLS they were holding
  • 5) A portion of the URLS but no public address - the same as above but again doesn't affect everyone

There may be more but that's all I could think of for now.

[...]

What do you guys think?

I agree on most parts, but:

2) Actually "2" would be almost like "1". It wouldn't be time consuming at all, because you can just write a parser to parse the blockchain and sort by amount (change a bit here and there, and this source code + the blockchain, is all you need).

3) As I wrote earlier, then this is 100% without any doubt NOT the case.
DavinciJ15
Hero Member
*****
Offline Offline

Activity: 780
Merit: 510


Bitcoin - helping to end bankster enslavement.


View Profile WWW
April 04, 2013, 12:29:39 PM
 #288

HOW DO YOU FILE A CLAIM!

I hate that the site says file a claim but provides no way to do so.

It's not like I lost a lot, just under 2BTC, but at today's price that's a nice dinner for 2 and I want it back!

Joost
Member
**
Offline Offline

Activity: 68
Merit: 10



View Profile
April 04, 2013, 12:43:24 PM
 #289

HOW DO YOU FILE A CLAIM!

I hate that the site says file a claim but provides no way to do so.

It's not like I lost a lot, just under 2BTC, but at today's price that's a nice dinner for 2 and I want it back!



Keep your calm and learn to read.

Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.
hous
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
April 04, 2013, 01:57:59 PM
 #290

Hi please fill in this claim form if you lost instawallet funds here.......



YOUR URL password .....


your bitcoin address....



YOUR BALANCE:   


Your Email address that you made your first complaint with......

cho
Full Member
***
Offline Offline

Activity: 155
Merit: 100


Boar with me


View Profile
April 04, 2013, 02:10:24 PM
 #291

Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed [...]

Am I wrong ?

I think so.  It is conceivable that the URLs are stored encrypted using the dev's public key.  He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database.

Good point.
Little hints like that FAQ entry, the lack of a proper robots.txt, are instilling in my mind little particles of doubt about the technical abilities of our bitcoin-central friends.

1KEWxTkXPgfB9MdHJcfyoVnfHRnYEHQJPw
DavinciJ15
Hero Member
*****
Offline Offline

Activity: 780
Merit: 510


Bitcoin - helping to end bankster enslavement.


View Profile WWW
April 04, 2013, 02:11:06 PM
 #292



Keep your calm and learn to read.

Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Thanks but you know how it is when you're upset: you read it but your brain did not register it.
DobZombie
Hero Member
*****
Offline Offline

Activity: 896
Merit: 532


Former curator of The Bitcoin Museum


View Profile
April 04, 2013, 02:14:27 PM
 #293

I understand that instawallet was a piece of shit and needed to close but...

What the fork has that got to do with bitcoin-central?!?

I just put some BTCBTCBTC in there.

I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.

This stinks of bullshit

Tip Me if believe BTC1 will hit $1 Million by 2030
1DobZomBiE2gngvy6zDFKY5b76yvDbqRra
psilos
Newbie
*
Offline Offline

Activity: 52
Merit: 0


View Profile
April 04, 2013, 02:21:58 PM
 #294

I understand that instawallet was a piece of shit and needed to close but...

What the fork has that got to do with bitcoin-central?!?

I just put some BTCBTCBTC in there.

I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.

This stinks of bullshit

Guys, just try to stay calm and read the whole thread before posting and blaming.

The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from a hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their system in a few hours. So be patient.

tvbcof
Legendary
*
Online Online

Activity: 4592
Merit: 1276


View Profile
April 04, 2013, 02:41:36 PM
 #295



Keep your calm and learn to read.

Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Thanks but you know how it is when you're upset: you read it but your brain did not register it.

I've deliberately not used my instawallet URL until some word that the claims process is in place.  I want to know what info is going to be required, then 'log on' one time and get it done with.

What is annoying is that ~davout mentions that the first claimant will be given preference, but does not say when things will be ready.

One thing that these guys might think about doing would be to allow users to PM or e-mail them with a heads-up that they are going to be filing a claim for XYZ wallet.  For us users who had one wallet that should reduce fraud quite a bit (under a situation where an attacker managed to get a hold of a large collection of URLs somehow.)


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
steelboy
Hero Member
*****
Offline Offline

Activity: 756
Merit: 1000



View Profile
April 04, 2013, 02:49:24 PM
 #296

I wonder if going to Paris and trying to visit their office would be any use.

I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out.

Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full Smiley

I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. Smiley

Seriously though, I think for the cost involved it can only be a good idea to get a bit of info.

DobZombie
Hero Member
*****
Offline Offline

Activity: 896
Merit: 532


Former curator of The Bitcoin Museum


View Profile
April 04, 2013, 02:51:56 PM
 #297

I understand that instawallet was a piece of shit and needed to close but...

What the fork has that got to do with bitcoin-central?!?

I just put some BTCBTCBTC in there.

I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.

This stinks of bullshit

Guys, just try to stay calm and read the whole thread before posting and blaming.

The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from a hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their system in a few hours. So be patient.



I did read the whole thread.  I've been following it post by post for the last few days.

I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owner's other business was badly designed.

see my issue now?

Tip Me if believe BTC1 will hit $1 Million by 2030
1DobZomBiE2gngvy6zDFKY5b76yvDbqRra
psilos
Newbie
*
Offline Offline

Activity: 52
Merit: 0


View Profile
April 04, 2013, 02:59:30 PM
 #298

I understand that instawallet was a piece of shit and needed to close but...

What the fork has that got to do with bitcoin-central?!?

I just put some BTCBTCBTC in there.

I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.

This stinks of bullshit

Guys, just try to stay calm and read the whole thread before posting and blaming.

The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from a hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their system in a few hours. So be patient.



I did read the whole thread.  I've been following it post by post for the last few days.

I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owner's other business was badly designed.

see my issue now?

What makes you say that "I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owner's other business was badly designed."?

Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption.

This is the latest update in bitcoin-central
psilos
Newbie
*
Offline Offline

Activity: 52
Merit: 0


View Profile
April 04, 2013, 03:00:25 PM
 #299

I wonder if going to Paris and trying to visit their office would be any use.

I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out.

Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full Smiley

I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. Smiley

Seriously though, I think for the cost involved it can only be a good idea to get a bit of info.



Are you sure you know where their offices are?
steelboy
Hero Member
*****
Offline Offline

Activity: 756
Merit: 1000



View Profile
April 04, 2013, 03:05:23 PM
 #300

I wonder if going to Paris and trying to visit their office would be any use.

I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out.

Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full Smiley

I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. Smiley

Seriously though, I think for the cost involved it can only be a good idea to get a bit of info.



Are you sure you know where their offices are?

No. But the phone number above got through to Davout and as mentioned before the board members seem credible. Got to be worth a few hundred quid to find out.