Bitcoin Forum
Topic: How I shut down instawallet (Read 1044 times)
the founder (OP)
Sr. Member
May 20, 2013, 03:52:22 PM
#1

In late March of 2013, I published an open letter to Instawallet and the whole team at Paymium.

The problem that was exposed was the fact that Google was listing all their private URLs. A few weeks later Instawallet was shut down.

What I discovered was actually only the tip of the iceberg.

http://www.adaptiveglass.com/?p=762

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
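The flaw the OP describes is a capability URL leaking into a search index: the unguessable path in the link is the only credential, so anyone who can read the index can spend the wallet. The audit below is an added example, not code from the original post or from Instawallet/Paymium; the host wallet.example, the /w/<secret> path, the response headers and the robots.txt contents are all constructed. It checks the controls a practitioner would look for on such a URL (a noindex directive, a strict Referrer-Policy, no caching) and flags the common mistake of pairing a robots.txt Disallow with noindex, since a crawler that is forbidden from fetching the page never sees the noindex it carries.

```python
"""Audit a 'capability URL' (a secret link that is itself the credential) for
the indexing and leakage channels a search engine can exploit.

Added example, not code from the original post or from Instawallet/Paymium.
All hosts, paths, headers and robots.txt contents below are constructed."""
import re
from urllib.parse import urlsplit

# Constructed responses for a hypothetical wallet at https://wallet.example/w/<secret>.
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
WEAK_BODY = "<html><head><title>Wallet</title></head><body>balance</body></html>"

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Robots-Tag": "noindex, nofollow, noarchive",  # honoured by the major crawlers
    "Referrer-Policy": "no-referrer",                 # keeps the secret out of Referer headers
    "Cache-Control": "no-store",                      # keeps it out of shared caches
}
HARDENED_BODY = (
    '<html><head><meta name="robots" content="noindex, nofollow"></head>'
    "<body>balance</body></html>"
)

# Constructed robots.txt variants.
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"
ROBOTS_DISALLOW = "User-agent: *\nDisallow: /w/\n"

_META_ROBOTS = re.compile(
    r'<meta\s+[^>]*name=["\']robots["\'][^>]*content=["\']([^"\']*)["\']', re.I
)


def _header(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def has_noindex(headers, body):
    """True if the X-Robots-Tag header or a <meta name="robots"> tag says noindex."""
    if "noindex" in _header(headers, "X-Robots-Tag").lower():
        return True
    m = _META_ROBOTS.search(body)
    return bool(m and "noindex" in m.group(1).lower())


def robots_disallows(robots_txt, path):
    """Minimal robots.txt parser: does the 'User-agent: *' group disallow a prefix of path?"""
    in_star = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_star = value == "*"
        elif field == "disallow" and in_star and value and path.startswith(value):
            return True
    return False


def audit_capability_url(url, headers, body, robots_txt):
    """Return a list of findings; empty means no indexing/leakage gap was detected."""
    path = urlsplit(url).path
    findings = []
    noindex = has_noindex(headers, body)
    blocked = robots_disallows(robots_txt, path)
    if blocked and noindex:
        findings.append("robots.txt blocks crawling, so crawlers never fetch the page "
                        "and never see the noindex; the URL can still be listed")
    elif blocked:
        findings.append("robots.txt Disallow only stops crawling; URLs learned from links "
                        "or referers can still be indexed as bare entries")
    elif not noindex:
        findings.append("no noindex directive: any crawler that reaches the URL may list it")
    if "no-referrer" not in _header(headers, "Referrer-Policy").lower():
        findings.append("missing Referrer-Policy: no-referrer; clicking an outbound link "
                        "sends the secret URL to the destination site")
    if "no-store" not in _header(headers, "Cache-Control").lower():
        findings.append("missing Cache-Control: no-store; proxies and shared caches may retain the page")
    return findings


if __name__ == "__main__":
    url = "https://wallet.example/w/8f1c0d2e9a7b4c6d"  # constructed secret path
    for label, hdrs, body, robots in (
        ("weak", WEAK_HEADERS, WEAK_BODY, ROBOTS_OPEN),
        ("hardened", HARDENED_HEADERS, HARDENED_BODY, ROBOTS_OPEN),
        ("hardened + Disallow", HARDENED_HEADERS, HARDENED_BODY, ROBOTS_DISALLOW),
    ):
        print(f"{label}: {audit_capability_url(url, hdrs, body, robots) or 'no findings'}")
```

None of these headers turns a secret URL into a safe credential; they only narrow the channels through which it leaks. The durable fix is to stop treating the URL as the sole credential and require a second factor (a password or session) before the wallet is shown.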
coastermonger
Sr. Member
May 20, 2013, 04:07:27 PM
#2

This is one of those issues that would have been discovered sooner or later, but we should be especially glad that you discovered it before someone with more malicious intent did.  It's a hard lesson for any online wallet service.

Bitrated user: Rees.
Este Nuno
Legendary
May 20, 2013, 04:29:46 PM
#3

I remember your first post about it.

The way they just brushed you off...now look what happened.
Este Nuno
Legendary
May 20, 2013, 04:32:13 PM
#4

Quote from: coastermonger
This is one of those issues that would have been discovered sooner or later, but we should be especially glad that you discovered it before someone with more malicious intent did. It's a hard lesson for any online wallet service.

They didn't stop it. He published the post and Instawallet shut down a little while after. I would bet a lot of people raided wallets while they could.
Phinnaeus Gage
Legendary
May 20, 2013, 06:19:46 PM
#5

Quote from: the founder
In late March of 2013, I published an open letter to Instawallet and the whole team at Paymium.

The problem that was exposed was the fact that Google was listing all their private URLs. A few weeks later Instawallet was shut down.

What I discovered was actually only the tip of the iceberg.

http://www.adaptiveglass.com/?p=762


I was all ears and eyeballs when the URL concern was at its peak, of which you were kind enough to point out the exploits.

Quote
My initial estimates were WAY off. Google only showed about 100 or so bitcoins in the index. Whereas when reading forums and reddit, I found that Bing, Yahoo and others had thousands of URLs containing tens of thousands of bitcoins.

I asked tough questions, so I thought, but my concerns were laid to rest, opting to not pursue it further due to the respect I had for the principals.

I quoted the above to state that I did find many funded addresses via Bing and Yahoo, unaware that such were being discussed on other forums, reddit, etc. The idea just came naturally to me. Upon seeing for myself that it was true (not touching a single coin belonging to others) is when I started expressing my concern.

I had way too many bitcoins on InstaWallet, even though I was well aware of consequences, but I trusted the crew who manned it, just like I would trust theymos, Roger, or Rassah, to have control of my bitcoins if they happened to be running some similar site.

With my concerns alleviated, I didn't think much more about IW until 2-3 days after the dam broke, and then only because greyhawk brought it to my attention via some other thread.

My questions and concerns were then not addressed by Boussac, with davout nowhere to be found during that timeframe. I then went into vile mode, which probably didn't help matters. Now, I'm in wait-and-see mode, hoping for the best.

At one time, I had over a quarter of a million dollars worth of bitcoins on IW in three wallets: 1000 BTC; 123.xxx or 132.xxx BTC (honestly don't remember, but submitted the 123.xxx BTC amount to be fair, not knowing what the xxx...'s are); and .84 BTC.

I honestly don't know if losing such a large sum justified my rant, for I've never been in a similar situation before and thus didn't know how to properly act. I finally settled down, realizing that that would probably be the best course of action, coupled with the fact that I wouldn't be out that much, if any, real money if the worst-case scenario comes to pass. But if it does, I will be screaming at the top of my lungs as if I did lose a fortune.
Este Nuno
Legendary
May 20, 2013, 06:47:08 PM
#6

Quote from: Phinnaeus Gage
At one time, I had over a quarter of a million dollars worth of bitcoins on IW in three wallets: 1000 BTC; 123.xxx or 132.xxx BTC (honestly don't remember, but submitted the 123.xxx BTC amount to be fair, not knowing what the xxx...'s are); and .84 BTC.


Wow, I remember you mentioning you had a nice "nest egg" on there...jeez.

Hope it all works out for you.
tvbcof
Legendary
May 20, 2013, 08:16:37 PM
#7

The initial report seemed a non-issue to me personally, but it had the effect of reminding me to move some value out of Instawallet.  Due to BTC valuation rise, my 'spending money' value had gone from $100-ish range to multiple thousands and I had not gotten around to re-distributing it.

So, I can thank the original reporter for halving my losses (in the event that they turn out to be total losses come July or whatever.)

I do suspect that I was not alone in removing funds from Instawallet.org. The attacker (be it an insider or external party) may well have been in possession of the database and the URLs for some time and was waiting for an opportune time to capitalize. It would make sense for the attacker to sit on his hands while money was flowing in the inward direction.

It also would make sense to choose an attack time when the hot wallet(s) backing the solution were well funded. If the operators got tired of transferring cold storage to hot wallets (which, one would hope, would be a tedious task) they may have picked a fairly high value in light of the outflows of which I was a part.

One way or another Paymium was in the best case negligent not only in operating a system which was exploitable (and I understand that very skilled attackers were probably working on it) but separately in that they put enough funds at risk to call into question their solvency.  The latter was a novice mistake in my opinion.

I had a pleasant chat with Boussac at the conference which I will outline later on a more appropriate thread when I feel like it.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.