Bitcoin Forum
December 14, 2024, 08:20:36 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: « 1 2 [3] 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 ... 62 »
  Print  
Author Topic: Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred  (Read 158156 times)
Inputs.io
Newbie
*
Offline Offline

Activity: 5
Merit: 0



View Profile
July 05, 2013, 12:38:52 AM
 #41

Any chance of a stats page? I'm most interested in watching off the chain transactions and shared wallet size!
Yes, but that's quite low on the priority list.

🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 05, 2013, 06:32:49 AM
 #42

Back up Smiley
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 05, 2013, 12:44:21 PM
 #43

Account security upgrade process

We're upgrading the security of Inputs.io to make it more resistant to attacks even if our web facing server was compromised. Inputs.io is not compromised at all, this is to make Inputs even more secure. Smiley

Login (if you are already signed in, log out and relogin) to complete the account upgrade process.

Thanks!
BigBitz
Hero Member
*****
Offline Offline

Activity: 672
Merit: 501



View Profile
July 05, 2013, 04:54:15 PM
 #44

It appears to be "broken" I can login, finally, it's very very slow and now my wallet is stuck in "NaN BTC" mode ie; nil.

Tips BTC --> 1BS2sYvy3T1cpNhie6CVFMcUrHa84a8mPa <-- Thanks! || Tips [LTC] --> LaytYJNCha7z7zcws5a2o2GWWjvWfDCGkr <--
BigBitz
Hero Member
*****
Offline Offline

Activity: 672
Merit: 501



View Profile
July 05, 2013, 08:19:01 PM
 #45

TF......

I would like to gain access to my coins please......... Smiley

Tips BTC --> 1BS2sYvy3T1cpNhie6CVFMcUrHa84a8mPa <-- Thanks! || Tips [LTC] --> LaytYJNCha7z7zcws5a2o2GWWjvWfDCGkr <--
macros
Newbie
*
Offline Offline

Activity: 33
Merit: 0


View Profile
July 05, 2013, 09:19:10 PM
 #46

"instant"

Would be happy too, to get access
BigBitz
Hero Member
*****
Offline Offline

Activity: 672
Merit: 501



View Profile
July 05, 2013, 09:19:31 PM
 #47

I don't mean to complain but man. This is VERY annoying.

Tips BTC --> 1BS2sYvy3T1cpNhie6CVFMcUrHa84a8mPa <-- Thanks! || Tips [LTC] --> LaytYJNCha7z7zcws5a2o2GWWjvWfDCGkr <--
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 05, 2013, 11:29:52 PM
 #48

Site is back.

Will post a full update soon and what we're doing to prevent this from happening again.
Injust
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000



View Profile
July 05, 2013, 11:39:54 PM
 #49

Site is back.

Will post a full update soon and what we're doing to prevent this from happening again.

What exactly did happen?
BigBitz
Hero Member
*****
Offline Offline

Activity: 672
Merit: 501



View Profile
July 05, 2013, 11:48:26 PM
 #50

I got a transfer with 55confirms still unconfirmed lol Smiley

Tips BTC --> 1BS2sYvy3T1cpNhie6CVFMcUrHa84a8mPa <-- Thanks! || Tips [LTC] --> LaytYJNCha7z7zcws5a2o2GWWjvWfDCGkr <--
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 05, 2013, 11:53:29 PM
 #51

Site is back.

Will post a full update soon and what we're doing to prevent this from happening again.

What exactly did happen?

We've encountered a deadlock bug with bitcoind. We're working with the bitcoin developers in tracking it down and getting it fixed.
macros
Newbie
*
Offline Offline

Activity: 33
Merit: 0


View Profile
July 05, 2013, 11:57:21 PM
 #52

I withdrawed 1.4325556 BTC from coinlenders during the downtime. They haven't arrived at my inputs.io account yet.
My nickname is the same on both sites and Bitcointalk. The withdraw is listed on coinlenders in my account.

Can you take a look at that please?
BigBitz
Hero Member
*****
Offline Offline

Activity: 672
Merit: 501



View Profile
July 05, 2013, 11:58:26 PM
 #53

I withdrawed 1.4325556 BTC from coinlenders during the downtime. They haven't arrived at my inputs.io account yet.
My nickname is the same on both sites and Bitcointalk. The withdraw is listed on coinlenders in my account.

Can you take a look at that please?

I think if it's a bitcoind bug we will see some delayed transactions while they fix it and while it catches up with the blockchain.

Although CL -> Inputs should be off the chain.

Tips BTC --> 1BS2sYvy3T1cpNhie6CVFMcUrHa84a8mPa <-- Thanks! || Tips [LTC] --> LaytYJNCha7z7zcws5a2o2GWWjvWfDCGkr <--
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 06, 2013, 12:01:57 AM
 #54

I got a transfer with 55confirms still unconfirmed lol Smiley
Credited.
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 06, 2013, 07:53:20 AM
 #55

http://1v.io/gladoscc Smiley

Can your qt do that? Wink
rme
Hero Member
*****
Offline Offline

Activity: 756
Merit: 504



View Profile
July 06, 2013, 08:50:25 AM
 #56

Hi TradeFortress,
I had been a couple of days watching Inputs.io, the new design and the new password hashing.

Dealing with passwords is a very complex job, but here it goes my suggestion.

The main targets of this suggestion is that if someone can sniff the trafic (with HTTPS this is not possible) he cant see the password, the sha512 hash or the 2FA.

If the user has not enabled 2FA:
The login form:
      - Email Input (type text)
      - Password Input (type text)
      - Server Token Input (type hidden)
      - Client Token Input (type hidden)

When the user clicks Login Button:
      - Using javascript and sha512.js, the email, the password, the server token and the client token are concatenated and hashed.
      - Note: The Server token is a random string that the server provides in each petition (can be rand() or something).
      - Note: The Client token is empty and the client browser fills it with a javascript random function on form submit.

      So, your client hashes all the things (email, password, server token, client token), and sends to the server this values:
            - Hash (the sha512 generated)
            - Client Token (is generated by the browser using random function)
            - Email (needed to find the user)

Summary:
If you sniff the conecction you only get a sha512 hash (that is different every login), the email and a Client Token that is just a random number.
You would have to sniff the Server response to get the server token and also the client response to complete the hash.

How the server validates the user:

Code:
//first you need to query the mysql user row WHERE email = the email
if($_GET['hash'] == sha512($_GET['email'].$query['password'].$query['server_token'].$_GET['client_token']))


If the user has enabled 2FA:
The login form:
      - Email Input (type text)
      - Password Input (type text)
      - Server Token Input (type hidden)
      - 2FA Input (type text)

The same as above, replacing client token with 2FA code, as the 2FA code is not sended to the server (only the resulting sha512 hash) if someone sniffs the conection he would only get a random sha512 hash.

He would not get even the 2FA code.

Code:
//first you need to query the mysql user row WHERE email = the email
//Also replace $query['2FA'] with the supposed 2FA for this user at this time
if($_GET['hash'] == sha512($_GET['email'].$query['password'].$query['server_token'].$query['2FA']))




Note: You can first hash the password and then concatenate to the other inputs and then hash again, this way the password goes also hashed.
Also you can also hash the email (in the database the email had to be in plain, but the user can send the email also hashed)
rme
Hero Member
*****
Offline Offline

Activity: 756
Merit: 504



View Profile
July 06, 2013, 08:56:08 AM
 #57

Also, there it goes a tip:
To avoid phising you could register this domains,

lnputs.io           (L replacing I)
lnput.io            (L replacing I and without final S)
input.io             (Without final S)
1nputs.io           (1 replacing I)
1nput.io             (1 replacing I and without final S)
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 06, 2013, 10:34:21 AM
 #58

Also, there it goes a tip:
To avoid phising you could register this domains,

lnputs.io           (L replacing I)
lnput.io            (L replacing I and without final S)
input.io             (Without final S)
1nputs.io           (1 replacing I)
1nput.io             (1 replacing I and without final S)
I could, but all modern browsers use a font that distinct 1 from i, lowercase all URLs, and we already have the anti phishing bar Smiley

Thanks for the feedback!

What we're about to do (after all sessions have expired and people would have upgraded their account security) is to make it so that an attacker cannot steal funds even if the web server was compromised. This is pretty much what you described, except for making transactions instead of just logging in.

Focusing on preventing transactions is more important than logins.
HeroC
Legendary
*
Offline Offline

Activity: 858
Merit: 1000



View Profile
July 06, 2013, 01:21:07 PM
 #59



This pushed me just enough to join.  Smiley Good trick...
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
July 06, 2013, 05:16:52 PM
 #60

On site it deducted 0.0005 as fees but it paid 0.0001 fees.

http://blockchain.info/tx/a9dff0de8efa8cc1dadf33d1861159c0174bdd4e471d91fa68686f399b4ef7e1
Pages: « 1 2 [3] 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 ... 62 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!