Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred

[Inputs.io]

Any chance of a stats page? I'm most interested in watching off the chain transactions and shared wallet size!

Yes, but that's quite low on the priority list.

[1714105000]

1714105000

[1714105000]

1714105000

[🏰 TradeFortress 🏰]

Back up

[🏰 TradeFortress 🏰]

Account security upgrade process

We're upgrading the security of Inputs.io to make it more resistant to attacks even if our web facing server was compromised. Inputs.io is not compromised at all, this is to make Inputs even more secure.

Login (if you are already signed in, log out and relogin) to complete the account upgrade process.

Thanks!

[BigBitz]

It appears to be "broken" I can login, finally, it's very very slow and now my wallet is stuck in "NaN BTC" mode ie; nil.

[BigBitz]

TF......

I would like to gain access to my coins please.........

[macros]

"instant"

Would be happy too, to get access

[BigBitz]

I don't mean to complain but man. This is VERY annoying.

[🏰 TradeFortress 🏰]

Site is back.

Will post a full update soon and what we're doing to prevent this from happening again.

[Injust]

Site is back.

Will post a full update soon and what we're doing to prevent this from happening again.

What exactly did happen?

[BigBitz]

I got a transfer with 55confirms still unconfirmed lol

[🏰 TradeFortress 🏰]

Site is back.

Will post a full update soon and what we're doing to prevent this from happening again.

What exactly did happen?

We've encountered a deadlock bug with bitcoind. We're working with the bitcoin developers in tracking it down and getting it fixed.

[macros]

I withdrawed 1.4325556 BTC from coinlenders during the downtime. They haven't arrived at my inputs.io account yet.
My nickname is the same on both sites and Bitcointalk. The withdraw is listed on coinlenders in my account.

Can you take a look at that please?

[BigBitz]

I withdrawed 1.4325556 BTC from coinlenders during the downtime. They haven't arrived at my inputs.io account yet.
My nickname is the same on both sites and Bitcointalk. The withdraw is listed on coinlenders in my account.

Can you take a look at that please?

I think if it's a bitcoind bug we will see some delayed transactions while they fix it and while it catches up with the blockchain.

Although CL -> Inputs should be off the chain.

[🏰 TradeFortress 🏰]

I got a transfer with 55confirms still unconfirmed lol

Credited.

[🏰 TradeFortress 🏰]

http://1v.io/gladoscc

Can your qt do that?

[rme]

Hi TradeFortress,
I had been a couple of days watching Inputs.io, the new design and the new password hashing.

Dealing with passwords is a very complex job, but here it goes my suggestion.

The main targets of this suggestion is that if someone can sniff the trafic (with HTTPS this is not possible) he cant see the password, the sha512 hash or the 2FA.

If the user has not enabled 2FA:
The login form:
      - Email Input (type text)
      - Password Input (type text)
      - Server Token Input (type hidden)
      - Client Token Input (type hidden)

When the user clicks Login Button:
      - Using javascript and sha512.js, the email, the password, the server token and the client token are concatenated and hashed.
      - Note: The Server token is a random string that the server provides in each petition (can be rand() or something).
      - Note: The Client token is empty and the client browser fills it with a javascript random function on form submit.

      So, your client hashes all the things (email, password, server token, client token), and sends to the server this values:
            - Hash (the sha512 generated)
            - Client Token (is generated by the browser using random function)
            - Email (needed to find the user)

Summary:
If you sniff the conecction you only get a sha512 hash (that is different every login), the email and a Client Token that is just a random number.
You would have to sniff the Server response to get the server token and also the client response to complete the hash.

How the server validates the user:

Code:

//first you need to query the mysql user row WHERE email = the email
if($_GET['hash'] == sha512($_GET['email'].$query['password'].$query['server_token'].$_GET['client_token']))

If the user has enabled 2FA:
The login form:
      - Email Input (type text)
      - Password Input (type text)
      - Server Token Input (type hidden)
      - 2FA Input (type text)

The same as above, replacing client token with 2FA code, as the 2FA code is not sended to the server (only the resulting sha512 hash) if someone sniffs the conection he would only get a random sha512 hash.

He would not get even the 2FA code.

Code:

//first you need to query the mysql user row WHERE email = the email
//Also replace $query['2FA'] with the supposed 2FA for this user at this time
if($_GET['hash'] == sha512($_GET['email'].$query['password'].$query['server_token'].$query['2FA']))

Note: You can first hash the password and then concatenate to the other inputs and then hash again, this way the password goes also hashed.
Also you can also hash the email (in the database the email had to be in plain, but the user can send the email also hashed)

[rme]

Also, there it goes a tip:
To avoid phising you could register this domains,

lnputs.io           (L replacing I)
lnput.io            (L replacing I and without final S)
input.io             (Without final S)
1nputs.io           (1 replacing I)
1nput.io             (1 replacing I and without final S)

[🏰 TradeFortress 🏰]

Also, there it goes a tip:
To avoid phising you could register this domains,

lnputs.io           (L replacing I)
lnput.io            (L replacing I and without final S)
input.io             (Without final S)
1nputs.io           (1 replacing I)
1nput.io             (1 replacing I and without final S)

I could, but all modern browsers use a font that distinct 1 from i, lowercase all URLs, and we already have the anti phishing bar

Thanks for the feedback!

What we're about to do (after all sessions have expired and people would have upgraded their account security) is to make it so that an attacker cannot steal funds even if the web server was compromised. This is pretty much what you described, except for making transactions instead of just logging in.

Focusing on preventing transactions is more important than logins.

[HeroC]

This pushed me just enough to join.  Good trick...

[escrow.ms]

On site it deducted 0.0005 as fees but it paid 0.0001 fees.

http://blockchain.info/tx/a9dff0de8efa8cc1dadf33d1861159c0174bdd4e471d91fa68686f399b4ef7e1