Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred  (Read 158156 times)
ninjaboon
November 04, 2013, 11:40:58 PM
 #581

Where are you getting all these addresses from?
Maybe you are getting them from here, either way this is a MAJOR issue:

http://www.reddit.com/r/Bitcoin/comments/1pw46j/someone_just_transferred_0095_from_my_inputsio/

TradeFortress any comments??

That's correct. He is sleeping apparently. Although coinchat seems to be down. EDIT: I guess coinchat has been down for a few days.

I think he's on Sydney timezone

ninjaboon
November 04, 2013, 11:46:56 PM
 #582

The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.

Everyone who has lost money will be fully reimbursed.

pretty scary. luckily my coins are intact. I have never enabled the API keys.

ninjaboon
November 04, 2013, 11:47:32 PM
 #583

0.12843117 BTC gone from my account "dailybitcoins" to the 15Ctwosw7VCNHp5Rp1ZoviLaV41nZ59spx. Please make a refund.

you had API key enabled?

🏰 TradeFortress 🏰 (OP)
November 05, 2013, 12:22:08 AM
 #584

A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
btcplayer
November 05, 2013, 12:59:18 AM
 #585

A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

good update, looking for more.
HotSwap
November 05, 2013, 01:03:42 AM
 #586

thanks TF.

High Volume, Secure Bitcoin Mixer: https://CoinMixer.net
giantdragon
November 05, 2013, 01:13:13 AM
 #587

you had API key enabled?
Yes.
ninjaboon
November 05, 2013, 01:39:48 AM
 #588

A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

keep us posted and I'm unsure what 'side channel' attack means.

gotpetum
November 05, 2013, 01:59:48 AM
 #589

Hi TF,
I just withdrew about 43 BTC from coinlenders to inputs, and it didn't show up in my inputs account.

Could you please check on that? I'll send you an email with my account details.

Thanks!

"The direct use of force is such a poor solution to any problem, it is generally employed only by small children and large nations." ― David M. Friedman
DareC
November 05, 2013, 02:03:11 AM
Last edit: November 05, 2013, 02:52:52 AM by DareC
 #590

Unable to send BTC from my inputs.io account. Getting error:  Sending has failed. The hot pocket may be empty. We have being notified of this.

That's kind of worrying (and also grammatically incorrect).

EDIT: working now
dree12
November 05, 2013, 03:21:10 AM
 #591

How do I revoke an API key? I accidentally generated one and can't seem to get rid of it.
ahfs6298
November 05, 2013, 04:23:53 AM
 #592

A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

by the way, just wondering, what are API keys? are they some special feature which allows access to our account, and how do I disable such a feature if it is ON
flmbg
November 05, 2013, 05:08:36 AM
 #593


I have the same problem too. Withdrew 5 BTC from coinlenders but it did not appear in my inputs account. 4 hours passed. Please help!
BitVegas
November 05, 2013, 05:53:23 AM
 #594

The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.

Everyone who has lost money will be fully reimbursed.

Great to hear!
My coins were also lost (Transaction e3da16d145fac74403c6c55bcfd0eb1529548267f30c28a5ef009b7b69243dc1)

If that could please be reimbursed when you have the problem solved. Thanks for the great service.

caffeinewriter
November 05, 2013, 07:29:52 AM
 #595

A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

by the way, just wondering, what are API keys? are they some special feature which allows access to our account, and how do I disable such a feature if it is ON

Just some quick info:

An API (Application Programming Interface) is a key that allows use of features of an application without having to provide a username/password combo, and performing a login. Typically, it's paired with some sort of JSON or XML response, for responses, and for retrieving information. Here's an example. (Disclaimer: Not real info :) I'm not sure of the structure of the Inputs.io API)

A user with an API key runs a faucet. He uses the Inputs.io API to send his payments automatically, instead of having to do it manually, or having to hack up a solution to emulate a real user. For old time's sake, let's call him Bob.

Bob's application requests the following page to send some Bitcoins.

Code:
https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=100&recipient=13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D

This would authenticate to the API with his API key, and send 100 satoshis to the address 13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D (I'm using my own for this example), or perhaps an Inputs.io user instead, where recipient could be replaced with "caffeinewriter" instead, or something similar.

Now let's say Mallory has somehow acquired Bob's API key. She now can use the Inputs.io API to manipulate Bob's account without ever logging in.

First, she could figure out his balance using the API, assuming there is a method for that.

Code:
https://inputs.io/api/v1/getBalance?apikey=ThisIsHisAPIKey&user=bitcoinbob

This could return a JSON object, for example.

Code:
{
    "user": "bitcoinbob",
    "balance": 214150000
}

Now Mallory can make another API request to withdraw Bob's entire balance of BTC2.14150000.

Code:
https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=214150000&recipient=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

API keys are dangerous ::) Be safe guys. Hope this helped illustrate how this happened at least a little bit.
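
Added example, not part of the post above and not Inputs.io code: a server-side check that bounds what a leaked key can do in the scenario described, by requiring an HMAC signature instead of a key in the URL and by enforcing a per-key scope, recipient allowlist and daily cap. `KeyPolicy`, `authorize_send`, the `bob-faucet` key id and the secret are hypothetical; the two addresses are the ones used in the post's example requests.

```python
import hashlib, hmac
from dataclasses import dataclass, field

@dataclass
class KeyPolicy:  # server-side limits for one API key (hypothetical model)
    secret: bytes                      # signs requests; never placed in a URL
    can_send: bool = False             # read-only unless explicitly enabled
    daily_cap: int = 0                 # satoshis this key may send per day
    allowed_recipients: frozenset = frozenset()
    spent_today: int = 0
    seen_nonces: set = field(default_factory=set)

def sign(secret, key_id, amount, recipient, nonce):
    msg = f"{key_id}|{amount}|{recipient}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def authorize_send(p, key_id, amount, recipient, nonce, sig):
    """Return 'ok' or the reason the send request is refused."""
    expected = sign(p.secret, key_id, amount, recipient, nonce)
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    if nonce in p.seen_nonces:
        return "replayed request"
    if not p.can_send:
        return "key is read-only"
    if recipient not in p.allowed_recipients:
        return "recipient not allowlisted"
    if amount <= 0 or p.spent_today + amount > p.daily_cap:
        return "over daily cap"
    p.seen_nonces.add(nonce)
    p.spent_today += amount
    return "ok"

PAYOUT = "13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D"   # recipient in the post's first request
OTHER = "1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX"    # recipient in the post's last request

def demo():
    secret = b"constructed-secret"               # constructed sample values throughout
    pol = KeyPolicy(secret, True, 100_000, frozenset({PAYOUT}))  # faucet key: one payee
    def req(amount, rcpt, nonce, key=secret):
        sig = sign(key, "bob-faucet", amount, rcpt, nonce)
        return authorize_send(pol, "bob-faucet", amount, rcpt, nonce, sig)
    return [
        req(100, PAYOUT, "n1"),                 # normal faucet payout
        req(100, PAYOUT, "n1"),                 # same signed request replayed
        req(214_150_000, OTHER, "n2"),          # stolen secret, new destination
        req(214_150_000, PAYOUT, "n3"),         # stolen secret, whole balance
        req(100, PAYOUT, "n4", key=b"guess"),   # key id known, secret not
    ]
```

Only the first request in `demo()` is accepted; each of the others is refused for the reason noted in its comment.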

HotSwap
November 05, 2013, 08:46:51 AM
 #596

but you still need the pin to use the api.

caffeinewriter
November 05, 2013, 10:59:03 AM
 #597

but you still need the pin to use the api.

That was just an example. Apparently this hacker found a way to exploit API keys and pins.

bits4books
November 05, 2013, 11:42:54 AM
 #598

Why is my "hotpocket empty"?
Boelens
November 05, 2013, 01:05:02 PM
 #599

A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

Glad to hear you're resolving it so quickly. Can you check if anything was lost from my faucet account (admin@domesticpineapple.com)? I think it might, but I get so many cashouts it's a pain to go through.
faiza1990
November 05, 2013, 02:27:08 PM
 #600

Just want to ask: will all be reimbursed, or what is the policy about this? I lost 0.127 BTC and it's been in my account for the last 1 month.
