Bitcoin Forum
March 28, 2020, 12:14:30 PM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 [30] 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 »
  Print  
Author Topic: Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred  (Read 157694 times)
ninjaboon
Legendary
*
Offline Offline

Activity: 2058
Merit: 1000



View Profile WWW
November 04, 2013, 11:40:58 PM
 #581

Where are you getting all these addresses from?
Maybe you are getting them from here, either way this is a MAJOR issue:

http://www.reddit.com/r/Bitcoin/comments/1pw46j/someone_just_transferred_0095_from_my_inputsio/

TradeFortress any comments??

That's correct. He is sleeping apparently. Although coinchat seems to be down. EDIT: I guess coinchat has been down for a few days.

I think he's on Sydney timezone

1585397670
Hero Member
*
Offline Offline

Posts: 1585397670

View Profile Personal Message (Offline)

Ignore
1585397670
Reply with quote  #2

1585397670
Report to moderator
1585397670
Hero Member
*
Offline Offline

Posts: 1585397670

View Profile Personal Message (Offline)

Ignore
1585397670
Reply with quote  #2

1585397670
Report to moderator
1585397670
Hero Member
*
Offline Offline

Posts: 1585397670

View Profile Personal Message (Offline)

Ignore
1585397670
Reply with quote  #2

1585397670
Report to moderator
AWARD-WINNING
CRYPTO CASINO
ASKGAMBLERS
PLAYERS CHOICE 2019
PROUD
PARTNER OF
1500+
GAMES
2 MIN
CASH-OUTS
24/7
SUPPORT
100s OF
FREE SPINS
PLAY NOW
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1585397670
Hero Member
*
Offline Offline

Posts: 1585397670

View Profile Personal Message (Offline)

Ignore
1585397670
Reply with quote  #2

1585397670
Report to moderator
1585397670
Hero Member
*
Offline Offline

Posts: 1585397670

View Profile Personal Message (Offline)

Ignore
1585397670
Reply with quote  #2

1585397670
Report to moderator
ninjaboon
Legendary
*
Offline Offline

Activity: 2058
Merit: 1000



View Profile WWW
November 04, 2013, 11:46:56 PM
 #582

The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.

Everyone who has lost money will be fully reimbursed.

pretty scary. luckily my coins are intact. I have never enabled the API keys.

ninjaboon
Legendary
*
Offline Offline

Activity: 2058
Merit: 1000



View Profile WWW
November 04, 2013, 11:47:32 PM
 #583

0.12843117 BTC gone from my account "dailybitcoins" to the 15Ctwosw7VCNHp5Rp1ZoviLaV41nZ59spx. Please make a refund.

you had API key enabled.?

TradeFortress 🏕
VIP
Legendary
*
Offline Offline

Activity: 1176
Merit: 1023


View Profile
November 05, 2013, 12:22:08 AM
 #584

A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
btcplayer
Newbie
*
Offline Offline

Activity: 21
Merit: 0


View Profile
November 05, 2013, 12:59:18 AM
 #585

A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

good update, looking for more.
HotSwap
Hero Member
*****
Offline Offline

Activity: 807
Merit: 1000


COINMIXER.NET


View Profile
November 05, 2013, 01:03:42 AM
 #586

thanks TF.

High Volume, Secure Bitcoin Mixer: https://CoinMixer.net
giantdragon
Legendary
*
Offline Offline

Activity: 1582
Merit: 1000



View Profile
November 05, 2013, 01:13:13 AM
 #587

you had API key enabled.?
Yes.
ninjaboon
Legendary
*
Offline Offline

Activity: 2058
Merit: 1000



View Profile WWW
November 05, 2013, 01:39:48 AM
 #588

A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

keep us posted and I'm unsure what 'side channel' attack means.

gotpetum
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
November 05, 2013, 01:59:48 AM
 #589

Hi TF,
I just withdrew about 43 BTC from coinlenders to inputs, and it didn't show up in my inputs account.

Could you please check on that? I'll send you an email with my account details.

Thanks!

"The direct use of force is such a poor solution to any problem, it is generally employed only by small children and large nations." ― David M. Friedman
DareC
Member
**
Offline Offline

Activity: 83
Merit: 10


View Profile
November 05, 2013, 02:03:11 AM
Last edit: November 05, 2013, 02:52:52 AM by DareC
 #590

Unable to send BTC from my inputs.io account. Getting error:  Sending has failed. The hot pocket may be empty. We have being notified of this.

That's kind of worrying (and also grammatically incorrect).

EDIT: working now
dree12
Legendary
*
Offline Offline

Activity: 1246
Merit: 1050



View Profile
November 05, 2013, 03:21:10 AM
 #591

How do I revoke an API key? I accidentally generated one and can't seem to get rid of it.
ahfs6298
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
November 05, 2013, 04:23:53 AM
 #592

A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

by the way, just wondering, what are API keys? are they some special feature which allows access to our account, and how do I disable such a feature if it is ON
flmbg
Member
**
Offline Offline

Activity: 86
Merit: 10


View Profile
November 05, 2013, 05:08:36 AM
 #593


I have the same problem too. Withdraw 5 BTC from coinlenders but not appear in my inputs account. 4 hours passed.  Please help!
BitVegas
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250



View Profile
November 05, 2013, 05:53:23 AM
 #594

The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.

Everyone who has lost money will be fully reimbursed.

Great to hear!
My coins were also lost (Transaction e3da16d145fac74403c6c55bcfd0eb1529548267f30c28a5ef009b7b69243dc1)

If that could be please reimburst when you have the problem solved. Thanks for the great service.

caffeinewriter
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


It's been a while


View Profile WWW
November 05, 2013, 07:29:52 AM
 #595

A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

by the way, just wondering, what are API keys? are they some special feature which allows access to our account, and how do I disable such a feature if it is ON

Just some quick info:

An API (Application Programming Interface) is a key that allows use of features of an application without having to provide a username/password combo, and performing a login. Typically, it's paired with some sort of JSON or XML response, for responses, and for retrieving information. Here's an example. (Disclaimer: Not real info Smiley I'm not sure of the structure of the Inputs.io API)

A user with an API key runs a faucet. He uses the Inputs.io API to send his payments automatically, instead of having to do it manually, or having to hack up a solution to emulate a real user. For old time's sake, let's call him Bob.

Bob's application requests the following page to send some Bitcoins.

Code:
https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=100&recipient=13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D

This would authenticate to the API with his API key, and send 100 satoshis to the address 13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D (I'm using my own for this example), or perhaps an Inputs.io user instead, where recipient could be replaced with "caffeinewriter" instead, or something similar.

Now let's say Mallory has somehow acquired Bob's API key. She now can use the Inputs.io API to manipulate Bob's account without ever logging in.

First, she could figure out his balance using the API, assuming there is a method for that.

Code:
https://inputs.io/api/v1/getBalance?apikey=ThisIsHisAPIKey&user=bitcoinbob

This could return a JSON object, for example.

Code:
{
    "user": "bitcoinbob",
    "balance": 214150000
}

Now Mallory can make another API request to withdraw Bob's entire balance of BTC2.14150000.

Code:
https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=214150000&recipient=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

API keys are dangerous  Roll Eyes Be safe guys. Hope this helped illustrate how this happened at least a little bit.

HotSwap
Hero Member
*****
Offline Offline

Activity: 807
Merit: 1000


COINMIXER.NET


View Profile
November 05, 2013, 08:46:51 AM
 #596

but you still need the pin to use the api.

High Volume, Secure Bitcoin Mixer: https://CoinMixer.net
caffeinewriter
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


It's been a while


View Profile WWW
November 05, 2013, 10:59:03 AM
 #597

but you still need the pin to use the api.

That was just an example. Apparently this hacker found a way to exploit API keys and pins.

bits4books
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


View Profile
November 05, 2013, 11:42:54 AM
 #598

Why is my "hotpocket empty"?
Boelens
Hero Member
*****
Offline Offline

Activity: 672
Merit: 500



View Profile
November 05, 2013, 01:05:02 PM
 #599

A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

Glad to hear you're resolving it so quickly. Can you check if anything was lost my faucet account? (admin@domesticpineapple.com), and I think it might but I get so many cashouts it's a pain to go through.
faiza1990
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250


★☆★777Coin★☆★


View Profile
November 05, 2013, 02:27:08 PM
 #600

just want to ask all reimbursed  or what is policy about this I lost 0.127 btc and its in my account for last 1 month

Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 [30] 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!