ninjaboon
Legendary
 Offline
Activity: 2114
Merit: 1002
|
 |
November 04, 2013, 11:40:58 PM |
|
Where are you getting all these addresses from?
That's correct. He is sleeping apparently. Although coinchat seems to be down. EDIT: I guess coinchat has been down for a few days. I think he's on Sydney timezone |
|
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
ninjaboon
Legendary
Offline
Activity: 2114
Merit: 1002
|
|
November 04, 2013, 11:46:56 PM |
|
The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.
Everyone who has lost money will be fully reimbursed.
pretty scary. luckily my coins are intact. I have never enabled the API keys. |
|
|
|
ninjaboon
Legendary
Offline
Activity: 2114
Merit: 1002
|
|
November 04, 2013, 11:47:32 PM |
|
0.12843117 BTC gone from my account "dailybitcoins" to the 15Ctwosw7VCNHp5Rp1ZoviLaV41nZ59spx. Please make a refund.
you had API key enabled.? |
|
|
|
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
November 05, 2013, 12:22:08 AM |
|
A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.
Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).
There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
|
|
|
|
|
btcplayer
Newbie
Offline
Activity: 20
Merit: 0
|
|
November 05, 2013, 12:59:18 AM |
|
A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.
Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).
There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
good update, looking for more. |
|
|
|
|
|
HotSwap
|
|
November 05, 2013, 01:03:42 AM |
|
thanks TF.
|
|
|
|
giantdragon
Legendary
Offline
Activity: 1582
Merit: 1002
|
|
November 05, 2013, 01:13:13 AM |
|
you had API key enabled.?
Yes. |
|
|
|
|
ninjaboon
Legendary
Offline
Activity: 2114
Merit: 1002
|
|
November 05, 2013, 01:39:48 AM |
|
A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.
Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).
There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
keep us posted and I'm unsure what 'side channel' attack means. |
|
|
|
|
gotpetum
|
|
November 05, 2013, 01:59:48 AM |
|
Hi TF,
I just withdrew about 43 BTC from coinlenders to inputs, and it didn't show up in my inputs account.
Could you please check on that? I'll send you an email with my account details.
Thanks!
|
"The direct use of force is such a poor solution to any problem, it is generally employed only by small children and large nations." ― David M. Friedman
|
|
|
DareC
Member
Offline
Activity: 83
Merit: 10
|
|
November 05, 2013, 02:03:11 AM
Last edit: November 05, 2013, 02:52:52 AM by DareC |
|
Unable to send BTC from my inputs.io account. Getting error: Sending has failed. The hot pocket may be empty. We have being notified of this.
That's kind of worrying (and also grammatically incorrect).
EDIT: working now
|
|
|
|
|
dree12
Legendary
Offline
Activity: 1246
Merit: 1077
|
|
November 05, 2013, 03:21:10 AM |
|
How do I revoke an API key? I accidentally generated one and can't seem to get rid of it.
|
|
|
|
|
ahfs6298
Newbie
Offline
Activity: 11
Merit: 0
|
|
November 05, 2013, 04:23:53 AM |
|
A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.
Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).
There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
by the way, just wondering, what are API keys? are they some special feature which allows access to our account, and how do I disable such a feature if it is ON |
|
|
|
|
flmbg
Member
Offline
Activity: 81
Merit: 10
|
|
November 05, 2013, 05:08:36 AM |
|
I have the same problem too. Withdraw 5 BTC from coinlenders but not appear in my inputs account. 4 hours passed. Please help!
|
|
|
|
|
|
BitVegas
|
|
November 05, 2013, 05:53:23 AM |
|
The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.
Everyone who has lost money will be fully reimbursed.
Great to hear! My coins were also lost (Transaction e3da16d145fac74403c6c55bcfd0eb1529548267f30c28a5ef009b7b69243dc1) If that could be please reimburst when you have the problem solved. Thanks for the great service. |
|
|
|
|
caffeinewriter
|
|
November 05, 2013, 07:29:52 AM |
|
A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.
Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).
There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
by the way, just wondering, what are API keys? are they some special feature which allows access to our account, and how do I disable such a feature if it is ON Just some quick info: An API (Application Programming Interface) is a key that allows use of features of an application without having to provide a username/password combo, and performing a login. Typically, it's paired with some sort of JSON or XML response, for responses, and for retrieving information. Here's an example. (Disclaimer: Not real info  I'm not sure of the structure of the Inputs.io API) A user with an API key runs a faucet. He uses the Inputs.io API to send his payments automatically, instead of having to do it manually, or having to hack up a solution to emulate a real user. For old time's sake, let's call him Bob. Bob's application requests the following page to send some Bitcoins. https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=100&recipient=13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D This would authenticate to the API with his API key, and send 100 satoshis to the address 13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D (I'm using my own for this example), or perhaps an Inputs.io user instead, where recipient could be replaced with "caffeinewriter" instead, or something similar. Now let's say Mallory has somehow acquired Bob's API key. She now can use the Inputs.io API to manipulate Bob's account without ever logging in. First, she could figure out his balance using the API, assuming there is a method for that. https://inputs.io/api/v1/getBalance?apikey=ThisIsHisAPIKey&user=bitcoinbob This could return a JSON object, for example. {
"user": "bitcoinbob",
"balance": 214150000
}
Now Mallory can make another API request to withdraw Bob's entire balance of BTC2.14150000. https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=214150000&recipient=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX API keys are dangerous  Be safe guys. Hope this helped illustrate how this happened at least a little bit. |
|
|
|
|
HotSwap
|
|
November 05, 2013, 08:46:51 AM |
|
but you still need the pin to use the api.
|
|
|
|
|
caffeinewriter
|
|
November 05, 2013, 10:59:03 AM |
|
but you still need the pin to use the api.
That was just an example. Apparently this hacker found a way to exploit API keys and pins. |
|
|
|
bits4books
Sr. Member
Offline
Activity: 854
Merit: 264
Crypto is not a religion but i like it
|
|
November 05, 2013, 11:42:54 AM |
|
Why is my "hotpocket empty"?
|
|
|
|
|
|
Boelens
|
|
November 05, 2013, 01:05:02 PM |
|
A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.
Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).
There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
Glad to hear you're resolving it so quickly. Can you check if anything was lost my faucet account? ( admin@domesticpineapple.com), and I think it might but I get so many cashouts it's a pain to go through. |
|
|
|
|
faiza1990
Sr. Member
Offline
Activity: 420
Merit: 250
★☆★777Coin★☆★
|
|
November 05, 2013, 02:27:08 PM |
|
just want to ask all reimbursed or what is policy about this I lost 0.127 btc and its in my account for last 1 month
|
|
|
|
|
