niktitan132
Legendary
 Offline
Activity: 1036
Merit: 1000
|
 |
November 05, 2013, 03:17:24 PM |
|
just want to ask all reimbursed or what is policy about this I lost 0.127 btc and its in my account for last 1 month
I lost 0.2445 BTC  |
|
|
|
|
mintmoney
Newbie
Offline
Activity: 22
Merit: 0
|
|
November 05, 2013, 04:25:49 PM |
|
weird, I had an api-key enabled and no issues... I hope you guys aren't setting your api key & pin variables directly in the code (like in the callback example here: https://inputs.io/api#callbackexample ) hopefully TF gets the API back online soon   -Minty |
|
|
|
|
californiablue
Newbie
Offline
Activity: 11
Merit: 0
|
|
November 05, 2013, 08:46:34 PM |
|
A full update will be posted soon, don't panic. Only people with the API key enabled was compromised (and will be reimbursed), passwords are securely stored one way in the database.
Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).
There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.
The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.
Everyone who has lost money will be fully reimbursed.
Thank you TF. You're the best.  |
|
|
|
|
harningt
Member
Offline
Activity: 63
Merit: 10
|
|
November 05, 2013, 09:01:58 PM |
|
CoinLenders should probably have it's withdraw disabled - I withdrew and found nothing shows up in my Inputs.IO wallet... then I come and look and the API is disabled. (which is probably why the deposit part didn't take effect)
CoinLenders should probably have caught some sort of error and not deducted my balance... hopefully this item is easy to fix and get balances right!
My luck is not too good these days - lose some BTC to an "auto-refund" by Coinbase and now to API key for CoinLenders...
|
|
|
|
|
flmbg
Member
Offline
Activity: 81
Merit: 10
|
|
November 06, 2013, 01:02:53 AM |
|
CoinLenders should probably have it's withdraw disabled - I withdrew and found nothing shows up in my Inputs.IO wallet... then I come and look and the API is disabled. (which is probably why the deposit part didn't take effect)
CoinLenders should probably have caught some sort of error and not deducted my balance... hopefully this item is easy to fix and get balances right!
My luck is not too good these days - lose some BTC to an "auto-refund" by Coinbase and now to API key for CoinLenders...
I agree with your suggestion. I withdraw 5 BTC yesterday from Coinlenders and they never show up in inputs. I've sending email to TF and not receive any reply for this. This might be a serious problem for all of us. |
|
|
|
|
|
marketorder
|
|
November 06, 2013, 01:33:26 AM |
|
Has anyone got any updates yet? I've moved my money to cold storage until this is resolved. I'm confident TF will fix everything
|
|
|
|
|
|
Financisto
|
|
November 06, 2013, 02:36:48 AM |
|
Why is my "hotpocket empty"?
Same happened here. Have all (or most of) funds from "hot wallets" been removed to cold storage? |
|
|
|
|
bitcoindigi
|
|
November 06, 2013, 09:10:15 AM |
|
Why is my "hotpocket empty"?
Same happened here. Have all (or most of) funds from "hot wallets" been removed to cold storage? First: it's not your hot pocket, it's inputs'. I guess TF moved all coins to a secure cold wallet until he fixed the security breaches. So calm down and use electrum to keep huge amounts next time  |
|
|
|
|
|
cozie
|
|
November 06, 2013, 11:33:53 AM
Last edit: November 06, 2013, 11:50:56 AM by cozie |
|
i try to withdraw 0.5 btc, inputs.io say "Sent!" but he is not, trxid generated not exist and ofc my balance is now with -0.5005 btc  [edit] all ok, transaction show up after some time [/edit] |
|
|
|
|
btcton
Legendary
Offline
Activity: 1288
Merit: 1007
|
|
November 06, 2013, 11:51:05 AM |
|
Yeah, you really have to calm down. Leaving all your BTC in the same wallet isn't a very good idea. Anyway, I'm sure TF is working harder than you may think to solve this.
|
The signature campaign posters adding useless redundant fluff to their posts to reach their minimum word count are lowering my IQ.
|
|
|
pinovero
Member
Offline
Activity: 176
Merit: 10
The World’s First Blockchain Core
|
|
November 06, 2013, 12:06:13 PM |
|
I suspect that this could be a faucet code issue and not a inputs.io problem
This hacker may be targeting sites that surely would have had an input.io account with API enabled, looking for vulnerability, trying to obtain read privileges of the config.php in which almost all current faucet keep it in plain API key and pin codes
I've also found a strange activity on my site and services overflow attempts, but without any success
|
|
|
|
|
js1985
|
|
November 06, 2013, 12:26:21 PM |
|
Why is my "hotpocket empty"?
Same happened here. Have all (or most of) funds from "hot wallets" been removed to cold storage? First: it's not your hot pocket, it's inputs'. I guess TF moved all coins to a secure cold wallet until he fixed the security breaches. So calm down and use electrum to keep huge amounts next time Any news from TF? |
|
|
|
|
|
JohnHarmer
|
|
November 06, 2013, 01:09:27 PM |
|
Why is my "hotpocket empty"?
Same happened here. Have all (or most of) funds from "hot wallets" been removed to cold storage? First: it's not your hot pocket, it's inputs'. I guess TF moved all coins to a secure cold wallet until he fixed the security breaches. So calm down and use electrum to keep huge amounts next time Any news from TF? No, and when i withdraw from input.io, got "hotpocket empty" |
TradeFortress|吴泽岳's profile:www.wuzeyue.org
吴泽岳要钱要命你自己选,不信你就等着
|
|
|
|
gaston909
|
|
November 06, 2013, 02:21:55 PM |
|
Yes, calm is the only way here. If you can't be calm, don't trust external sites with you btc.
Take care of them yourself.
|
|
|
|
|
|
JohnHarmer
|
|
November 06, 2013, 03:00:08 PM |
|
Googled "side channel", it is said its Xen's hole.
input.io use aws, and aws is base on Xen.
so , maybe TF is busing moving input.io from aws to some physical machine.
That's why it took so long.
|
TradeFortress|吴泽岳's profile:www.wuzeyue.org
吴泽岳要钱要命你自己选,不信你就等着
|
|
|
devthedev
Legendary
Offline
Activity: 1050
Merit: 1004
|
|
November 06, 2013, 03:21:05 PM |
|
I suspect that this could be a faucet code issue and not a inputs.io problem
This hacker may be targeting sites that surely would have had an input.io account with API enabled, looking for vulnerability, trying to obtain read privileges of the config.php in which almost all current faucet keep it in plain API key and pin codes
I've also found a strange activity on my site and services overflow attempts, but without any success
Yep, makes sense. |
|
|
|
christmas
Newbie
Offline
Activity: 45
Merit: 0
|
|
November 06, 2013, 03:31:25 PM |
|
Googled "side channel", it is said its Xen's hole.
input.io use aws, and aws is base on Xen.
so , maybe TF is busing moving input.io from aws to some physical machine.
That's why it took so long.
hope so |
|
|
|
|
high110
Sr. Member
Offline
Activity: 728
Merit: 253
A Blockchain Mobile Operator With Token Rewards
|
|
November 06, 2013, 04:00:06 PM |
|
I haven't lost any money - but I just need to move some around. If you can let me know the soonest when I can do this...thanks! Just 2 BTC...
|
|
|
|
|
knowitnothing
|
|
November 06, 2013, 04:22:47 PM |
|
Googled "side channel", it is said its Xen's hole.
input.io use aws, and aws is base on Xen.
This is very misleading. Side channel attack is a whole group of attacks, but this term is commonly used when talking about cryptography (please see https://en.wikipedia.org/wiki/Side_channel_attack, and in the rare event that you are really into it http://www.sidechannelattacks.com/a.aspx). I can't think of any reason why someone would say this was a side channel attack (actually, sic: "like a 'side channel' attack"), except to disguise the shame of the actual bug(s) found that won't be properly disclosed. It's time to get honest and drop the text about "most secure wallet ever created". |
|
|
|
|
Injust
Legendary
Offline
Activity: 1008
Merit: 1000
|
|
November 07, 2013, 12:33:06 AM |
|
This doesn't look good, https://inputs.io shows this message. 404 BTC not found
Two hacks have left Inputs unable to pay Woah, this admittedly IS looking bad now TradeFortress, please give us an update? |
|
|
|
|
|
