Bitcoin Forum
June 16, 2024, 03:52:00 PM *
News: Voting for pizza day contest
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: UnoWallet - Instant Bitcoin Wallet  (Read 4684 times)
infonetenergy (OP)
Member
**
Offline Offline

Activity: 75
Merit: 10



View Profile
July 05, 2013, 11:14:49 AM
Last edit: September 09, 2013, 04:01:55 PM by infonetenergy
 #1

https://uno-wallet.com

UnoWallet is an eWallet where the user only needs access to the website address (URL) to spend the funds in the wallet.  

This service allows the users to be anonymous, and does not require the user to provide an e-mail address to receive funds.

WARNING

UnoWallet does not aspire to be a Bitcoin bank and as such can only provide a low to medium level of security.  Please do not store more than some spare change here.

Note to advanced users:  this wallet is stateless, meaning that there is NO database which records every url.  No database means there's no chance of hacking a database.  

Please be sure to save the unique url for each wallet.  If you forget the url, you lose the funds.  
infonetenergy (OP)
Member
**
Offline Offline

Activity: 75
Merit: 10



View Profile
July 05, 2013, 11:54:34 AM
Last edit: July 05, 2013, 02:25:07 PM by infonetenergy
 #2

Please help us *break* this wallet.   Wink

[edited] 1 btc award for pointing out a major flaw, 0.1 btc for minor flaws....
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
July 05, 2013, 01:12:21 PM
 #3

Don't mind but i don't think anyone will tell " Major Flaw" for that small amount.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1007


1davout


View Profile WWW
July 05, 2013, 01:14:18 PM
 #4

Haha, 0.1 BTC

Much smarter to keep the major flaw for yourself and exploit it once you get traffic.

dashingriddler
Legendary
*
Offline Offline

Activity: 1258
Merit: 1001



View Profile
July 05, 2013, 01:17:17 PM
 #5

Thats true but they will still point out major flaw if they happen to lose their satoshis due to it i guess.

CENTRA

            ▄▄▄██████████▄▄▄
        ▄▄████████████████████▄▄
      ▄███████▀▀         ▀▀███████▄
    ▄█████▀                  ▀██████
   █████▀      ▄▄▄█████▄▄      ▀█████▄
  █████     ▄██████████████▄     ▀████▄
 █████     ██████▀▀  ▀▀██████▄    ▀████
▐████     █████          █████     █████
█████    ▐████                     ▐████
█████    █████                     ▐████
█████     █████          ▄████▌    █████
 ████▌    ▀█████▄▄    ▄▄█████▀    ▄████▌
 ▀████▄     ▀██████████████▀     ▄████▀
  ▀█████▄     `▀████████▀▀     ▄█████▀
   `██████▄                  ▄██████
     ▀███████▄▄          ▄▄███████▀
       ▀██████████████████████▀
           ▀▀▀█████████████▀▀

.
.
.
.
infonetenergy (OP)
Member
**
Offline Offline

Activity: 75
Merit: 10



View Profile
July 05, 2013, 01:41:46 PM
 #6

Haha, 0.1 BTC

Much smarter to keep the major flaw for yourself and exploit it once you get traffic.

Good point.  You have a better idea for encouraging people to help us beta test?

By the way, if you do lose a few satoshis caused by an error on our part, we will refund you the satoshis (within reason).   

[again, we are in tinkering mode, do NOT put anything more than spare change here.]

And if you are looking for a GREAT e-wallet, please visit blockchain.info 
Benson Samuel
Legendary
*
Offline Offline

Activity: 1890
Merit: 1000


Landscaping Bitcoin for India!


View Profile WWW
July 05, 2013, 02:00:57 PM
 #7

Haha, 0.1 BTC

Much smarter to keep the major flaw for yourself and exploit it once you get traffic.

Good point.  You have a better idea for encouraging people to help us beta test?

By the way, if you do lose a few satoshis caused by an error on our part, we will refund you the satoshis (within reason).   

[again, we are in tinkering mode, do NOT put anything more than spare change here.]

And if you are looking for a GREAT e-wallet, please visit blockchain.info 

I do believe that davout wrote Instawallet.
He might be referring to a higher bounty on the Major flaw bit.

infonetenergy (OP)
Member
**
Offline Offline

Activity: 75
Merit: 10



View Profile
July 05, 2013, 02:22:37 PM
Last edit: July 05, 2013, 02:52:48 PM by infonetenergy
 #8

Haha, 0.1 BTC

Much smarter to keep the major flaw for yourself and exploit it once you get traffic.

Good point.  You have a better idea for encouraging people to help us beta test?

By the way, if you do lose a few satoshis caused by an error on our part, we will refund you the satoshis (within reason).  

[again, we are in tinkering mode, do NOT put anything more than spare change here.]

And if you are looking for a GREAT e-wallet, please visit blockchain.info  

I do believe that davout wrote Instawallet.
He might be referring to a higher bounty on the Major flaw bit.

Cool, didn't know that Benson.  Nice to meet you davout.  Smiley

Ok, I'll up the bounty to 1 btc.  And I've also created this address to collect additional funds from anybody who wishes to support this initiative, please send bitcoin here to sweeten the pot to help find the first big flaw:

12aBAC1caY4CFLMSKNgGSrMsodHRNALdkS

Will give our engineers another week to tighten up any obvious issues from our end.  

Then will increase bounty pledge to 2 btc....  
UnoWallet
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
July 06, 2013, 06:46:13 AM
 #9

We would like to get feedback for this wallet, both positive and negative. If you like the idea and find it useful, consider donating to support further development. The address is mentioned on the site.
Benson Samuel
Legendary
*
Offline Offline

Activity: 1890
Merit: 1000


Landscaping Bitcoin for India!


View Profile WWW
July 07, 2013, 06:13:32 AM
 #10

Quote
Hi,

I was testing the wallet last night and made a couple of changes without realizing it was the production version Smiley
I have reverted those changes.
In case you transferred money since last night after meetup and before today morning 11AM,
your funds are available in a different wallet.

http://oldwallet.wetakecoins.cloudbees.net/<url>

Funds transferred before yesterday evening and after today morning ar in the original wallet.

http://wallet.wetakecoins.cloudbees.net/<url>

Thanks

infonetenergy (OP)
Member
**
Offline Offline

Activity: 75
Merit: 10



View Profile
August 09, 2013, 03:50:54 AM
 #11

Here is the latest version of unowallet [a secure instant bitcoin wallet].  No longer in alpha, now in beta:

https://unowallet.cfapps.io/wallet

Important Note:  if you send funds to an unowallet, you must remember the URL.  If you forget to record the URL, you will lose your bitcoin! 

Why?  UnoWallet is stateless.  This means that each wallet is created on the fly, in real time, and our servers do not record the URLs or private keys of users at any point in time.  Why?  if there's no server, there's no data to hack!

Another Important Note:  unowallet provides you with the private key of each wallet.  This way, even if you ever forget your URL, as long as you save your private key, you will be able to retrieve your funds from anywhere.
Eternity
Full Member
***
Offline Offline

Activity: 196
Merit: 100



View Profile
September 19, 2013, 10:10:57 AM
 #12

Change the look and feel of the site

Make things more attractive like others
MRKLYE
Legendary
*
Offline Offline

Activity: 1358
Merit: 1003


Designer - Developer


View Profile WWW
September 19, 2013, 10:33:39 AM
 #13

MAJOR SECURITY FLAW.

Someone can easily get lucky and "guess" or bruteforce into wallet URL.
There is no password ability given what so ever.. Any BTC put in these wallets are open for the taking..

 1AAcnJvU4oVTXqYj6K4pqRRW5HLLFdugoX


▄▄███████████▄▄
▄████▀▀`````````▀▀████▄
███▀```````````````````▀███
███`````````````````````````███
██```````````██``██````````````██
██````````▄▄▄▄██▄▄██▄▄▄▄`````````██
██`````````▀██████████████▄````````██
██`````````````███`````▀████`````````██
▐█▌`````````````███`````▄███▀`````````▐█▌
▐█▌`````````````███████████▄``````````▐█▌
▐█▌`````````````███▀▀▀▀▀▀████▄````````▐█▌
▐█▌`````````````███```````████````````▐█▌
██`````````````███`````▄▄████````````██
██`````````▄██████████████▀````````██
██````````▀▀▀▀██▀▀██▀▀▀▀`````````██
██```````````██``██````````````██
███`````````````````````````███
███▄```````````````````▄███
▀████▄▄`````````▄▄████▀
▀▀███████████▀▀
FREE
BITCOINS.com





















`````````▄
````````▄█▄
``````▄█████▄
`````█████████
```▄███████████▄
``███████████████
`█████████████████
███████████████████
███████████████████
██▌▀███████████████
`██``▀████████████
``██▄```▀████████
```▀███▄▄`█████▀
``````▀▀▀▀▀▀▀

FAUCET
▀▀▀▀▀▀▀▀▀



``````````````````▄▄▄▄▄▄
``````````````````██████
``````````````````██████
``````````````````██████
``````````██████``██████
``````````██████``██████
``██████``██████``██████
``██████``██████``██████
``██████``██████``██████
``██████``██████``██████
``██████``██████``██████

██████████████████████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

XCHANGE
▀▀▀▀▀▀▀▀▀



```````````▄
`````````▄██
```````▄████
`````▄██████████▄
`````▀███████████▄
```````▀████``▀████
█``````▄`▀██````▀██
██▄````██▄`▀``````█
████▄``████▄
`▀███████████▄
``▀██████████▀
```````████▀
```````██▀
```````▀

SWAP
▀▀▀▀▀▀▀▀▀
Amitabh S
Legendary
*
Offline Offline

Activity: 1001
Merit: 1003


View Profile
September 19, 2013, 08:03:44 PM
 #14

passwords can be bruteforced too.. so no less security than passwords.

Coinsecure referral ID: https://coinsecure.in/signup/refamit (use this link to signup)
Benson Samuel
Legendary
*
Offline Offline

Activity: 1890
Merit: 1000


Landscaping Bitcoin for India!


View Profile WWW
September 21, 2013, 02:22:13 AM
 #15

passwords can be bruteforced too.. so no less security than passwords.

It would help to add a layer of protection with a password or some other multi-auth method. It is likely to store wealth and in the event that it does gather significant value, it will become a target to list based attacks, etc. A password mechanism built into the same URL would be sweet.

dashingriddler
Legendary
*
Offline Offline

Activity: 1258
Merit: 1001



View Profile
September 21, 2013, 06:51:38 AM
 #16

MAJOR SECURITY FLAW.

Someone can easily get lucky and "guess" or bruteforce into wallet URL.
There is no password ability given what so ever.. Any BTC put in these wallets are open for the taking..

 1AAcnJvU4oVTXqYj6K4pqRRW5HLLFdugoX
Guessing or bruteforcing the URL is like guessing or bruteforcing the private key. So i am not bothered at this level.
To me the network seems to be little vulnurable. I dont know if SSL protects the data only or will include a level of encryption for URL itself. Also the URLs get stored in history of the browser and such. The guy from behind you can just take a photo of the URL without your knowledge using his mobile phone.

One thing that can be done along with what ever is already there is:
Navigate to the home age of uno wallet and on that page the code that you give in the URL should be there as plain text masked with javascript, then provide a text box where u enter the code that u see in the URL itself and it gets submitted to the server as POST and loads the new page - and hence the URL itself never include any private info.
So basically the new user will copy the code from the home page and store it safely while the repeat users would enter the code to go to access the wallet.

CENTRA

            ▄▄▄██████████▄▄▄
        ▄▄████████████████████▄▄
      ▄███████▀▀         ▀▀███████▄
    ▄█████▀                  ▀██████
   █████▀      ▄▄▄█████▄▄      ▀█████▄
  █████     ▄██████████████▄     ▀████▄
 █████     ██████▀▀  ▀▀██████▄    ▀████
▐████     █████          █████     █████
█████    ▐████                     ▐████
█████    █████                     ▐████
█████     █████          ▄████▌    █████
 ████▌    ▀█████▄▄    ▄▄█████▀    ▄████▌
 ▀████▄     ▀██████████████▀     ▄████▀
  ▀█████▄     `▀████████▀▀     ▄█████▀
   `██████▄                  ▄██████
     ▀███████▄▄          ▄▄███████▀
       ▀██████████████████████▀
           ▀▀▀█████████████▀▀

.
.
.
.
Amitabh S
Legendary
*
Offline Offline

Activity: 1001
Merit: 1003


View Profile
September 21, 2013, 09:00:37 PM
Last edit: September 21, 2013, 09:30:11 PM by Amitabh S
 #17

Hi Dashingriddler,

SSL urls are encrypted (at least the stuff after the base url) as discussed in the following post

http://stackoverflow.com/questions/499591/are-https-urls-encrypted


Coinsecure referral ID: https://coinsecure.in/signup/refamit (use this link to signup)
UnoWallet
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
September 22, 2013, 10:50:53 PM
Last edit: November 16, 2013, 05:06:27 AM by UnoWallet
 #18

Thanks to everyone for their feedback. We give below a brief description of Unowallet.

How Unowallet works?
  • When a full Unowallet url is accessed (e.g., uno-wallet.com/wallet/SomeSecretString),  the string after wallet/ is used to generate a private key in a deterministic way. The corresponding bitcoin address is then computed. Finally, the unspent outputs for that address are obtained and the balance computed. The wallet literally exists only when the url is open in the user's browser. The server never stores anything (urls/private keys/addresses) after that.

    Unowallet only allows https urls, so this string is always sent encrypted over the network. No one except your browser and our server have access to this string. Unowallet accepts any ASCII alphanumeric string of up to 50 characters. If this string is generated truly randomly, there is almost zero chance of someone guessing or bruteforcing it (see next point).

  • When bare Unowallet url is visited (i.e.. uno-wallet.com/wallet or uno-wallet.com), a random 50 character string is generated automatically for the user to form a full url. Again, this string never travels over the network unencrypted. Only your browser and our server have access to this in plaintext.

    Of course, you are free to use any string after wallet/ as long as you ensure that it is hard to guess. For example, do not use a url such as uno-wallet.com/wallet/SatoshiNakamoto

Recommended way to use unowallet:
  • Use TOR for added privacy. Our server will not know your real IP address.
  • Do not use any proxy servers to access unowallet.
  • Always access it from a secure computer (no viruses/browser extensions).
  • Always keep the url with you in a safe place. Email it to yourself if necessary.
  • Save also the private key so you are not tied to unowallet when spending funds. In fact, save the entire page, which contains all the necessary information.
  • Unowallet is designed for those people who need an instant address for receiving funds that they plan to move somewhere else soon afterwards. We do not recommend storing large amount there.

Are my coins really safe in Unowallet?
Although Unowallet is one of the easiest and fastest wallets to use (and its free!), it should be used only by people who have some knowledge about Bitcoin and know basic concepts of security. Several things can go wrong and cause you to lose your bitcoins.

What can go wrong? These are some ways in which your wallet/url can be compromised:
- Virus/trojans can capture every url you visit.
- Browser extensions may log urls and forward to 3rd party sites (such as Google) for indexing.
- You use an easily guessable url.
- You use a url sent by (or shared with) someone else.
- You use a url found from a search engine.

We will probably not be able to help you out if you lose funds due to any of the above. Nevertheless, if such incidents happen, please do email us with details.

How is Unowallet different from other 'instant' wallets?
In a few ways: (1) Unowallet is entirely stateless. We do not store anything that can be used by an attacker to obtain the private key of a Unowallet address, should our site be hacked.
(2) We also give you the private key to your address when you access a wallet (which you must save!), so you have full control of the funds in that address. (3) Unowallet transactions are 'on-chain'.

What about passwords/2FA/etc?
Unowallet does not support passwords or 2FA because it defeats the very purpose of url-based wallets. For those who are troubled with the "url-based-wallet" concept, we have another wallet in the beta-testing phase, called Unobase. This does authentication via OpenID using a provider such as Google/Yahoo/AOL/etc.  


Disclaimer:
Unowallet service is provided AS IS. This implies that we are not liable for any bitcoins you lose via Unowallet, irrespective of whether it is our fault or not.
Benson Samuel
Legendary
*
Offline Offline

Activity: 1890
Merit: 1000


Landscaping Bitcoin for India!


View Profile WWW
October 10, 2013, 11:41:13 AM
 #19

Quote
What about passwords/2FA/etc?
Unowallet does not support passwords or 2FA because it defeats the very purpose of url-based wallets. For those who are troubled with the "url-based-wallet" concept, we have another wallet in the beta-testing phase, called Unobase. This does authentication via OpenID using a provider such as Google/Yahoo/AOL/etc. 

Unobase's auth is overkill. It does seem to have appropriate uses in a networked/ enterprise environment though.

2FA and passwords DO NOT defeat the purpose of an URL based wallet for sure. I understand your need to keep this stateless, but adding some form of authentication will definitely get my vote. I have woken up to empty wallets before and it is really not a good feeling when you need to store your funds in a place where you have no control over the security.

What risks are you likely to encounter by adding an identifier database?

You are still not storing private keys with this exercise.

This would also solve the problem of URL recording software/ malware.

Ping me when you get on Hangout... Will push through some info on making this better.

Abdussamad
Legendary
*
Offline Offline

Activity: 3626
Merit: 1568



View Profile
October 28, 2013, 01:07:09 PM
 #20

Unowallet is amazing! I mean its nuts but also amazing!

BTW you don't own unowallet.com do you? I bet a lot of people are going to end up there instead.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!