I just tried CoinPal for my first non-faucet bitcoins, and I can confirm it worked well, and very speedily (if you have a verified Paypal account). Thanks very much for setting up this service, mndrix. I hope it works out for you.
I have one major security complaint about the service, which I think you could easily fix: Once I have typed my Bitcoin address in on the first screen, it is never displayed back to me. For starters, this means I have no way to verify that the account I have typed (which I am paying real money for) is actually an account under my control.
There is a real security problem here: a man in the middle could intercept my initial request and have the funds redirected to his account, without me being able to before purchase. First, there is no SSL (HTTPS) connection, so a man in the middle attack is possible. While using SSL would help, certificates are expensive and I'm not saying you need to get one. Just that in its absence, we have to assume someone is able to view and modify the HTTP traffic as it goes between my browser and ndrix.com. Now consider this scenario:
1. At http://coinpal.ndrix.com/, I enter my email address, amount and Bitcoin address.
2. A hacker intercepts the HTTP request, and modifies the bitcoin_address field to contain his address instead of mine. He leaves my email address and BTC amount as they are, and forwards the modified request on to ndrix.com.
3. On your server, this creates a new unique ID "534fxxxx", with my email address, my requested amount, and the hacker's Bitcoin address.
4. I am redirected to http://coinpal.ndrix.com/confirm/534fxxxx, which displays the requested number of BTC and conversion rate. I click "Continue" and am redirected to http://coinpal.ndrix.com/email_verify_instructions
5. On your server, this creates another new unique ID "285xxxx" (I'm not sure what the second unique ID is, but neither contain my Bitcoin address).
6. I receive an email titled "CoinPal email verification (order 534fxxxx)" telling me to click the link "http://coinpal.ndrix.com/continue_order/2855xxxx". It contains both of the unique IDs for this transaction, but no Bitcoin address.
7. I click through to http://coinpal.ndrix.com/continue_order/2855xxxx, which tells me the number of BTC I am about to purchase and how much it will cost. I click "Buy Now".
8. I am redirected to Paypal (now on a secure connection) and asked to log in to Paypal. My order summary includes the number of BTC I am buying and the cost in USD. It also includes the first unique ID, "Item number: 534fxxxx". Nowhere does it say which Bitcoin address the funds are going to. I log in to Paypal and click "Pay now". The funds are removed from my Paypal account.
9. After the order is confirmed, CoinPal credits the hacker's Bitcoin account!
(Note: This did not happen to me, it is just a hypothetical scenario. Ironically, the post-payment email I received did include my Bitcoin account.)
So there is a common theme here: The bitcoin address is never displayed throughout the process. Were it displayed, I could check in the final step that I am indeed transferring bitcoin to an account under my control. The address should be displayed in all of the following places:
The email and the Paypal description are the critical ones. For either the confirm or continue_order pages on your site, the hacker could keep up his spoofing, and relay back to me the address I entered, even though on the server it is planning to send the coin to his address. Therefore, these two pages should simply display the address, and not prompt the user to verify it (as it is untrustworthy). However, it will be much harder for the hacker to spoof the email (if he does, you will send one too, and I'll know something is up), and impossible to spoof the Paypal description, given that it is under heavy SSL. Therefore, both the email AND the Paypal description should not only display the Bitcoin address, but actively encourage the user to verify that this is the same address he requested. When I am about to click "Pay now", I should be able to do a final check.
I would be (and was) wary of using this system without the address at least appearing in the Paypal item description.
Some further feedback:
- There is nowhere on the site that says that I am paying in US dollars, until I get through to Paypal. You should prefix all the "$" signs with "US".
- The confirmation email contains the text "If you did not place an order with CoinPal, it's likely that your PayPal and email accounts have been hacked. Check PayPal for unauthorized transactions and change passwords promptly." I don't follow this logic. Anybody who knows my email address could have typed it into the order page and caused me to receive that email. It isn't a security risk, as it wasn't triggered from my Paypal account. There should be no problem unless I actually go through with it. So the message should read "If you did not place an order with CoinPal, you should ignore this email." (Unless there is some other cause for alarm?)
- I am a bit confused as to why the transaction has two separate IDs. What is the purpose of having both the 534fxxxx and the 2855xxxx IDs?
I hope you can use this feedback to improve this great service.
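The tampering scenario and the proposed fix in the post above, as an added example that is not part of the original post or of CoinPal's code: it models the order flow with constructed placeholder addresses, IDs and message text, and shows that a verification prompt on the HTTP confirm page cannot catch the address swap, while the same check against a PayPal item description that carries the address (delivered over PayPal's HTTPS session) does. The email channel would be modelled the same way as the PayPal description.

```python
"""Model of the CoinPal order flow from the post. Constructed example: the
addresses, order ID and message texts are placeholders, not real values."""

MY_ADDRESS = "1BuyerAddressXXXXXXXXXXXXXXXXXXXXX"      # constructed placeholder
ATTACKER_ADDRESS = "1AttackerAddressXXXXXXXXXXXXXXXXX"  # constructed placeholder


def server_create_order(form):
    """Server side: the order records whatever arrived over plain HTTP."""
    return {"order_id": "534fxxxx", "email": form["email"],
            "btc": form["btc"], "bitcoin_address": form["bitcoin_address"]}


def mitm_tamper(form):
    """Step 2 of the post: only the bitcoin_address field is swapped in transit."""
    tampered = dict(form)
    tampered["bitcoin_address"] = ATTACKER_ADDRESS
    return tampered


def confirm_page_as_seen_by_user(order, attacker_relays):
    """The confirm/continue_order pages travel back over the same untrusted HTTP
    path, so an attacker who tampered the request can relay the address the user
    typed even though the server holds his address (simplified: one flag)."""
    shown = MY_ADDRESS if attacker_relays else order["bitcoin_address"]
    return f"Buying {order['btc']} BTC to {shown}"


def paypal_item_description(order):
    """Proposed fix: the server writes the address into the PayPal item text,
    which reaches the user over PayPal's HTTPS session the attacker cannot edit."""
    return (f"Item number: {order['order_id']} - {order['btc']} BTC "
            f"to {order['bitcoin_address']}")


def user_check(displayed_text, intended_address):
    """The final check the post asks for: does the displayed text name my address?"""
    return intended_address in displayed_text


def run_scenario(tampered):
    """Run the flow with or without the man in the middle; report what each check sees."""
    form = {"email": "me@example.com", "btc": 1.5, "bitcoin_address": MY_ADDRESS}
    order = server_create_order(mitm_tamper(form) if tampered else form)
    return {
        "confirm_page_ok": user_check(confirm_page_as_seen_by_user(order, tampered), MY_ADDRESS),
        "paypal_ok": user_check(paypal_item_description(order), MY_ADDRESS),
    }
```

In the tampered run the confirm page still passes the check, which is why the post says not to prompt for verification there; only the PayPal description reveals the substitution.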