Topic: Bitcoin URI Protocol Scheme (Read 365 times)

Bump

That was the intent on the scam modal screen use on bitcoin.org (see Newbies, please be aware that Bitcoin.org is compromised! ): Click (amount button) & easily pay a fixed sum of 10$, 100$, 1000$ or 10000$ in BTC, or alternatively enter a custom amount. The odd looking BTC amount corresponds to the BTC equivalent of 100$ at the time.

Note: The URI modal was accessible yesterday on archive.org, but it isn’t today. It is though at https[colon]//archive[dot]ph/ERUpl (beware: scam modal screen).

How exactly does the scam work? Is it one of those you pay X amount to receive XX back type of scams? I am asking because I see the amount of 0.0022883 BTC in your code. Why that amount? I would think it would be in the scammer's best interests to have the victim send as much as possible and not a predetermined sum. Or maybe they created several of these URI's to make it easier for their victims to fill out the needed transaction details with just one click.

This is actually the format that the scammers were using on bitcoin.org’s doubler pop-up scam. Clicking on the chosen amount’s button would modify the amount parameter, making it easier for the transfer to be initiated (providing your software is set-up to process URI). Scamming made easier, at the click of your mouse ...

i.e. code taken from their pop-up’s generated URI:

Part of source code you shown only proof that Blockchain.com wallet accept the bitcoin URI scheme. But it doesn't proof that the wallet support message field correctly.

I wish I knew how to read that code, unfortunately, I don't.
The data android:scheme="bitcoin" part of it is the only thing that looks like it's pointing towards the wallet supporting the URI scheme. But I will take your word for it and put the Blockchain.com wallet back on the list.

Thanks for checking it out.

Thanks Pmalek for bumping this thread.

There is no need for this Here is the intent filter from the AndroidManifest.xml page which confirms that blockchain wallet app does accept the bitcoin URI sheme:

source
This is the beauty of open source!

Now we have two people claiming it works and one who says it doesn't. I will just wait for the next reply from someone who is interested in checking before I put it back on the list. Like in sports, let's see if the result will be 3:1 or a draw after all. 

BlueWallet has been added. Thanks for the tip.

Yes, it does. And, the URI scheme works with the Blockcain.com wallet so you can put it back on the list.

BlueWallet also works (obviously, mainnet wallet only, not LN), so you can add it as well.

Even if the wallet doesn't support adding message/note to a transaction, the wallet could simply ignore the message on URI. It basically means Blockchain wallet made a bug when implementing BIP 21.

The difference between the first and second link is in the amounts and the added comment. The first one has a "Payment to Pmalek" comment while the second one has no comment at all. The obvious question to ask now is, does the blockchain wallet have a comments field while sending crypto? If it doesn't, maybe that's why the first links isn't recognized by the app.   

Weird! I just realized that the warning message appears only when I click on the second link! Maybe it has something to do with the comment part at the end of the link!

Since the app appears on the open with list, it means it supports that URI scheme. Try clicking the second link, blockchain will open the main page but you will see a small warning text in red at the bottom (it disappears quickly).

edit: here is how it looks like:

What actually happens is after I click the URI link actually blockchain.com app shows in the list just like the screenshot but after selecting blockchain.com app, nothing happens, it just open the app, though I don't have a balance but there's nothing message shows that I don't have enough balance or what, unlike on mycelium, electrum, and trustwallet even there's no balance on the wallet it still go to the sending page with the details provided on the URI.
But maybe I'm using a bit outdated blockchain app that's why.

Blockchain wallet app supports URIs and here is a screenshot from my mobile after clicking on one of the links from OP:

If the blockchain wallet is empty, it won't open the send tab and fill up the fields. It will briefly display an error message stating that you don't have enough balance.
I suppose bL4nkcode didn't notice the warning message and assumed it doesn't support URIs.

Trustwallet and Coinomi are both close source wallets, I think if you will have to include close source wallet, it has to be indicated, although you can do it as you which but just the way I think it should be. Close source wallets are the worst wallet that could be use as an attack in the future, this is the reason I do not even like mentioning close such wallets at all.

Thanks for testing that. I wonder why it doesn't work on blockchain. I am sure I remembered correctly that it used to work even with blockchain's wallet.

I will add Trust Wallet and Coinomi to the list of wallets that support the URI Protocol Scheme and I will remove Blockchain.
If anyone else knows any other good wallets where it works, feel free to mention it. But please test it before you do, so we can avoid spreading misinformation.

No it does not. This scheme is simply giving an option to turn the address string into a clickable link. For example when you go to a merchant's website and they create a new address for you to pay they represent you with the string which you have to copy and then paste in your wallet. Then you have to do the same with the amount (since it is never a round number, something like 0.00167894).
Using this scheme you simply click the link and the appropriate fields in your wallet will be filled which you can double check later.

Same with donations, the address is already being reused for donations. This way you simplify the donating process a bit.

Not a big deal because when they click it and nothing happens they can simply copy the address and manually handle payment.
For example the merchant's website can have a little tooltip telling them their wallet may not support this but the URI is the "easy way" and otherwise to copy the information themselves.

Someone dealing with a "nefarious actor" is in a lot more danger than clicking a fake link!

I'm not sure if this is possible because for example all the example links you see in OP are protected by bitcointalk's SSL encryption and can not be changed by a MITM attack. And unless the user has a malware on their own system I don't see how else the address could change and if they do have a malware they have more things to worry about.
However there is still BIP-70, BIP-71 and BIP-72 describing solutions to the problem you are talking about.

While this is true, if the hacker has got access to change that address, they likely have the capability of tricking someone to send to their address through other means too. I don't think there's a particularly higher risk of address changing just because it's a hyperlink. Okay, theoretically is does have more attack vectors based on being public, and therefore potentially someone could compromise either the user or the forum, and change the address instead of just compromising the user, but the risk of that would be relatively low. Especially, for low level targets. This would be more appropriate for theymos, satoshi, and various other high level users on the forum.

Nope, this is just something that the majority of people ignore, especially when it comes to teaching people about a new thing. My general advice should be; teach everyone to the standard expected, and from a learners perspective learn from the start how you intend to carry on. So, for lack of good phrasing there; learn good protocols at the start, and then you don't have to deviate, and learn more things in the future, which would potentially increase the complexity due to mixing different methods up.

If you are taught to check the Bitcoin address three times, and unless there's a significantly better approach available, that you wasn't aware of at the time of learning, then you should continue doing so. I don't think it's a good idea to teach people about URLS unless they have a specific use for that, otherwise they'll like it because it's pretty gimmicky, and then they'll use that everywhere which wouldn't be appropriate.

Btw I have tried the URI on blockchain.com mobile wallet but it wont work while it actually fine when using with trust wallet, electrum and coinomi, both mobile wallets.

Also, it doesn't work on wallets that didn't support wallet address such the both segwit format address, which is obviously the case.

So far the URL will still necessarily fill in the appropriate space that should have been filled manually, this will not be resistant against clipboard malware in my opinion. Just as you commented, anytime someone want to transfer bitcoin to another address, the person should check and recheck the address before sending.