
Topic: Dumb Question : If I found a security flaw with a major bitcoin company .. (Read 7345 times)

sr. member
Activity: 448
Merit: 251
Bitcoin
You did the right thing dude, now can we close this thread please?

kthx

yea i'm done with it.   
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
You did the right thing dude, now can we close this thread please?

kthx
sr. member
Activity: 448
Merit: 251
Bitcoin

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it,  show me that screenshot of where you found it because I'm willing to bet you found it on a scraper using the allintext operator.
Just go to page 2 of google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10
(how do you think google found "your" links vs how google found "my" links?)

=== The link in Google that you showed me didn't show any instawallet addresses; however, they did show a bunch of pastebin crap with instawallet URLs in there (including the one you displayed above). It's not the same thing, not even close. Those URLs didn't come from Instawallet in Google's index, they came from pastebin.


3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten me.
omfg - instawallet url = private key = "username + password". Give me your hotmail username and password and I can "hack hotmail" Roll Eyes

=== In this case you're saying "I want your username and password"; instead, I just want to google your e-mail address and automatically log into your account. I don't want your username and password; in your example Google has the username and passwords included in the click-through URL.


hero member
Activity: 854
Merit: 500

There is 0.0005496 BTC in that wallet but minimum to take receive it is 0.01 BTC. That means that to get it someone has to transfer 0.0094504 BTC into it and immediately take everything out. However it's risky because someone else might take out everything while you are depositing.
newbie
Activity: 39
Merit: 0
1 -  freaking linking like that to someone's wallet ? seriously?
Someone decided to post it public (not me) and everyone (Google) can access this.
Also it's not even what I usually pay in transaction fee :lol: It's not like someone is going to miss these coins.

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it,  show me that screenshot of where you found it because I'm willing to bet you found it on a scraper using the allintext operator.
Just go to page 2 of google and search for "https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g" and you will see it: https://www.google.dk/#q=allintext:instawallet.org/w/&hl=da&start=10
(how do you think google found "your" links vs how google found "my" links?)

3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten me.
omfg - instawallet url = private key = "username + password". Give me your hotmail username and password and I can "hack hotmail" Roll Eyes
sr. member
Activity: 448
Merit: 251
Bitcoin
it's better to robots.txt-disable it anyway.

I'm going to repeat here what I stated in the other thread.

Quote from: The Founder
Google's Definition of Robots.Txt file isn't what you guys think it is.

1. You guys all believe it's not a "do not list these directories and pages"  
2. Google's definition is "do not spider these directories and pages"

They are NOT the same definition.  Not even close.

If you saw the screenshots on the article listed on this thread,  you'd see immediately that it was not the robots.txt file.
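
The crawl-versus-list distinction argued in the post above can be checked mechanically. The Python sketch below is an added example, not code from the thread or from Instawallet: the `/w/` path comes from the thread, while the token, function names and verdict strings are constructed for illustration. It relies on the documented crawler behaviour that a page blocked by robots.txt is never fetched, so a `noindex` directive on it is never seen.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (not taken from any real site).
ROBOTS_DISALLOW = "User-agent: *\nDisallow: /w/\n"
ROBOTS_EMPTY = ""
SECRET_PATH = "/w/EXAMPLE-TOKEN"  # placeholder for a secret-bearing wallet URL


def crawl_allowed(robots_txt, path, agent="Googlebot"):
    """True if robots.txt lets `agent` fetch (spider) `path`."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, path)


def has_noindex(headers):
    """True if an X-Robots-Tag header carries noindex (or its superset, none)."""
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            directives = {d.strip().lower() for d in value.split(",")}
            if directives & {"noindex", "none"}:
                return True
    return False


def audit(robots_txt, path, headers):
    """Classify how a leaked secret URL can surface in search results."""
    crawl = crawl_allowed(robots_txt, path)
    noindex = has_noindex(headers)
    if crawl and noindex:
        return "not-listed"            # page is fetched, noindex is honoured
    if crawl:
        return "listed-with-content"   # nothing stops crawling or listing
    if noindex:
        return "url-only-noindex-unseen"  # blocked crawler never sees the header
    return "url-only"                  # not spidered, but the URL can be listed


if __name__ == "__main__":
    for robots in (ROBOTS_EMPTY, ROBOTS_DISALLOW):
        for hdrs in ({}, {"X-Robots-Tag": "noindex, nofollow"}):
            print(repr(robots), hdrs, "->", audit(robots, SECRET_PATH, hdrs))
```

For a URL that is itself the credential, both `url-only` verdicts still expose the secret, which is why `Disallow` alone does not remove a leaked link from results.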
full member
Activity: 203
Merit: 100
Quote
3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten all of us.

Urls showing up in google does not mean that it was instawallet that "leaked" them.
If there was some magical page on instawallet that listed all addresses then this "bug" of yours would not be about ~100BTC, but about much more. Thus, this simply is about google crawling some urls from people's browsers, toolbars, links on other websites, etc. Not a "bug" in instawallet per se, but sure, it's better to robots.txt-disable it anyway.
sr. member
Activity: 448
Merit: 251
Bitcoin
On the screenshot we can see that you just searched for "site:instawallet.org", this is something that has been known for ages (e.g. https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT). Aka "Google hacking", "google dork", whatever it has nothing to do with hacking.

But simply asking google not to index or list items on your website, doesn't "fix" it because it has never been a security problem in instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.

Changing the "site" command to e.g. "allintext" and voilà free bitcoins:

But no, I'm not blaming instawallet.

1 -  freaking linking like that to someone's wallet ? seriously?

2 - You didn't find that link directly on Google, you found someone that was scraping or whatever then linking to it,  show me that screenshot of where you found it because I'm willing to bet you found it on a scraper using the allintext operator.

3 - Someone trusts their bitcoins to instawallet,  and instawallet's structure allows someone to steal those coins,  how is that not a security problem?  Please enlighten all of us.

newbie
Activity: 39
Merit: 0
On the screenshot we can see that you just searched for "site:instawallet.org", this is something that has been known for ages (e.g. https://plus.google.com/114827336297709201563/posts/TQNiDpqtwxT). Aka "Google hacking", "google dork", whatever it has nothing to do with hacking.

But simply asking google not to index or list items on your website, doesn't "fix" it because it has never been a security problem in instawallet. As I said before, it is best practice to do what you helped them with, but not a security problem to not do it. You want it to be a security problem to make instawallet look bad for not paying you, but please just face that it isn't and will never be a security problem.

Changing the "site" command to e.g. "allintext" and voilà free bitcoins:
https://instawallet.org/w/xoZ1YqOtD6ycsyk1DaiNelUAbOhagbT0g
https://i.imgur.com/aDx3rfO.png

But no, I'm not blaming instawallet.
legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
Lol, this is not a security flaw in instawallet Roll Eyes

If someone posts their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc.

And I really don't hope you spend 6 hours telling them to add two lines to a txt file?

Of course not spending 6 hours telling them how to fix their robots.txt file.  

For some reason everyone keeps saying it was the robots.txt file,  it wasn't.   If you guys actually spent the time looking at the screen shots you would actually realize that it's not nor was it the robots.txt file.



Anyway, thanks for this responsible disclosure.
sr. member
Activity: 448
Merit: 251
Bitcoin
Lol, this is not a security flaw in instawallet Roll Eyes

If someone posts their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc.

And I really don't hope you spend 6 hours telling them to add two lines to a txt file?

Of course not spending 6 hours telling them how to fix their robots.txt file.  

For some reason everyone keeps saying it was the robots.txt file,  it wasn't.   If you guys actually spent the time looking at the screen shots you would actually realize that it's not nor was it the robots.txt file.

newbie
Activity: 39
Merit: 0
Lol, this is not a security flaw in instawallet Roll Eyes

If someone posts their facebook username + password to e.g. pastebin, would you then call it a flaw in facebook?

Adding "Disallow: /w/" to their robots.txt file is best practice, but without it is not a security flaw, just like it's not a security flaw not to send the header "X-XSS-Protection", etc.

And I really don't hope you spend 6 hours telling them to add two lines to a txt file?
legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
legendary
Activity: 1512
Merit: 1049
Death to enemies!
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now, they already were aware of this problem.

By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
I heard that Google sometimes crawls webpages that its users (Chrome) visit?  True/not true?
True. Also some antivirus and firewall companies do this. By now they have at least a dozen instawallet urls.
legendary
Activity: 1400
Merit: 1005
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now, they already were aware of this problem.

By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
I heard that Google sometimes crawls webpages that its users (Chrome) visit?  True/not true?
member
Activity: 84
Merit: 10
By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
Or Instawallet could have included wallet URLs in its sitemap.
legendary
Activity: 952
Merit: 1000
This problem was discussed several times before, including on my chat.
I don't know why they decided to fix this only now, they already were aware of this problem.

By the way, Google doesn't magically index those pages, somewhere, somehow, someone posted his URL on the webz.
legendary
Activity: 1400
Merit: 1005
Dear Instawallet,

Yesterday I discovered a security flaw with your site. I spent nearly 6 hours working with David Francois, Chief Technology Officer at Paymium.

The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656

Davout... don't you think this guy deserves some BTC for his work?

EDIT:  Also, Google is still spitting out one wallet to me:  https://instawallet.org/r/aHR0cHM6Ly9pbnN0YXdhbGxldC5vcmc=
sr. member
Activity: 448
Merit: 251
Bitcoin
Dear Instawallet,

Yesterday I discovered a security flaw with your site. I spent nearly 6 hours working with David Francois, Chief Technology Officer at Paymium.

The security flaw impacted roughly 3000 people that use Instawallet and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656
sr. member
Activity: 351
Merit: 250

I tried exactly this once with a popular social media site half a decade ago, and they pretended to be thankful for finding the glaring security holes and kept asking me for more help and even asked for me to write up some security suggestions for them. They even offered me points on their website for a reward and such, and because I accepted, they tried to later say that I had blackmailed them. Turns out, they were trying to collect information to post about me and brand me as a "blackmailer hacker". They even recorded our phone calls (which was illegal in their state and thus they didn't use it). The employees who did this were subsequently fired of course by the corporate owners who took over the company and brought in an entirely new management group that I became friends with.

Moral of the story? There isn't one. Some people are dicks and you have to do what you do and deal with it as it comes.

The duplicity of security standards annoys me. I have no way of knowing if the bank doors are locked at night. Shouldn't I be allowed to check?

If I try and test to see if the bank doors are locked and someone sees me I might get arrested. If no one sees me and I tell the bank, "hey your doors aren't locked!" I will go down hard and there are no repercussions for the bank.

What a strange world we've created...