
Topic: Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred - page 32. (Read 158152 times)

member
Activity: 176
Merit: 10
The World’s First Blockchain Core
I suspect that this could be a faucet code issue and not an inputs.io problem

This hacker may be targeting sites that surely would have had an inputs.io account with API enabled, looking for vulnerabilities, trying to obtain read privileges on the config.php in which almost all current faucets keep the API key and PIN codes in plain text

I've also found a strange activity on my site and services overflow attempts, but without any success
legendary
Activity: 1302
Merit: 1007
Yeah, you really have to calm down. Leaving all your BTC in the same wallet isn't a very good idea. Anyway, I'm sure TF is working harder than you may think to solve this.
sr. member
Activity: 261
Merit: 250
I tried to withdraw 0.5 BTC; inputs.io said "Sent!" but it was not, the generated trxid does not exist, and of course my balance is now -0.5005 BTC

[edit]
all ok, transaction show up after some time
[/edit]
full member
Activity: 238
Merit: 100
Why is my "hotpocket empty"?

Same happened here.

Have all (or most of) funds from "hot wallets" been removed to cold storage?

First: it's not your hot pocket, it's inputs'.

I guess TF moved all coins to a secure cold wallet until he fixed the security breaches.

So calm down and use Electrum to keep huge amounts next time
legendary
Activity: 2198
Merit: 1989
฿uy ฿itcoin
weird, I had an api-key enabled and no issues...

I hope you guys aren't setting your api key & pin variables directly in the code
(like in the callback example here: https://inputs.io/api#callbackexample )

hopefully TF gets the API back online soon

-Minty

Haha lucky you. I guess the hacker didn't target everyone with an API key.
hero member
Activity: 640
Merit: 771
BTC⇆⚡⇄BTC
Why is my "hotpocket empty"?

Same happened here.

Have all (or most of) funds from "hot wallets" been removed to cold storage?
sr. member
Activity: 375
Merit: 250
Has anyone got any updates yet? I've moved my money to cold storage until this is resolved. I'm confident TF will fix everything 
member
Activity: 81
Merit: 10
CoinLenders should probably have its withdrawals disabled - I withdrew and found nothing shows up in my Inputs.IO wallet... then I come and look and the API is disabled. (which is probably why the deposit part didn't take effect)

CoinLenders should probably have caught some sort of error and not deducted my balance... hopefully this item is easy to fix and get balances right!

My luck is not too good these days - lose some BTC to an "auto-refund" by Coinbase and now to API key for CoinLenders...

I agree with your suggestion. I withdrew 5 BTC yesterday from CoinLenders and they never showed up in Inputs. I've sent an email to TF and have not received any reply. This might be a serious problem for all of us.
member
Activity: 63
Merit: 10
CoinLenders should probably have its withdrawals disabled - I withdrew and found nothing shows up in my Inputs.IO wallet... then I come and look and the API is disabled. (which is probably why the deposit part didn't take effect)

CoinLenders should probably have caught some sort of error and not deducted my balance... hopefully this item is easy to fix and get balances right!

My luck is not too good these days - lose some BTC to an "auto-refund" by Coinbase and now to API key for CoinLenders...
legendary
Activity: 2198
Merit: 1989
฿uy ฿itcoin
I recently used the API, just to check how it works :S. Unlucky I guess. We'll be patient while TF works his magic
newbie
Activity: 11
Merit: 0
A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.

Everyone who has lost money will be fully reimbursed.

Thank you TF. You're the best.
newbie
Activity: 22
Merit: 0
weird, I had an api-key enabled and no issues...

I hope you guys aren't setting your api key & pin variables directly in the code
(like in the callback example here: https://inputs.io/api#callbackexample )

hopefully TF gets the API back online soon

-Minty
legendary
Activity: 1036
Merit: 1000
just want to ask all reimbursed  or what is policy about this I lost 0.127 btc and its in my account for last 1 month

I lost 0.2445 BTC
sr. member
Activity: 420
Merit: 250
★☆★777Coin★☆★
just want to ask all reimbursed  or what is policy about this I lost 0.127 btc and its in my account for last 1 month
hero member
Activity: 672
Merit: 500
A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

Glad to hear you're resolving it so quickly. Can you check if anything was lost my faucet account? ([email protected]), and I think it might but I get so many cashouts it's a pain to go through.
sr. member
Activity: 854
Merit: 264
Crypto is not a religion but i like it
Why is my "hotpocket empty"?
hero member
Activity: 532
Merit: 500
but you still need the pin to use the api.

That was just an example. Apparently this hacker found a way to exploit API keys and pins.
hero member
Activity: 806
Merit: 1000
COINMIXER.NET
but you still need the pin to use the api.
hero member
Activity: 532
Merit: 500
A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

by the way, just wondering, what are API keys? are they some special feature which allows access to our account, and how do I disable such a feature if it is ON

Just some quick info:

An API (Application Programming Interface) is a key that allows use of features of an application without having to provide a username/password combo, and performing a login. Typically, it's paired with some sort of JSON or XML response, for responses, and for retrieving information. Here's an example. (Disclaimer: Not real info. I'm not sure of the structure of the Inputs.io API)

A user with an API key runs a faucet. He uses the Inputs.io API to send his payments automatically, instead of having to do it manually, or having to hack up a solution to emulate a real user. For old time's sake, let's call him Bob.

Bob's application requests the following page to send some Bitcoins.

Code:
https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=100&recipient=13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D

This would authenticate to the API with his API key, and send 100 satoshis to the address 13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D (I'm using my own for this example), or perhaps an Inputs.io user instead, where recipient could be replaced with "caffeinewriter" instead, or something similar.

Now let's say Mallory has somehow acquired Bob's API key. She now can use the Inputs.io API to manipulate Bob's account without ever logging in.

First, she could figure out his balance using the API, assuming there is a method for that.

Code:
https://inputs.io/api/v1/getBalance?apikey=ThisIsHisAPIKey&user=bitcoinbob

This could return a JSON object, for example.

Code:
{
    "user": "bitcoinbob",
    "balance": 214150000
}

Now Mallory can make another API request to withdraw Bob's entire balance of BTC2.14150000.

Code:
https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=214150000&recipient=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

API keys are dangerous. Be safe guys. Hope this helped illustrate how this happened at least a little bit.
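The walkthrough above shows a single stolen key being enough to withdraw a whole balance. As an added example (not part of the original post and not Inputs.io code), here is a server-side check that caps what any one API key can send, so a leaked faucet key loses at most a day's payout budget. The `KeyPolicy` limits and function names are assumptions, and the URL shape is the post's own made-up one.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

@dataclass
class KeyPolicy:
    """Hypothetical per-key limits, in satoshis (not an Inputs.io feature)."""
    max_per_request: int
    max_per_day: int
    spent_today: int = 0

def make_policies():
    # Constructed sample: Bob's faucet key only ever needs tiny payouts.
    return {"ThisIsHisAPIKey": KeyPolicy(max_per_request=1_000, max_per_day=100_000)}

def authorize(url, policies):
    """Return (allowed, reason) for a sendBitcoin URL in the post's made-up shape."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/sendBitcoin"):
        return False, "not a send request"
    query = parse_qs(parsed.query)
    try:
        key = query["apikey"][0]
        amount = int(query["amount"][0])
        query["recipient"][0]  # must be present; faucets pay arbitrary addresses
    except (KeyError, ValueError):
        return False, "malformed request"
    policy = policies.get(key)
    if policy is None:
        return False, "unknown key"
    if amount <= 0:
        return False, "invalid amount"
    if amount > policy.max_per_request:
        return False, "exceeds per-request limit"
    if policy.spent_today + amount > policy.max_per_day:
        return False, "exceeds daily limit"
    policy.spent_today += amount  # count only requests that were allowed
    return True, "ok"

# The two send requests from the post above, reused as constructed test input.
BASE = "https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey"
BOB_PAYOUT = BASE + "&amount=100&recipient=13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D"
DRAIN = BASE + "&amount=214150000&recipient=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX"

if __name__ == "__main__":
    policies = make_policies()
    print(authorize(BOB_PAYOUT, policies))  # Bob's normal faucet payout
    print(authorize(DRAIN, policies))       # the whole-balance withdrawal
    small = BASE + "&amount=1000&recipient=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX"
    allowed = sum(authorize(small, policies)[0] for _ in range(500))
    print(allowed, policies["ThisIsHisAPIKey"].spent_today)
```

Splitting the withdrawal into many small requests only gets as far as the daily cap, which is the number an operator should size to what the faucet can afford to lose.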
sr. member
Activity: 252
Merit: 250
The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.

Everyone who has lost money will be fully reimbursed.

Great to hear!
My coins were also lost (Transaction e3da16d145fac74403c6c55bcfd0eb1529548267f30c28a5ef009b7b69243dc1)

If that could please be reimbursed when you have the problem solved. Thanks for the great service.