Topic: Instawallet/Bitcoin-Central Security Breach - page 13. (Read 85341 times)

hero member
Activity: 952
Merit: 1009

Chrome is the ultimate spyware

And I love it for that.

I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you".
Without me doing anything.

Or I look up a restaurant at lunchtime and later at dinnertime I'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder".
Without me doing anything.

Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. You'd better drive this way. Just saying".

Without me doing anything.

It's perfect and exactly what my phone should do.

The lesson here is not: Google is evil.

The lesson is: Security through Obscurity does never ever work.
hero member
Activity: 700
Merit: 500
So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?

Speculation, but justified.

Chrome is the ultimate spyware
hero member
Activity: 756
Merit: 522
he can include them in the same block

Ah right you are, it didn't occur to me.
full member
Activity: 197
Merit: 100
For the record,  if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) to their gmail account their instawallet address for safe keeping...  google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  hence the problem!

The more I research,  the more I believe that some of these instawallet urls (not all but a big number of them) were due to people mailing themselves their OWN URL using Gmail.
Thanks for the warning Founder. My own experience shows that this security hole does not always lead to bitcoin losses.

I set up an Instawallet for a friend, and put 3 BTC in it. There is no password on the wallet, knowledge of the URL is sufficient for access. I then emailed the wallet URL from my  email account to my friend's Gmail account.

My friend has suffered no losses or problems. The wallet was still working fine up to a couple of days ago.


hero member
Activity: 756
Merit: 1000
So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?
legendary
Activity: 1106
Merit: 1004
Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

Thanks dooglus. Mine was off.
newbie
Activity: 14
Merit: 0
I don't think most people realize when you enter a url for an https address such as instawallet, the part of the url after instawallet.org is sent as an encrypted string

https://www.instawallet.org/"encrypted string"

The actual password or whatever in the url is not sent as plain text and is not readable by all the hops in between.

Now if chrome is treating everything entered in the search/url bar as a search, even a full https url, and sending it to google, that is a serious problem.
legendary
Activity: 2940
Merit: 1333
Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

legendary
Activity: 1106
Merit: 1004
Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Does the same apply to Chromium?
hero member
Activity: 533
Merit: 500
I'm surprised that Instawallet wouldn't do any number of adjustments to their code to prevent something that's risk-prone like that from happening.

For example, I do photography with Smugmug.  They randomize every single photo's ending URL at 9 different sizes.  Your gallery name may go into the URL but you (should) have a password for anyone accessing it, and your starting photo URL is still pretty random (not just photo1). 

To think they'd let someone's own password be spelled out right in the URL is pretty shocking if I understand it correctly. 

Oh and yeah, not a fan of Chrome.  I'll use it for Bitconity updates since currently my IE is broken with it and for coding.  Otherwise, nope.  But go figure, my brothers love Gmail though.
sr. member
Activity: 476
Merit: 250
Google: Your business is our business.
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Who are these stupid sheeple dumbfucks using Chrome?

"Zomg its shiny and new, I better use Chrome to check my Gmail so I have zero privacy and my identity may be stolen by anyone who wants it.  Hurr Durr!!"

The FEMA camps are too good for them...
legendary
Activity: 4690
Merit: 1276
...
This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut.
...

Most Bitcoiners are begging and screaming for Bitcoin to scale to a magnitude where only organizations with a very large network footprint and sophisticated processing clusters will be able to run the system reliably and competitively.  Whether they realize that is the likely end result of their cries or not...

The upside is that the business (and other) intelligence value of carrying so much of the capacity of an economic system will likely make it such that transaction fees are unnecessary.  Just like a lot of other niceties that just seem to fall into our laps from the sky gods.

member
Activity: 110
Merit: 10

I've been saying this for years, Google is the Devil.

Google wants to know everything about everybody, so they can sell you stuff.
sr. member
Activity: 448
Merit: 251
Bitcoin
My day job,  I'm president of Yooter InterActive.
I've been working with search engines for a long time..  

Let me tell you some tidbits of what I have discovered over the years regarding Google.

1 - Their mission is to obtain information, and resell that in the form of advertising.   Period.  
2 - They used to collect it back in the very late 1990's and early 2000's virtually all through spidering.
3 - Then out of nowhere they started spending money on stuff like gmail, google maps, google chrome, android, google voice, google chat, google x, y, z etc...
4 - these products exist for the sole purpose of collecting information..  that spider collects only a fraction of their info now.  every search you make is recorded, every url you visit is recorded if you use their product,  every time you use google maps and your start location is residential and that happens more than 2 or 3 times they now know where you live.
5 - you send a link to your friend from gmail or to a gmail address, they now know that link exists,  if your friend clicks on that link.. now google knows that url exists.. even if that site is banned in the robots.txt file

This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut.

That's google...  

If they wanted to find the urls of instawallet.. nothing on earth could stop them.   That being stated,  the fact that instawallet didn't ban Google from listing all urls in Webmaster tools (instead relying on just a robots.txt file)  is their (instawallet's) fault.

For the record,  if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) to their gmail account their instawallet address for safe keeping...  google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  hence the problem!

The more I research,  the more I believe that some of these instawallet urls (not all but a big number of them) were due to people mailing themselves their OWN URL using Gmail.  

I wish I could get a million people to read this exact post...  because I don't think people fully comprehend what they are dealing with when they mention the company google.
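
Added example, not part of the original post and not Instawallet's code: a small audit of the point made above, that a robots.txt rule alone does not keep a secret-bearing URL out of a search index. The host `wallet.example`, the token, the function name and the finding labels are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Referrer policies that never send the URL path to another origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}

def audit_secret_url(url, robots_txt, headers, agent="Googlebot"):
    """Return findings for a page whose URL is itself the access credential."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    h = {k.lower(): v.lower() for k, v in headers.items()}
    robots_tags = {t.strip() for t in h.get("x-robots-tag", "").split(",")}
    noindex = bool(robots_tags & {"noindex", "none"})

    findings = []
    if not rp.can_fetch(agent, url):
        # Disallow stops fetching, not listing: a URL learned from a link or
        # a mail can still be indexed, and a crawler that may not fetch the
        # page never sees a noindex header on it.
        findings.append("robots-disallow-only")
    elif not noindex:
        findings.append("missing-noindex")
    if h.get("referrer-policy", "").strip() not in SAFE_REFERRER:
        # Links and embedded resources may carry the full URL in Referer.
        findings.append("referrer-leak")
    if "no-store" not in h.get("cache-control", ""):
        findings.append("cacheable")
    return findings

# Constructed sample data (not taken from the thread).
URL = "https://wallet.example/w/CONSTRUCTED-TOKEN"
WEAK_ROBOTS = "User-agent: *\nDisallow: /w/\n"
HARDENED_ROBOTS = "User-agent: *\nAllow: /\n"
HARDENED_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    print("robots.txt only:", audit_secret_url(URL, WEAK_ROBOTS, {}))
    print("hardened:       ", audit_secret_url(URL, HARDENED_ROBOTS, HARDENED_HEADERS))
```

These headers only reduce passive exposure. They do nothing once the URL is mailed or entered into a client that reports it, which is the case the thread argues about.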
legendary
Activity: 1246
Merit: 1077
If you put password in URL on your website, it is not Google's fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
If I'm not mistaken, unless you remember the https part Chrome will send whatever you put on the URL bar to Google's databases.

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
If you put password in URL on your website, it is not Google's fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
If I'm not mistaken, unless you remember the https part Chrome will send whatever you put on the URL bar to Google's databases.
legendary
Activity: 1400
Merit: 1005
If you put password in URL on your website, it is not Google's fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
legendary
Activity: 1764
Merit: 1007
I've always felt this instawallet model is a bad idea, since the beginning... it just felt much too "instant" for me.
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
Vladimir: +1.

And while the way Instawallet works is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's.

Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? Shocked

Um...Instawallet essentially leaked them. Not actively, but passively.
Because they failed to secure the site so that robots couldn't crawl and discover the URLs.
It is my understanding the site wasn't crawled, Google simply recorded the URLs people typed/pasted on the URL bar of their browser or in one of their many services and programs.