Topic: Instawallet/Bitcoin-Central Security Breach - page 13. (Read 85276 times)

And I love it for that.

I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you".
Without me doing anything.

Or I look up a restaurant at lunchtime and later at dinnertime i'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder".
Without me doing anything.

Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. You'd better drive this way. Just saying".

Without me doing anything.

It's perfect and exactly what my phone should do.

The lesson here is not: Google is evil.

The lesson is: Security through Obscurity does never ever work.

Speculation, but justified.

Chrome is the ultimate spyware

Ah right you are, it didn't occur to me.

Thanks for the warning Founder. My own experience shows that this security hole does not always lead to bitcoin losses.

I set up an Instawallet for a friend, and put 3 BTC in it. There is no password on the wallet, knowledge of the URL is sufficient for access. I then emailed the wallet URL from my  email account to my friends Gmail account.

My friend has suffered no losses or problems. The wallet was still working fine up to couple of days ago.

So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?

Thanks dooglus. Mine was off.

I don't think most people realize when you enter a url for an https address such as instawallet, the part of the url after instawallet.org is sent as an encrypted string

https://www.instawallet.org/"encrypted string"

The actual password or whatever in the url is not sent as plain text and is not readable by all the hops inbetween.

Now if chrome is treating everything entered in the search/url bar as a search, even a full https url, and sending it to google, that is a serious problem.

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

Does the same apply to Chromium?

I'm surprised that Instawallet wouldn't do any number of adjustments to their code to prevent something that's risk-prone like that from happening.

For example, I do photography with Smugmug.  They randomize every single photo's ending URL at 9 different sizes.  Your gallery name may go into the URL but you (should) have a password for anyone accessing it, and your starting photo URL is still pretty random (not just photo1). 

To think they'd let someone's own password be spelled out right in the URL is pretty shocking if I understand it correctly. 

Oh and yeah, not a fan of Chrome.  I'll use it for Bitconity updates since currently my IE is broken with it and for coding.  Otherwise, nope.  But go figure, my brothers love Gmail though.

Google: Your business is our business.

Who are these stupid sheeple dumbfucks using Chrome?

"Zomg its shiny and new, I better use Chrome to check my Gmail so I have zero privacy and my identity may be stolen by anyone who wants it.  Hurr Durr!!"

The FEMA camps are too good for them...

Most Bitcoiners are begging and screaming for Bitcoin to scale to a magnitude where only organizations with a very large network footprint and sophisticated processing clusters will be able to run the system reliably and competitively.  Whether they realize that is the likely end result of their cries or not...

The upside is that the business (and other) intelligence value of carrying so much of the capacity of an economic system will likely make it such that transaction fees are unnecessary.  Just like a lot of other niceties that just seem to fall into our laps from the sky gods.

I've been saying this for years, Google is the Devil.

Google wants to know everything about everybody, so they can sell you stuff.

My day job,  I'm president of Yooter InterActive.
I've been working with search engines for a long time..  

Let me tell you some tibits of what I have discovered over the years regarding Google.

1 - Their mission is to obtain information, and resell that in the form of advertising.   Period.  
2 - They used to collect it back the very late 1990's and early 2000's virtually all though spidering.
3 - Then out of no where they started spending money on stuff like gmail, google maps, google chrome, android, google voice, google chat, google x, y ,z etc...
4 - these products exist for the sole purpose of collecting information..  that spider collects only a fraction of their info now.  every search you make is recorded, every url you visit is recorded if you use their product,  every time you use google maps and your start location is residental and that happens more than 2 or 3 times they now know where you live.
5 - you send a link to your friend from gmail or to a gmail address, they now know that link exists,  if your friend clicks on that link.. now google knows that url exists.. even if that site is banned in the robots.txt file

This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut.

That's google...  

If they wanted to find the urls of instawallet.. nothing on earth could stop them.   That being stated,  the fact that instawallet didn't ban Google from listing all urls in Webmaster tools (instead relying on just a robots.txt file)  is their (instawallets) fault.

For the record,  if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) to their gmail account their instawallet address for safe keeping...  google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  hence the problem!

The more I research,  the more I believe that some of these instawallet urls (not all but a big number of them) were due to people mailing themselves their OWN URL using Gmail.  

I wish I could get a million people to read this exact post...  because I don't think people fully comprehend what they are dealing with when they mention the company google.










 

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:

If i'm not mistaken, unless you remember the https part Chrome will send whatever you put on the URL bar to Google's databases.

I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.

I've always felt this instawallet model is a bad idea, since the beginning... it just felt much too "instant" for me.

It is my understanding the site wasn't crawled, Google simply recorded the URLs people typed/pasted on the URL bar of their browser or in one of their many services and programs.