Instawallet/Bitcoin-Central Security Breach - page 14.

Injust

legendary

Activity: 1008

Merit: 1000

Quote from: Nicolai on April 01, 2013, 07:42:34 PM

Vladimir: +1.

And while the way Instawallet work is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's.

Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? Shocked

Um...Instawallet essentially leaked them. Not actively, but passively.
Because they failed to secure the site so that robots couldn't crawl and discover the URLs.

Nicolai

newbie

Activity: 39

Merit: 0

Vladimir: +1.

And while the way Instawallet work is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's.

Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? Shocked

the founder

sr. member

Activity: 448

Merit: 251

Bitcoin

Quote from: ?? on ??

If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security.

Do not blame Google it is not their fault.

Vladimir, I do blame Google to an extent, it appears that many people here believe (and understandably) that Google won't index anything banned in the robots.txt file. This is not the case. They can and DO index anything they believe exists, even if they technically can't spider it. But hey.. if Chrome Browser can hit that url, or someone sent that link via GMAIL, or someone sent it give Google Talk or texted it via Google Voice.. etc etc...... it must be real ... so even without spidering it they know it exists.

Out of all the companies on earth, that one scares me the most... I've been working with search engines since 1994, and Google since 1999 ... trust me.. this company scares me.

the founder

sr. member

Activity: 448

Merit: 251

Bitcoin

Quote from: Nicolai on April 01, 2013, 07:05:11 PM

BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this work (which it does with enough tries), then it would be hotmail.com's fault? This is what your saying right now Roll Eyes

I suggest you read this: https://bitcointalksearch.org/topic/m.1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leaks their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but it the end it's the users fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have no idea how to say this.

Last week, if you googled site:instawallet.org
You would be greeted with at least 3000 wallets, many of them with bitcoins which you can click on that link and transfer those coins out.

If you googled site:hotmail.com
I would not be greeted with your inbox and read all your e-mails.

This not anywhere near the same issue, what they had was a SECURITY FLAW.

partially it was Google's fault, they (google) lie to people saying that a robots.txt ban means google doesn't index your site.

In reality it means they would not SPIDER the urls, it doesn't mean they won't list them.

Big difference, the hedge against that instawallet failed to address, hence why it became a security flaw.

but let's put all this aside, want to know the diffrence between a "flaw" and a "security flaw"

Nicolai, would you put all your bitcoins on Instawallet? Your answer should let you know the difference between a flaw and a security flaw.

Injust

legendary

Activity: 1008

Merit: 1000

Quote from: Nicolai on April 01, 2013, 07:05:11 PM

BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this work (which it does with enough tries), then it would be hotmail.com's fault? This is what your saying right now Roll Eyes

I suggest you read this: https://bitcointalksearch.org/topic/m.1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leaks their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but it the end it's the users fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have a chainsaw. Your argument is valid.
But anyway, your analogy is VERY bad. VERY.
It's Instawallet's flaw because they allowed Google bots to index their wallet URLs. Nobody pasted a database dump of Instawallet URLs anywhere.

Nicolai

newbie

Activity: 39

Merit: 0

BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this work (which it does with enough tries), then it would be hotmail.com's fault? This is what your saying right now Roll Eyes

I suggest you read this: https://bitcointalksearch.org/topic/m.1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leaks their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but it the end it's the users fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

Injust

legendary

Activity: 1008

Merit: 1000

Quote from: steelboy on April 01, 2013, 05:56:42 PM

Quote from: ?? on ??

Quote from: steelboy on April 01, 2013, 05:55:11 PM

Quote from: Injust on April 01, 2013, 05:53:17 PM

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy belongs to Instawallet/Bitcoin-Central then good.

Do you believe it?

Impossible to know for sure, but I believe it's legit, albeit with a bit of doubt.

steelboy

hero member

Activity: 756

Merit: 1000

Quote from: ?? on ??

Quote from: steelboy on April 01, 2013, 05:55:11 PM

Quote from: Injust on April 01, 2013, 05:53:17 PM

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy belongs to Instawallet/Bitcoin-Central then good.

Do you believe it?

steelboy

hero member

Activity: 756

Merit: 1000

Quote from: Injust on April 01, 2013, 05:53:17 PM

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

Injust

legendary

Activity: 1008

Merit: 1000

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

foo

sr. member

Activity: 409

Merit: 250

Quote from: dooglus on April 01, 2013, 04:49:16 PM

Quote from: steelboy on April 01, 2013, 04:32:21 PM

The last few posts made no sense to me at all.

Does it look good or bad?

Not bad.

They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address. Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the bit transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet.

Confirmed! Eligius picked up the $20.

hous

member

Activity: 98

Merit: 10

yea i got 30 coin in instawallet Sad

jabetizo

full member

Activity: 125

Merit: 101

Quote from: MPOE-PR on April 01, 2013, 05:26:52 PM

Quote from: dooglus on April 01, 2013, 04:49:16 PM

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.

he can include them in the same block

MPOE-PR

hero member

Activity: 756

Merit: 522

Quote from: dooglus on April 01, 2013, 04:49:16 PM

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.

jabetizo

full member

Activity: 125

Merit: 101

Quote from: dooglus on April 01, 2013, 04:49:16 PM

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet.

i think the problem is also that the miners are not even aware of the transactions, since nodes don't relay them because of unconfirmed inputs. the client would need to be updated as well to enable "smart relaying".

Injust

legendary

Activity: 1008

Merit: 1000

Quote from: Nicolai on April 01, 2013, 05:10:38 PM

Quote from: the founder on April 01, 2013, 02:04:21 PM

I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything...

Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread alot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If you don't think that somebody just Googling up your Instawallet URLs along with your BTC in them, then you need to stop hiding your head in a hole.

BitDreams

hero member

Activity: 503

Merit: 501

Quote from: Nicolai on April 01, 2013, 05:10:38 PM

Quote from: the founder on April 01, 2013, 02:04:21 PM

I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything...

Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread alot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If those google https:\\ links pointed back to the instawallet web site it most certainly is a security flaw which could indeed lead to exploits in my opinion.

steelboy

hero member

Activity: 756

Merit: 1000

Quote from: steelboy on April 01, 2013, 04:02:07 PM

I made two withdrawals from jnstawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messages Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent should I be sure to receive this whatever happens with the rest of instawallets issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?

Nicolai

newbie

Activity: 39

Merit: 0

Quote from: the founder on April 01, 2013, 02:04:21 PM

I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything...

Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread alot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

Injust

legendary

Activity: 1008

Merit: 1000

Quote from: steelboy on April 01, 2013, 04:56:57 PM

Quote from: SgtSpike on April 01, 2013, 04:53:57 PM

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though. Sad

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.

It would be nice to hear from Davout. I believe he is instawallet staff

Yup, he is.

Topic: Instawallet/Bitcoin-Central Security Breach - page 14. (Read 85336 times)