Topic: Instawallet/Bitcoin-Central Security Breach - page 14. (Read 85341 times)

legendary
Activity: 1008
Merit: 1000
Vladimir: +1.

And while the way Instawallet works is not security-by-design, doing a "site:" search is not a security flaw, as long as Instawallet didn't leak the URLs.

Injust: Just to make sure; you do know that Google didn't "magically" find these URLs, right? And Instawallet didn't leak them. (Also, 2+2 does not equal 5.) If it wasn't Instawallet and Google can't do magic, who do you think leaked them? Shocked

Um...Instawallet essentially leaked them. Not actively, but passively.
Because they failed to secure the site so that robots couldn't crawl and discover the URLs.
newbie
Activity: 39
Merit: 0
Vladimir: +1.

And while the way Instawallet works is not security-by-design, doing a "site:" search is not a security flaw, as long as Instawallet didn't leak the URLs.

Injust: Just to make sure; you do know that Google didn't "magically" find these URLs, right? And Instawallet didn't leak them. (Also, 2+2 does not equal 5.) If it wasn't Instawallet and Google can't do magic, who do you think leaked them? Shocked
sr. member
Activity: 448
Merit: 251
Bitcoin
If you put a password in a URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligent disregard of the most trivial best practices in information security.

Do not blame Google; it is not their fault.

Vladimir, I do blame Google to an extent. It appears that many people here believe (and understandably) that Google won't index anything banned in the robots.txt file. This is not the case. They can and DO index anything they believe exists, even if they technically can't spider it. But hey, if the Chrome browser can hit that URL, or someone sent that link via Gmail, or someone sent it via Google Talk or texted it via Google Voice, etc. etc., it must be real, so even without spidering it they know it exists.

Out of all the companies on earth, that one scares me the most...  I've been working with search engines since 1994,  and Google since 1999 ...  trust me..  this company scares me.

sr. member
Activity: 448
Merit: 251
Bitcoin
BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_ by going to Google, searching for a hacked database dump of some random other site (i.e. not Hotmail), finding a random user with an @hotmail email and trying to log in to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now Roll Eyes

I suggest you read this: https://bitcointalksearch.org/topic/m.1695310 Basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not, and will never be, a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have no idea how to say this.

Last week,  if you googled  site:instawallet.org
You would be greeted with at least 3000 wallets,  many of them with bitcoins which you can click on that link and transfer those coins out.

If you googled site:hotmail.com
I would not be greeted with your inbox and read all your e-mails.

This is not anywhere near the same issue; what they had was a SECURITY FLAW.

Partially it was Google's fault; they (Google) lie to people, saying that a robots.txt ban means Google doesn't index your site.

In reality it means they will not SPIDER the URLs; it doesn't mean they won't list them.

Big difference, and the hedge against that Instawallet failed to address, hence why it became a security flaw.

But let's put all this aside. Want to know the difference between a "flaw" and a "security flaw"?

Nicolai, would you put all your bitcoins on Instawallet? Your answer should let you know the difference between a flaw and a security flaw.

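The robots.txt point made in the post above (a Disallow rule stops a crawler from fetching a page, not from listing a URL it learned elsewhere) can be checked mechanically. The following is an added example, not code from this thread or from Instawallet; it uses Python's standard urllib.robotparser, and the two robots.txt files, the example.invalid hostname, the /w/ path and the response headers are all constructed for illustration.

```python
from urllib import robotparser

# Constructed robots.txt files (not Instawallet's real one). The weak one
# relies on Disallow alone; the open one lets crawlers fetch the page so
# that a per-response noindex header can actually be seen and obeyed.
ROBOTS_TXT_WEAK = "User-agent: *\nDisallow: /w/\n"
ROBOTS_TXT_OPEN = "User-agent: *\nDisallow:\n"


def robots_disallows(robots_txt, url, user_agent="Googlebot"):
    """True if a well-behaved crawler would refuse to *fetch* url."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(user_agent, url)


def has_noindex(headers):
    """True if the response carries an X-Robots-Tag header containing noindex."""
    return any(name.lower() == "x-robots-tag" and "noindex" in value.lower()
               for name, value in headers.items())


def index_exposure(robots_txt, url, status, headers):
    """Classify how a URL can end up in a search index:
      'authenticated' - the server refuses the unauthenticated fetch (401/403),
                        so the crawler gets no content at all; the sound design.
      'robots-only'   - Disallow stops the fetch, but the bare URL can still be
                        listed from links, browsers, mail etc. (the thread's
                        point), and a noindex header on it is never seen.
      'noindex'       - the crawler fetches it, sees noindex, and drops it.
      'indexable'     - nothing stops crawling or indexing.
    """
    if status in (401, 403):
        return "authenticated"
    if robots_disallows(robots_txt, url):
        return "robots-only"
    if has_noindex(headers):
        return "noindex"
    return "indexable"


if __name__ == "__main__":
    url = "https://example.invalid/w/abc"  # assumed URL shape, not a real wallet
    print(index_exposure(ROBOTS_TXT_WEAK, url, 200, {}))                          # robots-only
    print(index_exposure(ROBOTS_TXT_OPEN, url, 200, {"X-Robots-Tag": "noindex"}))  # noindex
```

Note the ordering of the checks: a URL that is disallowed in robots.txt is classified as "robots-only" even when the response also carries noindex, because a crawler that honours the Disallow never fetches the page and so never sees the header. Of the four outcomes only "authenticated" removes the exposure entirely; the other three still depend on crawler behaviour.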
legendary
Activity: 1008
Merit: 1000
BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_ by going to Google, searching for a hacked database dump of some random other site (i.e. not Hotmail), finding a random user with an @hotmail email and trying to log in to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now Roll Eyes

I suggest you read this: https://bitcointalksearch.org/topic/m.1695310 Basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not, and will never be, a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have a chainsaw. Your argument is valid.
But anyway, your analogy is VERY bad. VERY.
It's Instawallet's flaw because they allowed Google bots to index their wallet URLs. Nobody pasted a database dump of Instawallet URLs anywhere.
newbie
Activity: 39
Merit: 0
BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_ by going to Google, searching for a hacked database dump of some random other site (i.e. not Hotmail), finding a random user with an @hotmail email and trying to log in to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now Roll Eyes

I suggest you read this: https://bitcointalksearch.org/topic/m.1695310 Basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not, and will never be, a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
legendary
Activity: 1008
Merit: 1000
The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy  belongs to Instawallet/Bitcoin-Central then good.


Do you believe it?

Impossible to know for sure, but I believe it's legit, albeit with a bit of doubt.
hero member
Activity: 756
Merit: 1000
The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy  belongs to Instawallet/Bitcoin-Central then good.


Do you believe it?
hero member
Activity: 756
Merit: 1000
The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?
legendary
Activity: 1008
Merit: 1000
The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.
foo
sr. member
Activity: 409
Merit: 250
The last few posts made no sense to me at all. Smiley

Does it look good or bad?

Not bad.

They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address.  Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the big transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  Smiley

Confirmed! Eligius picked up the $20.
member
Activity: 98
Merit: 10
Yeah, I got 30 coins in instawallet  Sad
full member
Activity: 125
Merit: 101
A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.

he can include them in the same block
hero member
Activity: 756
Merit: 522
A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.
full member
Activity: 125
Merit: 101
A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  Smiley

I think the problem is also that the miners are not even aware of the transactions, since nodes don't relay them because of unconfirmed inputs. The client would need to be updated as well to enable "smart relaying".
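The fee reasoning in the last few posts (a 0.1 BTC-fee transaction cannot be mined before the 0-fee transaction it spends, and a miner that looked at the pair together could include both in one block) is easy to make concrete. The following is an added example, not code from this thread or from any Bitcoin implementation: a toy mempool with made-up txids, fees and sizes, and two block-building strategies. The first ranks transactions by their own fee rate and skips anything with an unconfirmed parent, which is the behaviour the thread observed; the second ranks by the fee rate of a transaction together with its unconfirmed ancestors, the idea later known as child-pays-for-parent.

```python
from collections import namedtuple

# fee_sat is in satoshis (0.1 BTC = 10_000_000 sat); sizes are rough byte counts.
Tx = namedtuple("Tx", "txid fee_sat size_bytes parents")

# Constructed mempool modelled on the thread's situation (txids are invented):
# two 0-fee sweeps out of cold storage, two 0.1 BTC-fee moves spending them,
# and one ordinary paying transaction.
MEMPOOL = {
    "sweep_a": Tx("sweep_a", 0, 500, ()),
    "sweep_b": Tx("sweep_b", 0, 500, ()),
    "move_a":  Tx("move_a", 10_000_000, 300, ("sweep_a",)),
    "move_b":  Tx("move_b", 10_000_000, 300, ("sweep_b",)),
    "filler":  Tx("filler", 20_000, 250, ()),
}


def ancestors(mempool, txid):
    """Transitive unconfirmed ancestors of txid (txid itself excluded)."""
    seen, stack = set(), list(mempool[txid].parents)
    while stack:
        p = stack.pop()
        if p in mempool and p not in seen:  # a parent not in the mempool is confirmed
            seen.add(p)
            stack.extend(mempool[p].parents)
    return seen


def select_naive(mempool, min_fee_rate, max_block_bytes):
    """Rank each tx by its own fee rate and never include a tx whose parent is
    still unconfirmed. The high-fee children stay stuck behind 0-fee parents."""
    chosen, used = [], 0
    for tx in sorted(mempool.values(), key=lambda t: t.fee_sat / t.size_bytes, reverse=True):
        if tx.fee_sat / tx.size_bytes < min_fee_rate:
            continue
        if any(p in mempool and p not in chosen for p in tx.parents):
            continue
        if used + tx.size_bytes > max_block_bytes:
            continue
        chosen.append(tx.txid)
        used += tx.size_bytes
    return chosen


def package_of(mempool, txid, chosen):
    """A tx plus its not-yet-selected ancestors: (fee rate, total size, members)."""
    members = {txid} | {a for a in ancestors(mempool, txid) if a not in chosen}
    fee = sum(mempool[t].fee_sat for t in members)
    size = sum(mempool[t].size_bytes for t in members)
    return fee / size, size, members


def topo_order(mempool, members):
    """Parents before children, as block validity requires."""
    order = []

    def visit(t):
        if t in order or t not in members:
            return
        for p in mempool[t].parents:
            visit(p)
        order.append(t)

    for t in sorted(members):
        visit(t)
    return order


def select_package_aware(mempool, min_fee_rate, max_block_bytes):
    """Rank by ancestor-package fee rate, so a 0-fee parent rides into the
    block on the fee its child pays. Both land in the same block."""
    chosen, used, remaining = [], 0, set(mempool)
    while remaining:
        best = max(remaining, key=lambda t: package_of(mempool, t, chosen)[0])
        rate, size, members = package_of(mempool, best, chosen)
        if rate < min_fee_rate:
            break                    # every remaining package pays too little
        if used + size > max_block_bytes:
            remaining.discard(best)  # does not fit; try the next-best package
            continue
        chosen.extend(topo_order(mempool, members))
        used += size
        remaining -= members
    return chosen


if __name__ == "__main__":
    print("naive:        ", select_naive(MEMPOOL, 1, 1_000_000))          # ['filler']
    print("package-aware:", select_package_aware(MEMPOOL, 1, 1_000_000))  # all five, parents first
```

With a minimum fee rate of 1 sat/byte, the naive builder produces a block containing only the filler transaction, exactly the outcome the thread describes. The package-aware builder scores each move together with its sweep (10,000,000 sat over 800 bytes, 12,500 sat/byte), includes both in parent-then-child order, and collects the fee. This also answers the objection that the miner of the 0-fee parent might not get the child's fee: the package is mined as a unit, so the same block receives both.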
legendary
Activity: 1008
Merit: 1000
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD; this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If you don't think that somebody just Googling up your Instawallet URLs along with your BTC in them, then you need to stop hiding your head in a hole.
hero member
Activity: 503
Merit: 501
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD; this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If those Google https:// links pointed back to the instawallet web site, it most certainly is a security flaw which could indeed lead to exploits in my opinion.
hero member
Activity: 756
Merit: 1000
I made two withdrawals from instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent, should I be sure to receive it whatever happens with the rest of instawallet's issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?
newbie
Activity: 39
Merit: 0
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD; this might actually be a serious matter. Someone might have exploited a real security vulnerability.
legendary
Activity: 1008
Merit: 1000
They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though. Sad

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.  

It would be nice to hear from Davout. I believe he is instawallet staff

Yup, he is.