Topic: Instawallet/Bitcoin-Central Security Breach - page 5. (Read 85341 times)

hero member
Activity: 780
Merit: 510
Bitcoin - helping to end bankster enslavement.


Keep your calm and learn to read.

Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Thanks, but you know how it is when you're upset: you read it but your brain did not register it.
cho
full member
Activity: 155
Merit: 100
Boar with me
Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed [...]

Am I wrong ?

I think so.  It is conceivable that the URLs are stored encrypted using the dev's public key.  He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database.

Good point.
Little hints like that FAQ entry, and the lack of a proper robots.txt, are instilling in my mind little particles of doubt about the technical abilities of our bitcoin-central friends.
member
Activity: 98
Merit: 10
Hi please fill in this claim form if you lost instawallet funds here.......



YOUR URL password .....


your bitcoin address....



YOUR BALANCE:   


Your Email address that you made your first complaint with......

member
Activity: 68
Merit: 10
HOW DO YOU FILE A CLAIM!

I hate that the site says file a claim but provides no way to do so.

It's not like I lost a lot, just under 2BTC, but at today's price that's a nice dinner for 2 and I want it back!



Keep your calm and learn to read.

Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.
hero member
Activity: 780
Merit: 510
Bitcoin - helping to end bankster enslavement.
HOW DO YOU FILE A CLAIM!

I hate that the site says file a claim but provides no way to do so.

It's not like I lost a lot, just under 2BTC, but at today's price that's a nice dinner for 2 and I want it back!

newbie
Activity: 39
Merit: 0
[...]

3. The hacker has some info

This is as far as I could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilities from worst case scenario to best.

  • 1) All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away
  • 2) All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one. Quite time consuming. 2 people doing that for 90 days, 14 hours a day, looking up 1 every ten seconds would be 907,200
  • 3) A portion of the URLS and public addresses, maybe gained from Google or Chrome as mentioned earlier in the thread - same as above but obviously some of us will not be affected
  • 4) All 3.5 million URLS but not the public address - this would mean that as soon as the website was closed they no longer had access to the site to search for bitcoins in the URLS they were holding
  • 5) A portion of the URLS but no public address - the same as above but again doesn't affect everyone

There may be more but that's all I could think of for now.

[...]

What do you guys think?

I agree on most parts, but:

2) Actually "2" would be almost like "1". It wouldn't be time consuming at all, because you can just write a parser to parse the blockchain and sort by amount (change a bit here and there, and this source code + the blockchain, is all you need).

3) As I wrote earlier, then this is 100% without any doubt NOT the case.
sr. member
Activity: 333
Merit: 252
It's probable that instawallet's 'hot wallet' wasn't large enough to empty all the big ones.  Perhaps the hot wallet was drained and that's what tipped them off that there was a problem.  Perhaps they refilled it a few times before noticing what was going on.  We do know they had a 'cold wallet' which presumably held the majority of the coins.

I don't think the hot wallet was emptied.
If you look at the transaction history of their cold wallet, 1FrtkNXastDoMAaorowys27AKQERxgmZjY, you see that 6 transfers totalling 320BTC were made *to* this wallet, just prior to its subsequent evacuation into 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (together with bitcoin-central funds).
You can also notice that this is a very unusual pattern for them to put money into cold storage: usually it's 1 transaction every few days, not several transactions in quick succession.

What is more, among these 6 transactions is the address of my instawallet, to which I transferred the funds about 6 hours before. (I was unlucky to try to tumble some coins through instawallet at the worst possible moment.)

So from this it's quite clear that not all hot-wallet money was stolen. Probably the hacker accessed the database from where it was not supposed to be accessed, and that triggered the alarm.
How many URLs he got and how many he tried to empty we don't know.


vip
Activity: 1316
Merit: 1043
👻
And learn your lesson - use blockchain.info, bitcoin-qt, electrum, whatever.
member
Activity: 68
Merit: 10
14,000 total coins were stored in instawallet? Lost faith in humanity once again

Given how low the threshold was to start a wallet there, this could be spread over thousands of people. Judging by Phil's posts above, though, this is hardly the case
legendary
Activity: 2940
Merit: 1333
  • All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away

It's probable that instawallet's 'hot wallet' wasn't large enough to empty all the big ones.  Perhaps the hot wallet was drained and that's what tipped them off that there was a problem.  Perhaps they refilled it a few times before noticing what was going on.  We do know they had a 'cold wallet' which presumably held the majority of the coins.

  • All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one.
I'm pretty sure that instawallet was a shared wallet, so blockchain analysis doesn't tell you the balance of any of its accounts.  You can find all the deposits to a given address, but can't tell anything about the withdrawals from it.
legendary
Activity: 2940
Merit: 1333
Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed [...]

Am I wrong ?

I think so.  It is conceivable that the URLs are stored encrypted using the dev's public key.  He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database.
newbie
Activity: 14
Merit: 0
Anyone else having problems accessing the Instawallet site atm? Getting these errors in Firefox and Chrome...

Quote
This Connection is Untrusted

You have asked Firefox to connect securely to www.instawallet.org, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Quote
This is probably not the site you are looking for!
You attempted to reach instawallet.org, but instead you actually reached a server identifying itself as *.bitcoin-central.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of instawallet.org.
You cannot proceed because the website operator has requested heightened security for this domain.
newbie
Activity: 52
Merit: 0
Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there.

Instawallet did not have any form of security. Anyone knowing the url of a wallet could have withdrawn all its funds. (basically anyone gaining some form of access to the server could read the http log file and get hundreds of wallets)

Bitcoin Central has/had :
- a login/password system
- an optional double authentication mechanism
- a KYC policy requiring people wishing to put more than x euros (x=250 or 1000€ I don't remember) or the equivalent in BTC to identify themselves with name, address and a proof of identity.



I would like to know the conceptual difference between bitcoin-central and instawallet. After an extensive discussion here in the topic, I learnt about the security gaps, but why would someone prefer to keep the bitcoins in Instawallet rather than in bitcoin-central?
hero member
Activity: 756
Merit: 1000
Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
11000 posts and you never came across a thread explaining how to set up a secure paper wallet?

I came across it, but opted to ignore it, not wanting to take the time to go through the learning curve. Hell, I purchased a Samsung III to use with Bitcoin in mind, but got frustrated with the screen, so I gave it to my niece.

I am capable of figuring things out, but sometimes the lack of time gets in the way of me doing certain things.

I'm on record for stating that even if Bitcoin went to zero, i'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~

EDIT: Ironically, we cross-post:


Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear that Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.

Looks like me and you are in the same boat Phinnaeus, nice to meet you. Shame it couldn't have been under better circumstances.

Ok, I have been doing some analysis/thinking about the situation and am feeling (relatively) positive. Ladies and gentlemen, if you would care to indulge me.

INSTAWALLET DEBACLE 2013

Firstly I have made some assumptions

1. The people behind Instawallet are honest and want to return the money to their rightful owners.

I have assumed this based on the fact that they have their public profiles on record, some of them have been directors of big multinational companies (Orange), they have other businesses which I believe they want to keep earning them money and finally they probably realise that a higher percentage of the bitcoin userbase compared to the general public might go after them personally if the money was not returned. (Based on the fact that the currency is underground and only recently surfacing to most people).

Besides this, if we assume they are dishonest then our money might as well be gone anyway. :/

2. Everybody who had money in instawallet now realises the error of their ways and will be using a paper wallet rolled up into a tube and inserted anally at all times.

Some of the people here have lost a fair bit of money and the I told you so's are a little annoying. I for one will invest a few bitcoins in awareness of this problem for newbies if I get my money back.

3. The hacker has some info

This is as far as I could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilities from worst case scenario to best.

  • All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away
  • All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one. Quite time consuming. 2 people doing that for 90 days, 14 hours a day, looking up 1 every ten seconds would be 907,200
  • A portion of the URLS and public addresses, maybe gained from Google or Chrome as mentioned earlier in the thread - same as above but obviously some of us will not be affected
  • All 3.5 million URLS but not the public address - this would mean that as soon as the website was closed they no longer had access to the site to search for bitcoins in the URLS they were holding
  • A portion of the URLS but no public address - the same as above but again doesn't affect everyone

There may be more but that's all I could think of for now.

4. The hacker has already stolen something?

Now this i am not sure of. I feel that the wording of their agreement leads us to believe that some has gone but not all. If this is the case, when was it stolen? If it was only stolen in the last few days then maybe a date-stamped document in Time Machine (Mac recovery service) would be enough to prove that you have held the URLS for a while?

CONCLUSION

After all this we can conclude that if we claim back on an address and find that all large amounts are being double claimed we can be sure that the first option in section 3 is probably true.

If this is not the case then I think the chances of double claiming go down and we can hope to see our money again.

You never know, a 90 day forced holding period might be a blessing in disguise.

What do you guys think?
legendary
Activity: 1176
Merit: 1010
Borsche
14,000 total coins were stored in instawallet? Lost faith in humanity once again
newbie
Activity: 52
Merit: 0
I quote a part from an article that appeared in "bitcoinmagazine" (http://bitcoinmagazine.com/instawallets/) regarding pros and cons about using instawallet:

Because of Instawallet’s “URL as password” mechanism it’s the least secure of all the options. Instawallet themselves recommend that users “please do not store more than some spare change here” for casual use.


Instawallet people themselves recommended their clients not to store large amount of bitcoins. This shows some honesty.
newbie
Activity: 52
Merit: 0
Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there.
cho
full member
Activity: 155
Merit: 100
Boar with me
Quote
Q: I forgot my URL, can you help me?

A: As I lined out in the warning, I'm afraid the answer is no. I have to be strict about this, as I would otherwise open myself to social engineering attacks and putting my users and myself at risk. If you have not done so already, I can only recommend to check your browser history. An easy way of doing that is to just enter https://www.instawallet.org/w/ and see what your browser's auto completion suggests.

Somebody tell me then how the hell are they going to be able to return funds given the above?

Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed : "I have to be strict about this, as I would otherwise open myself to social engineering attacks" would have been "it is physically impossible for me to do so since we do not store your URLs unencrypted, and are thus unable to recover them, whatever the circumstances".
Am I wrong ?
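The storage question raised here (and in the earlier replies about hashed versus plaintext URLs, and about wallet URLs ending up in HTTP log files) can be made concrete. The following is an added example written for this thread, not Instawallet's or Bitcoin-Central's code. It stores only a SHA-256 digest of the secret path segment, looks wallets up by re-hashing the presented token, and scrubs the token from access-log lines before they are written, so that neither a copied database nor a copied log yields usable wallet URLs. The wallet-URL shape `/w/<token>`, the token length and the log line are my assumptions.

```python
import hashlib
import re
import secrets

# Assumed wallet-URL shape (not Instawallet's actual format): /w/<token>,
# where <token> is a 32-character URL-safe random string.
TOKEN_PATH = re.compile(r"/w/[A-Za-z0-9_-]{16,}")


def new_token() -> str:
    """High-entropy secret path segment: shown to the user once, never persisted."""
    return secrets.token_urlsafe(24)  # 192 bits of randomness, 32 chars


def token_digest(token: str) -> str:
    # A random 192-bit token cannot be guessed from its digest, so a fast hash
    # is sufficient here; a slow KDF is only needed for human-chosen secrets.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class WalletStore:
    """Balances keyed by token digest, so the database never holds the URL itself."""

    def __init__(self):
        self._rows = {}  # sha256 hex digest -> balance in satoshi

    def create(self, balance: int = 0) -> str:
        token = new_token()
        self._rows[token_digest(token)] = balance
        return token  # returned to the user; only its digest is kept

    def lookup(self, token: str):
        """Re-hash the presented token; None if no such wallet exists."""
        return self._rows.get(token_digest(token))

    def dump(self) -> dict:
        """What an attacker who copied the database would see."""
        return dict(self._rows)


def redact_log_line(line: str) -> str:
    """Scrub wallet tokens from an access-log line before it is written to disk."""
    return TOKEN_PATH.sub("/w/[redacted]", line)


def database_leaks_tokens(store: WalletStore, live_tokens) -> bool:
    """True if any live token appears verbatim in a dump of the store."""
    dumped = repr(store.dump())
    return any(t in dumped for t in live_tokens)


if __name__ == "__main__":
    store = WalletStore()
    token = store.create(balance=150_000_000)  # 1.5 BTC, constructed sample
    print("lookup by token:", store.lookup(token))
    print("database dump exposes tokens:", database_leaks_tokens(store, [token]))
    # Constructed access-log line in common log format.
    raw = f'203.0.113.5 - - [03/Apr/2013:12:00:00 +0000] "GET /w/{token} HTTP/1.1" 200 512'
    print(redact_log_line(raw))
```

Hashing on the server side only closes the database-copy and log-file paths; the token still sits in the user's browser history and may leave in Referer headers, which is exactly why the FAQ above can point people at their browser's autocompletion to recover it.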
member
Activity: 77
Merit: 10
Would it be a good idea for victims to find out which address (or addresses) they used to transfer their BTC to Instawallet, and immediately sign a message, to prove that they control that bitcoin address, if possible?

This wouldn't prove that they own the funds at Instawallet (they might only be somebody who sent BTC to the real owner) but it would help Instawallet to more easily sort out claims into 'probably true' and 'probably false'.

That's because scammers won't be able to prove that they sent any bitcoins in to the Instawallet address that they claim to own. And somebody who really did send bitcoins into another person's address isn't likely to have the knowledge, or the desire, to scam them later (though it's not impossible, if a large sum is at stake, so Instawallet would still need to review the case and other evidence)

I don't have anything stored at Instawallet. I'm just thinking it would be best for victims to prove as soon as possible that they control any sending addresses, in case they're not able to do that later (for example, they could delete their wallet, or overwrite keys, accidentally or because they think it's not important any more)

Does this idea help?

hero member
Activity: 868
Merit: 1000
I lost 0.02 BTC, even when it's only 2.50 dollars, I'm angry to see a website stealing the money of their users. "Trust no one" is the name of a post on the newbie area; I think it's right.

I think they've done a lot wrong, but right now there is no evidence whatsoever that anyone's funds have been "stolen".