I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.
Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.
It was most definitely a security flaw. There's a reason many services that offer similar things use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely client-side.
To put it simply, using a url as your sole authentication is a really fucking stupid idea.
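An added example, not part of the original posts, modelling the fragment point above: which parts of a wallet URL reach the server's request line and an outbound Referer header when the secret sits in the path versus in the fragment. The host names, the secret and all function names are constructed for illustration; only two Referrer Policy values plus `no-referrer` are modelled.

```javascript
// Constructed URLs; example.test hosts and SECRET are placeholders, not real values.
// Models which parts of a URL leave the browser (URL spec + Referrer Policy).

// What the server receives in the HTTP request line: path + query, never the fragment.
function requestTarget(rawUrl) {
  const u = new URL(rawUrl);
  return u.pathname + u.search;
}

// Referer value sent when navigating from `fromUrl` to `toUrl` under a given policy.
// The fragment is always stripped before the header is built.
function refererFor(fromUrl, toUrl, policy = "strict-origin-when-cross-origin") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const stripped = from.origin + from.pathname + from.search;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // long-time browser default
      return downgrade ? null : stripped;
    case "strict-origin-when-cross-origin": // current browser default
      if (downgrade) return null;
      return from.origin === to.origin ? stripped : from.origin + "/";
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// True if the secret is visible outside the browser for a page load plus one outbound click.
function secretLeaves(walletUrl, secret, outboundUrl, policy) {
  const seen = [requestTarget(walletUrl), refererFor(walletUrl, outboundUrl, policy) || ""];
  return seen.some((s) => s.includes(secret));
}

const SECRET = "CONSTRUCTED-SECRET-123";
const inPath = `https://wallet.example.test/w/${SECRET}`;
const inFragment = `https://wallet.example.test/w/#${SECRET}`;
const outbound = "https://other.example.test/";

for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  console.log(policy, "| secret in path leaves browser:",
    secretLeaves(inPath, SECRET, outbound, policy),
    "| secret in fragment leaves browser:",
    secretLeaves(inFragment, SECRET, outbound, policy));
}
```

The model covers only what the browser transmits; a fragment is still readable by scripts on the page and is still part of the URL a user copies and posts publicly.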
I totally agree with your last line, but "a fucking stupid idea" != security flaw.
Just like when a website creates a recovery link:
blah.tld/recover.php?secret=SomEtHingRandom, as long as I don't share this link, then only I and the website know the link, so only I can change my password/recover my user. THIS IS NOT A SECURITY FLAW.
However, if I share this link with world+dog (public internet) - and a lot of people did this, by sharing their *PRIVATE URL* with everyone on the public internet - then everybody can "hack" me. But this is NOT due to a security flaw in the website! This is due to a human error, because someone shared their private urls (not a security flaw in the website and will never be).
The "flaw" first discussed in instawallet (which wasn't even a flaw) was simply because Google allows everyone to easily see this list of PUBLIC SHARED URLS by typing the command "site:" in Google. It is STILL possible to get this list, by simply changing "site:" to e.g. "allintext:" (proof) however now you manually have to visit every site on the list and dig out the instawallet link (before Google would do this for you).
It is best practice to tell Google: "please don't make this list _easily_ accessible", however you and everyone else will always be able to find "the list" (and the list will always exist, as long as people share their urls with everyone). It is NOT a security flaw in any website, that you can find this list (assuming the list only consists of private urls leaked by users, not the website).
Had Instawallet leaked just one link, then this would have been a security flaw, but they DIDN'T. Not a single link.
And can we now please stop talking about this silly "mistake" (it's not even a flaw - and you would NEVER be able to use it, to hack Instawallet), and actually focus on THE REAL HACK. Please?