Topic: Instawallet/Bitcoin-Central Security Breach - page 6. (Read 85341 times)

full member
Activity: 154
Merit: 100
I lost 0.02 BTC Sad, even when it's only 2,50 dollars, I'm angry to see a website stealing the money of their users. "Trust no one" is the name of a post on the newbie area; I think it's right.
legendary
Activity: 1400
Merit: 1005
Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as amount of mined bitcoins asymptotically approaches 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.


Spot on, and did not take offense, bud. All others feel free to stick it up me, but at least ask me if I want to taste it when you do.

Although this hurts me financially, it's not drastic, but this is a major blow to Bitcoin on several levels. Not in my wildest dreams I thought InstaWallet would go down, but looking back I should have thought otherwise. In fact, for a brief second I did about a week or so ago, but was assured that all is well, opting to not look deeper and explore my options further.

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
I'll just say that the Bitcoin-QT wallet is incredibly easy to set up (pretty much just click install, and it's done), and it is reasonably secure once you password protect it.  The downside is just that it takes a number of hours to synchronize, and it does take up some ram and a decent amount of HDD space.  But that's a small sacrifice to make to have full control over your coins.

Davout seems to be a standup guy.  I'd be surprised if you didn't get the vast majority of your funds back, given how much of instawallet's funds were sitting in a cold wallet.  But certainly, put more effort into making sure your coins are secure down the road, especially when you have enough to buy a house with!
hero member
Activity: 868
Merit: 1000

I'm on record for stating that even if Bitcoin went to zero, I'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~



They previously stated that they had exclusive control of the wallet and that user funds were safe.  They've said nothing so far to indicate that's not still the case.  The issue here seems to be how they return funds to legitimate users when the database has been compromised.  You're obviously going to fall into the "case by case" category, but at this stage they're saying they can start returning funds after a 90 day claim period and not that there are missing funds.

In my opinion, they need to make very clear that no user funds have been lost (or none that they can't replace out of their own pockets) if that's the case.  If user funds have been lost then they need to be truthful about that because no-one wants to sit around thinking they're going to get their funds in 90 days only to find in 3 months time that there's a shortfall.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
11000 posts and you never came across a thread explaining how to set up a secure paper wallet? Huh

I came across it, but opted to ignore it, not wanting to take the time to go through the learning curve. Hell, I purchased a Samsung III to use with Bitcoin in mind, but got frustrated with the screen, so I gave it to my niece.

I am capable of figuring things out, but sometimes the lack of time gets in the way of me doing certain things.

I'm on record for stating that even if Bitcoin went to zero, I'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~

EDIT: Ironically, we cross-post:


Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear that, Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.
hero member
Activity: 868
Merit: 1000

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear that, Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.
legendary
Activity: 1400
Merit: 1013
Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
11000 posts and you never came across a thread explaining how to set up a secure paper wallet? Huh
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as amount of mined bitcoins asymptotically approaches 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.


Spot on, and did not take offense, bud. All others feel free to stick it up me, but at least ask me if I want to taste it when you do.

Although this hurts me financially, it's not drastic, but this is a major blow to Bitcoin on several levels. Not in my wildest dreams I thought InstaWallet would go down, but looking back I should have thought otherwise. In fact, for a brief second I did about a week or so ago, but was assured that all is well, opting to not look deeper and explore my options further.

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
It seems every generation of bitcoiners just has to learn hard lessons on their own. FFS if experienced bitcoiners like so not modest myself who warned others about exactly this shit long before mybitcoin fiasco tells you TRUST NO ONE. Pay fucking attention next time.


It never works Vlad, they never listen.

Stick two dicks up my ass, for it's quite obvious that I didn't listen.

Also...

Quote
Q: I forgot my URL, can you help me?

A: As I lined out in the warning, I'm afraid the answer is no. I have to be strict about this, as I would otherwise open myself to social engineering attacks and putting my users and myself at risk. If you have not done so already, I can only recommend to check your browser history. An easy way of doing that is to just enter https://www.instawallet.org/w/ and see what your browser's auto completion suggests.

Somebody tell me then how the hell are they going to be able to return funds given the above?
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Hope you learnt an important lesson: NEVER TRUST ONLINE WALLETS WITH MORE THAN POCKET MONEY.

And remember that what's pocket money today, can be retirement money tomorrow Wink

No Mother Fuckin' Kidding!
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending

They are hacked and lost bitcoin!! They will close this business and go the "claim" process!!

Source?
the website now updated with the notice.

I'm not seeing it. If you're trolling, this is not a good time. If you're not, do post a screenshot.
INSTAWALLET SERVICE NOTICE

The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.


Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.


In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Important information on claims submission:

1. For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.
2. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.
3. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.

From http://notice.instawallet.org/

Somebody fuck me in my ass and then stick your dick in my mouth, for I'm sure I'll enjoy that much better than what I've just read.

I've read that he's probably in Paris, so so much for a road trip. Is there anybody in Paris that can at least visit the address provided to glean any viable information?

I will blow my fuckin' top if I learn that my close friend and a dear client (2 separate individuals) have coins tied up on InstaWallet.org after I went out on a limb to assure them that they need not worry giving my personal guarantee.

This is so fucked up on so many levels.

Back to page 10, or is it 11?

~Bruno K~
newbie
Activity: 39
Merit: 0
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.
It was most definitely a security flaw. There's a reason many services that offer similar things use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside.

To put it simply, using a url as your sole authentication is a really fucking stupid idea.
I totally agree with your last line, but "a fucking stupid idea" != security flaw.
Just like when a website creates a recover link: blah.tld/recover.php?secret=SomEtHingRandom, as long as I don't share this link, then only I and the website know the link, so only I can change my password/recover my user. THIS IS NOT A SECURITY FLAW.

However, if I share this link with world+dog (public internet) - and a lot of people did this, by sharing their *PRIVATE URL* with everyone on the public internet - then everybody can "hack" me. But this is NOT due to a security flaw in the website! This is due to a human error, because someone shared their private urls (not a security flaw in the website and will never be).

The "flaw" first discussed in instawallet (which wasn't even a flaw) was simply because Google allow everyone to easily see this list of PUBLIC SHARED URLS by typing the command "site:" in Google. It is STILL possible to get this list, by simply changing "site:" to e.g. "allintext:" (proof) however now you manually have to visit every site on the list and dig out the instawallet link (before Google would do this for you).

It is best practice to tell Google: "please don't make this list _easily_ accessible", however you and everyone else will always be able to find "the list" (and the list will always exist, as long as people share their urls with everyone). It is NOT a security flaw in any website, that you can find this list (assuming the list only consists of private urls leaked by users, not the website).

Had Instawallet leaked just one link, then this had been a security flaw, but they DIDN'T. Not a single link.

And can we now please stop talking about this silly "mistake" (it's not even a flaw - and you would NEVER be able to use it, to hack Instawallet), and actually focus on THE REAL HACK. Please?
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
davout give us a shoutout PLEASE We wanna know what your doing!!!!!!!!!!!!!!!!!!!!
 Cry

YOU GOTTA BE FUCKIN' KIDDIN' ME!!!

Quote
Name:   davout
Posts:   2744
Position:   Staff
Date Registered:   October 17, 2010, 06:01:12 AM
Last Active:   April 02, 2013, 10:16:50 AM

I hope I'm calmed down before I get to the end of this thread, otherwise I WILL be asking for an address, and not the BlockChain kind.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
sending your funds to a wallet consisting of a non-password protected URL is RIDICULOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.

Therefore, all the NPO/NGOs I emailed with InstaWallet.org in the text will look upon Bitcoin as a farce if they happen to click the link.

Currently on Page 8 of this thread, hoping there's good news by the time I get to Page 14.

So far it's looking like this'll be the first time I lose bitcoins via another entity. The ONLY saving grace is that it was all profit, but then again so is close to 100% of all the barn wood I currently have in stock, but would hate it if the buildings burned down or I was ripped up off of the entire lot.

I'm holding my tongue till I reach the end of this thread.

Madness!!!

~Bruno K~
newbie
Activity: 28
Merit: 0
It is only referring to the open orders! As everything else is OK?
legendary
Activity: 1008
Merit: 1000
Note from bitcoin-central.com and paytunia.com:
Quote
[Apr-03 7:00PM CET]

We are still working on bringing the service back up: we expect to resume operations within the next 48 hours.

A lot of people have asked about the state of orders currently pending. Due to the recent and important price fluctuations we will cancel some outstanding orders before reopening. For example if the average price stays above 100 EUR/BTC we will cancel all asks below 110 EUR/BTC. No trades will be reversed.

We also don't want to take anyone by surprise and as such will give a 24h notice before trades start to get executed again.

During these 24 hours you will be able to place and cancel orders. When the trading engine gets restarted they will be executed in the order they were placed.

Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption.

The deposits received while the service was interrupted will be added to your balance during the 24h notice time.
newbie
Activity: 28
Merit: 0
bitcoin central is back
hero member
Activity: 686
Merit: 564
The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.

Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.
Fucking maroons. For this to be true, they'd have to be storing the raw, unhashed keys from the URLs, and there's not really any good reason why they should do things this way. Simply hashing the URLs would have made it difficult or impossible for someone who got hold of the database to imitate account holders.
hero member
Activity: 868
Merit: 1000

It was most definitely a security flaw. There's a reason many services that offer similar things use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside.

To put it simply, using a url as your sole authentication is a really fucking stupid idea.

Even worse is that they knew this flaw was being discussed publicly, as was the StrongCoin flaw.  You can't assume that every user will read thread about security flaws but services themselves should make it their business to know when such discussions are taking place.
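The two design points raised in this thread, keeping the wallet secret in the URL fragment so the browser never transmits it (the "fragment is entirely clientside" post) and hashing the URL key before storing it so a copied database cannot be replayed (the "simply hashing the URLs" post), as an added example in Python. This is not Instawallet's or Paymium's code; the `HashedKeyStore` class, the `server_visible` helper and the wallet URL layout are assumptions made for illustration, and the only page-derived value is the `https://www.instawallet.org/w/` prefix quoted from the FAQ earlier in the thread.

```python
"""Added example (not Instawallet's code): two mitigations for secret-bearing URLs.

1. Put the secret in the URL fragment.  Browsers strip everything after '#'
   before sending the request, so the secret never reaches server logs,
   Referer headers or the server-side database.
2. Store only a hash of the secret.  A copied database row then contains
   sha256(secret), which is useless for authenticating as the wallet holder.
"""
import hashlib
import secrets
from urllib.parse import urlsplit

WALLET_PREFIX = "https://www.instawallet.org/w/"  # prefix quoted in the thread


def server_visible(url: str) -> str:
    """Return what the browser actually sends in the request line.

    urlsplit() separates the fragment; we rebuild path + query only, which is
    exactly the portion that can end up in access logs and databases.
    """
    parts = urlsplit(url)
    request_target = parts.path or "/"
    if parts.query:
        request_target += "?" + parts.query
    return request_target


class HashedKeyStore:
    """Hypothetical wallet store keyed by sha256(secret) instead of the secret.

    The secret is a 192-bit random token, so a fast hash is adequate here;
    slow password hashes (bcrypt, scrypt) are for low-entropy, human-chosen
    passwords, not for unguessable random keys.
    """

    def __init__(self) -> None:
        self._rows = {}  # sha256 hex digest -> wallet record

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def create_wallet(self, balance_btc: float) -> str:
        """Create a wallet and return the secret; only its hash is stored."""
        secret = secrets.token_urlsafe(24)
        self._rows[self._digest(secret)] = {"balance_btc": balance_btc}
        return secret

    def wallet_url(self, secret: str) -> str:
        """Fragment-based URL: the server sees only WALLET_PREFIX (assumed layout)."""
        return WALLET_PREFIX + "#" + secret

    def lookup(self, presented_secret: str):
        """Authenticate by hashing what the client presents and looking it up."""
        return self._rows.get(self._digest(presented_secret))

    def dump_rows(self) -> dict:
        """What an attacker obtains by copying the database."""
        return dict(self._rows)


def copied_row_authenticates(store: HashedKeyStore) -> bool:
    """Check that replaying stored digests as keys fails (the mitigation works)."""
    return any(store.lookup(digest) is not None for digest in store.dump_rows())


if __name__ == "__main__":
    store = HashedKeyStore()
    key = store.create_wallet(1.5)
    url = store.wallet_url(key)
    print("full URL      :", url)
    print("server sees   :", server_visible(url))
    print("holder login  :", store.lookup(key))
    print("DB copy login :", copied_row_authenticates(store))
```

Note that the fragment scheme only protects the secret in transit and from the server's own records; anyone who pastes the full URL into a public forum still leaks it, which is the user-error case the thread also discusses. The hashed store addresses the separate case of the database itself being read: the stored digest identifies the row but cannot be presented as a key.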
sr. member
Activity: 294
Merit: 250
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

It was most definitely a security flaw. There's a reason many services that offer similar things use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside.

To put it simply, using a url as your sole authentication is a really fucking stupid idea.
newbie
Activity: 14
Merit: 0

They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50btc) if you were too lazy to file a claim.
You can not have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you just find out about the leak.
Paymium is already providing information regarding a solution, only within 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.

Is English not your first language?  They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account.

Quote
For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.

1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account.

I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs.  If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period.  Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising.
Okay, you are totally right, I did not read carefully enough (missed "other" and "same"). I thought they meant they were going to refund if you file a claim, and refund automatically if you didn't claim anything at all. I have never used instawallet and I have never even seen the website. I only have a slight idea on how it's working, so I think it's time for me to shut up about this.


At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself.

Oh, wait. Hehe, duplicates.
Maybe I am. Why don't we find out in the next couple of days...
