Google Webmaster Tools
Ban Directory from being listed (not indexed, listed)
I'm locking this thread.
Topic: Open Letter to Instawallet (Read 7764 times)
you're going down the right path asking questions if Anaylitics, Google+, Google Chat, Gmail, etc were to blame.
Right now Instawallet doesn't refer anything from out of its domain, and even links to outgoing sites are protected behind a redirect wall to prevent the target websites from getting the wallet URL in the referrer. But don't forget that Instawallet had another owner and previously had a different design, and they may have at some point used Google Analytics or a G+ share button. It would be good to know what's the age of the wallets that were indexed by Google (so we could link them to a certain timespan). And some simple experiences are enough to find out if Google parses chat and emails for URLs and crawls them (create random address on your server, post it nowhere but on a email/chat and wait for a Googlebot hit).
good point. didn't notice that before.
raises the question, what exactly did the OP do? LOL
you're going down the right path asking questions if Anaylitics, Google+, Google Chat, Gmail, etc were to blame.
Right now Instawallet doesn't refer anything from out of its domain, and even links to outgoing sites are protected behind a redirect wall to prevent the target websites from getting the wallet URL in the referrer. But don't forget that Instawallet had another owner and previously had a different design, and they may have at some point used Google Analytics or a G+ share button. It would be good to know what's the age of the wallets that were indexed by Google (so we could link them to a certain timespan). And some simple experiences are enough to find out if Google parses chat and emails for URLs and crawls them (create random address on your server, post it nowhere but on a email/chat and wait for a Googlebot hit).
Davouts profile says he won't be around until Mar 31, though I doubt he will give you a penny anyways. Read this for future disclosure of security holes to vendors, and why you shouldn't do anything because you'll just get fucked one way or another http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/
Deal! what's your business url and I will let you know via PM. If it is client impacting and is helpful for you then send me some coins. I dont' think they were random either.. I strongly suspect I know what did it and you're going down the right path asking questions if Anaylitics, Google+, Google Chat, Gmail, etc were to blame.
well... i just discovered your other thread regarding this topic and i'm beginning to have my doubts
https://bitcointalksearch.org/topic/m.1695310
honestly, until you convince me otherwise this appears to be a whole lot of FUD.
i'm fairly certain that i would have little to no exposure to a similar security risk, given the design of my site and the fact that i don't use ANY google services and have no intention of doing so (but, i'm still guessing as to the basis of your find).
my motivation here is to encourage others to "do the right thing" and report bugs, flaws, etc when they find them; instead of trying to exploit them for profit; and in turn be rewarded for their service. i believe a bug/flaw reward program is something that more companies should offer, especially in the high security, high value world that is Bitcoin.
our service, currently in development is:
https://www.btcvillage.nl
and until i have an opportunity to publish a formal reward program (certainly before we launch), i welcome you (and anyone else for that matter) to review our platform and report their findings. and i can assure that i WILL be grateful for ANY valid discoveries and show my appreciation with a reasonable amount of monetary compensation
The cause is honestly two fold , a lack of SEO experience on Instawallet's side, and a lack of complete honesty from Google's side.
Google's Definition of Robots.Txt file isn't what you guys think it is.
1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"
They are NOT the same definition. Not even close.
Google's Definition of Robots.Txt file isn't what you guys think it is.
1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"
They are NOT the same definition. Not even close.
that's pretty much how i understood it. what i don't get (and the million bitcoin question) is how did google manage to index 3000 random urls in the first place?
i can only assume that it was a related google service acting stealthily on the site (e.g. analytics, google+, etc). again, i'm not so concerned about how you fixed it, so much as to how it happened in the first place.
if this turns out to be an issue that could affect my own business, i'd be more than willing to donate to ur discovery.
Deal! what's your business url and I will let you know via PM. If it is client impacting and is helpful for you then send me some coins. I dont' think they were random either.. I strongly suspect I know what did it and you're going down the right path asking questions if Anaylitics, Google+, Google Chat, Gmail, etc were to blame.
.htaccess is king when if comes to that.
That is one way to fix it, but it's not the only way ... .htaccess is sort of like a broad sword last ditch coverage attempt... IE: plan C (if A and B fail) but definitely one of the right things to do because we're all human and we really can never catch everything.
The cause is honestly two fold , a lack of SEO experience on Instawallet's side, and a lack of complete honesty from Google's side.
Google's Definition of Robots.Txt file isn't what you guys think it is.
1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"
They are NOT the same definition. Not even close.
Google's Definition of Robots.Txt file isn't what you guys think it is.
1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"
They are NOT the same definition. Not even close.
that's pretty much how i understood it. what i don't get (and the million bitcoin question) is how did google manage to index 3000 random urls in the first place?
i can only assume that it was a related google service acting stealthily on the site (e.g. analytics, google+, etc). again, i'm not so concerned about how you fixed it, so much as to how it happened in the first place.
if this turns out to be an issue that could affect my own business, i'd be more than willing to donate to ur discovery.
.htaccess is king when if comes to that.
My understanding of the https protocol is that only the host name is visible to an attacker. Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.
I don't think it's a good idea to lay out how I fixed instawallet's problem, but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.
considering your good intentions in working with the team at instawallet to fix their problem, don't you think it would also be a good idea to proactively help others avoid making the same mistakes? i don't want to make any assumptions as to why they neglected to offer so much as a thank you, but this news is disturbing to myself and i'm sure others as to what google (bing, yahoo, etc) are doing behind the curtain that could be exposing this community to security risks.
i'd actually be much more interested in the cause than the fix anyway.
The cause is honestly two fold , a lack of SEO experience on Instawallet's side, and a lack of complete honesty from Google's side.
Google's Definition of Robots.Txt file isn't what you guys think it is.
1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"
They are NOT the same definition. Not even close.
I remember this exact same thing happening last year.
Already searched the forum and couldn't find anything.
This issue has already been discussed a few times here: https://coinad.com/?m=chat
Also, Google doesn't magically get those links.
Someone must have posted them online somewhere.
Already searched the forum and couldn't find anything.
This issue has already been discussed a few times here: https://coinad.com/?m=chat
Also, Google doesn't magically get those links.
Someone must have posted them online somewhere.
Users can't protect from that.
Google indexed 3k wallets. You could see them just by typing site:instawallet.org
No, I didn't steal anything and yes, Google removed the links.
Google indexed 3k wallets. You could see them just by typing site:instawallet.org
No, I didn't steal anything and yes, Google removed the links.
My understanding of the https protocol is that only the host name is visible to an attacker. Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.
I don't think it's a good idea to lay out how I fixed instawallet's problem, but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.
considering your good intentions in working with the team at instawallet to fix their problem, don't you think it would also be a good idea to proactively help others avoid making the same mistakes? i don't want to make any assumptions as to why they neglected to offer so much as a thank you, but this news is disturbing to myself and i'm sure others as to what google (bing, yahoo, etc) are doing behind the curtain that could be exposing this community to security risks.
i'd actually be much more interested in the cause than the fix anyway.
This shit really happened? 
they also say they have 3,465,851 wallets, now that is huge
is instawallet really that bad?
here is my wallet
https://instawallet.org/w/youcanputanyrandomkeyandddosthemcool
here is my wallet
https://instawallet.org/w/youcanputanyrandomkeyandddosthemcool
The entire no-security concept of Instawallet seems broken by design.
Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.
Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.
As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.
That said, I can neither believe they didn't put the robots.txt from the very start, now they seem to have gone so far as to render their very homepage (https) unaccessible to Google!
As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.
Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.
Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.
As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.
That said, I can neither believe they didn't put the robots.txt from the very start, now they seem to have gone so far as to render their very homepage (https) unaccessible to Google!
As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.
I think you hit the nail on the head. Your browser history/bookmarks are not considered "secret" and plugins may be able to access it. Once a less than honorable plugin has your history data they can just scan it for "instawallet" and report back all your wallets.
I'm guessing these URLs were gathered from Google chrome data collection.
They really need to stick a password on wallets.
LOL! 
Robots.txt is not for security. It is for obscurity!
This attack will happen sooner or later, google or no google.
It is too easy if you just need a URL
Robots.txt is not for security. It is for obscurity!
This attack will happen sooner or later, google or no google.
It is too easy if you just need a URL
Wow, over 900 wallets exposed at easywallet using the same trick....!
I haven't used those online wallets before. Are they just supposed to be for quick, in-and-out kinds of transactions?
I haven't used those online wallets before. Are they just supposed to be for quick, in-and-out kinds of transactions?
That`s fun The mistake thing, not the situation it caused...nope, both are fun
According to what has been said, mistake was stupid, so I guess it was connected with referrer flaw - there was an external resource on page or link to some google service.
The mistake thing, not the situation it caused...nope, both are fun According to what has been said, mistake was stupid, so I guess it was connected with referrer flaw - there was an external resource on page or link to some google service.
That trick works on easywallet too. Hope you're as rich as I am.
Jump to: