Topic: Open Letter to Instawallet - page 2. (Read 7811 times)

sr. member
Activity: 306
Merit: 250
Donations: http://tny.im/nx
March 27, 2013, 06:12:26 PM
#30
When I was halfway through reading your thread about it yesterday, and reading about "100 BTC maximum", Instawallet came to my mind, but the only thing I thought that could be exploitable was something like the form to send Bitcoins out of the wallet, or the API (which is very simple). It never occurred to me that it could be something so simple as Google indexing.
At the same time it makes me wonder; who would post loaded wallet URLs on a place Google could access (because search engines don't guess URLs)? Or should the question be the other way around: is Google getting URLs to scan from places other than web pages (e.g. Google Chat, Chrome...)?
Thanks for discovering googling the issue. It would be great if everyone followed your example.
full member
Activity: 152
Merit: 100
March 27, 2013, 05:48:29 PM
#29
Asking Google not to crawl sensitive pages is a basic foundation of privacy.
legendary
Activity: 873
Merit: 1000
March 27, 2013, 05:25:04 PM
#28
I would have been happy with a thank you, if extorting them is wondering why I never got thanked then I take issue with your definition of extortion.

If that just happened, maybe they were still investigating. For instance, if a person knows how to get Google to explicitly index a URL, then maybe that person could make it look like a security vulnerability exists by creating and funding some wallets, then asking Instawallet for a reward for "discovering" it -- when no legitimate customer funds were at risk.

So you might be jumping to a conclusion.
hero member
Activity: 518
Merit: 500
March 27, 2013, 05:07:49 PM
#27
One time in the early 90s my dad's car phone was stolen and he put up flyers saying "reward". He didn't reward the guy who brought it back. So, there's that.
hero member
Activity: 490
Merit: 500
March 27, 2013, 04:57:45 PM
#26
I knew about this for ages...

just google: site:instawallet.org w

And you would get all the public URLs...

Most URLs were empty anyway.
legendary
Activity: 1946
Merit: 1035
March 27, 2013, 04:19:30 PM
#25
The entire no-security concept of Instawallet seems broken by design.

Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.

Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.

As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.

That said, I can neither believe they didn't put the robots.txt in from the very start; now they seem to have gone so far as to render their very homepage (https) inaccessible to Google!

As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 03:58:58 PM
#24
My understanding of the https protocol is that only the host name is visible to an attacker. Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

I don't think it's a good idea to lay out how I fixed instawallet's problem, but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.
hero member
Activity: 726
Merit: 500
March 27, 2013, 03:56:49 PM
#23
My understanding of the https protocol is that only the host name is visible to an attacker. Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 03:37:15 PM
#22
Well, I don't know what the issue was with Instawallet, but even with Easywallet you can find a lot of wallets from Google. But they are not user wallets. Google robots can make as many wallets as they want but they won't contain anything.

If there was indeed a leak of user wallets, that is a serious issue to say the least.

There were coins in those wallets. If someone less than honorable found that, they could easily have cleared off $10,000 worth of bitcoins yesterday in a few minutes flat.
legendary
Activity: 2184
Merit: 1056
Affordable Physical Bitcoins - Denarium.com
March 27, 2013, 03:26:16 PM
#21
Well, I don't know what the issue was with Instawallet, but even with Easywallet you can find a lot of wallets from Google. But they are not user wallets. Google robots can make as many wallets as they want but they won't contain anything.

If there was indeed a leak of user wallets, that is a serious issue to say the least.
newbie
Activity: 18
Merit: 0
March 27, 2013, 03:23:57 PM
#20
I want to know how Google found the wallets. Doesn't the fact that Google was even able to find them in the first place imply a deep security problem?
Unless Google found the wallets from data Chrome sent back...
member
Activity: 84
Merit: 10
March 27, 2013, 03:15:33 PM
#19
Well, I've got nothing to do with Instawallet, nor do I use it.

But thank you anyway.
legendary
Activity: 1120
Merit: 1152
March 27, 2013, 03:11:01 PM
#18
That's enough grandstanding, TheFounder. Kicking and screaming is going to push them to ignore you even more.

As for instawallet, they're probably embarrassed and considering how to respond. Give them time. What is it with this community and an inherent sense of entitlement?

...or they found another issue and are scrambling to fix it. Or they want(ed) to give the OP a significant reward, but need approval from their investors/board/mom/whatever. Or their kid got sick. Who knows?

I'd have given it at least a week or two myself, and kept my mouth shut about the issue, in case there were more holes I didn't find let alone all the other possible reasons it's taken them more than a day to respond. Besides frankly I think a more appropriate thing to do is simply ask (privately) for credit for finding the issue rather than turning it into drama. Money is nice, but a good reputation is worth more in the long run.

Having said that... services should be rewarding people who find serious bugs, simply to encourage ethical reporting rather than exploitation.
hero member
Activity: 518
Merit: 500
March 27, 2013, 03:02:16 PM
#17
I would have been happy with a thank you, if extorting them is wondering why I never got thanked then I take issue with your definition of extortion.

If that is true (I'm not saying it isn't) I think you diluted your message by including an address in your posts.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 02:33:15 PM
#16
So you're extorting them? You want bitcoins because you did the right thing and did not STEAL, which is morally wrong. Dude, be happy you helped 3,000 people not lose their wealth and stop looking for the coins at the end of the road. I would say good, you helped fix an error, but that you are looking for a handout kinda leaves a bad taste in my mouth.

I would have been happy with a thank you, if extorting them is wondering why I never got thanked then I take issue with your definition of extortion.

Unless thefounder lies or exaggerates the issue, which is hard to believe.
If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.

That's why I contacted them asap.
legendary
Activity: 1400
Merit: 1013
March 27, 2013, 02:31:27 PM
#15
it sounds like a very basic mistake to me.
We've heard that story many, many times already. "Due to a really basic mistake I accidentally all your bitcoins."
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
March 27, 2013, 02:29:34 PM
#14
That's enough grandstanding, TheFounder. Kicking and screaming is going to push them to ignore you even more.

As for instawallet, they're probably embarrassed and considering how to respond. Give them time. What is it with this community and an inherent sense of entitlement?
cho
full member
Activity: 155
Merit: 100
Boar with me
March 27, 2013, 02:24:38 PM
#13
Unless thefounder lies or exaggerates the issue, which is hard to believe.
If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.
Moreover, that mistake is avoidable with a properly configured robots.txt; it sounds like a very basic mistake to me. That said, it's hard to cover your ass from all the possible mistakes. But that one... Quite a fail.
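Post #13 above says the mistake was avoidable with a properly configured robots.txt, and post #25 argues that robots.txt is only advisory and that a URL which is itself the secret can never be made "securable". The following Python script is an added example, not code from this thread or from Instawallet: it runs three constructed robots.txt variants (missing, forgetting the wallet paths, corrected) through the standard library's `urllib.robotparser` to show what a compliant crawler would do with a wallet URL, and adds the per-response `X-Robots-Tag` check that search engines also honour. The `/w/` path prefix, the `wallet.example.invalid` host and the token are assumptions made for illustration; the thread never states the service's real URL layout.

```python
"""Added example (not from this thread or from Instawallet): what a
robots.txt-honouring crawler does with a wallet URL under three robots.txt
variants, plus the X-Robots-Tag header check. The /w/ prefix and the host
name are assumptions for illustration only."""
import urllib.robotparser

# Hypothetical capability-URL prefix (assumption, not the real layout).
WALLET_PREFIX = "/w/"

# Constructed robots.txt contents, not taken from any real site.
ROBOTS_MISSING = ""                                    # no file at all
ROBOTS_WEAK = "User-agent: *\nDisallow: /admin/\n"     # forgets the wallet paths
ROBOTS_FIXED = f"User-agent: *\nDisallow: {WALLET_PREFIX}\n"


def crawl_allowed(robots_txt: str, url: str, agent: str = "Googlebot") -> bool:
    """True if a crawler that honours robots.txt may fetch `url`.

    An empty robots.txt (the 'missing file' case) allows everything, which is
    the state the thread describes: wallet pages were crawlable by default.
    """
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def header_forbids_indexing(headers: dict) -> bool:
    """True if the response carries X-Robots-Tag: noindex (or none).

    Unlike robots.txt, this header travels with the page itself, so it does
    not publish a list of sensitive prefixes, and it also tells an engine to
    drop a page it reached through a link rather than by crawling.
    """
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            directives = {d.strip().lower() for d in value.split(",")}
            if "noindex" in directives or "none" in directives:
                return True
    return False


def indexing_exposure(robots_txt: str, headers: dict, url: str) -> str:
    """Summarise whether a compliant search engine could index `url`.

    robots.txt is checked first because a disallowed page is never fetched,
    so its headers are never seen. Neither control covers a crawler that
    ignores robots.txt, nor a URL that leaks through browser history,
    extensions or Referer headers; that is why a secret living only in the
    URL stays exposed however robots.txt is written.
    """
    if not crawl_allowed(robots_txt, url):
        return "blocked by robots.txt (advisory only)"
    if header_forbids_indexing(headers):
        return "blocked by X-Robots-Tag"
    return "indexable"


if __name__ == "__main__":
    # Constructed wallet URL; the token is a placeholder, not a real wallet.
    wallet = "https://wallet.example.invalid" + WALLET_PREFIX + "constructed-token"
    variants = (("missing", ROBOTS_MISSING), ("weak", ROBOTS_WEAK), ("fixed", ROBOTS_FIXED))
    for label, robots in variants:
        print(f"robots.txt {label:8s}: {indexing_exposure(robots, {}, wallet)}")
    noindex = {"X-Robots-Tag": "noindex, nofollow"}
    print(f"missing robots.txt + X-Robots-Tag: {indexing_exposure(ROBOTS_MISSING, noindex, wallet)}")
```

Two points the run makes visible: the "weak" file looks configured yet leaves every wallet page crawlable, and the "fixed" file only blocks crawlers that choose to obey it while advertising the sensitive prefix to anyone who reads it. The header approach avoids the second problem, but neither replaces keeping the secret out of the URL in the first place.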
legendary
Activity: 1400
Merit: 1013
March 27, 2013, 02:21:57 PM
#12
Unless thefounder lies or exaggerates the issue, which is hard to believe.
If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.
cho
full member
Activity: 155
Merit: 100
Boar with me
March 27, 2013, 02:18:57 PM
#11
My opinion: you should have tipped him generously while the topic was hot.
Now that it's cold and thefounder needs to publicly complain about your attitude, you should thank him and pay him 6 hours of consulting time; that would be fair. Unless thefounder lies or exaggerates the issue, which is hard to believe.
Just my opinion.