
Topic: Open Letter to Instawallet (Read 7837 times)

sr. member
Activity: 448
Merit: 251
Bitcoin
March 29, 2013, 11:19:00 PM
#50
Google Webmaster Tools
Ban Directory from being listed (not indexed, listed)

I'm locking this thread.

full member
Activity: 211
Merit: 100
"Living the Kewl Life"
March 29, 2013, 10:37:03 PM
#49
you're going down the right path asking questions if Analytics, Google+, Google Chat, Gmail, etc. were to blame.

Right now Instawallet doesn't refer anything from outside its domain, and even links to outgoing sites are protected behind a redirect wall to prevent the target websites from getting the wallet URL in the referrer. But don't forget that Instawallet had another owner and previously had a different design, and they may have at some point used Google Analytics or a G+ share button. It would be good to know the age of the wallets that were indexed by Google (so we could link them to a certain timespan). And some simple experiments are enough to find out if Google parses chat and emails for URLs and crawls them (create a random address on your server, post it nowhere but in an email/chat and wait for a Googlebot hit).

good point. didn't notice that before.
raises the question, what exactly did the OP do? LOL
sr. member
Activity: 306
Merit: 250
Donations: http://tny.im/nx
March 29, 2013, 06:41:18 PM
#48
you're going down the right path asking questions if Analytics, Google+, Google Chat, Gmail, etc. were to blame.

Right now Instawallet doesn't refer anything from outside its domain, and even links to outgoing sites are protected behind a redirect wall to prevent the target websites from getting the wallet URL in the referrer. But don't forget that Instawallet had another owner and previously had a different design, and they may have at some point used Google Analytics or a G+ share button. It would be good to know the age of the wallets that were indexed by Google (so we could link them to a certain timespan). And some simple experiments are enough to find out if Google parses chat and emails for URLs and crawls them (create a random address on your server, post it nowhere but in an email/chat and wait for a Googlebot hit).
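The canary experiment proposed in the post above, on the detection side. This is an added example, not code from Instawallet or from anyone in the thread: it generates an unguessable canary path and scans access-log lines in the common "combined" format for any request to it, flagging hits whose User-Agent claims to be a search-engine crawler. Every log line, IP address and user agent below is constructed for the example; a real run would post the canary in an email or chat and watch the server's actual log.

```python
"""Added example (not Instawallet's code): detect crawler hits on a canary URL
in combined-format access logs.  All sample data is constructed."""
import re
import secrets

CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp|duckduckbot|baiduspider", re.I)

# Apache/nginx "combined" log format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def new_canary_path(prefix="/w/"):
    """32 random bytes -> 43 URL-safe characters: nobody guesses this."""
    return prefix + secrets.token_urlsafe(32)

def parse_line(line):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def canary_hits(log_lines, canary_path):
    """Every request for the canary path, in log order, with a verdict on
    whether the client *claims* to be a crawler (User-Agent is self-declared)."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line
        if rec["path"].split("?", 1)[0] != canary_path:
            continue  # ignore query-string decorations, keep the path match exact
        rec["claims_crawler"] = bool(CRAWLER_UA.search(rec["ua"]))
        hits.append(rec)
    return hits

def verify_googlebot_dns(ip):
    """Reverse-then-forward DNS check (needs network; not called in demo()).
    Google's own guidance: a genuine Googlebot IP reverse-resolves to a host
    under googlebot.com or google.com, and that host resolves back to the IP."""
    import socket
    host = socket.gethostbyaddr(ip)[0]
    if not host.endswith((".googlebot.com", ".google.com")):
        return False
    return ip in {ai[4][0] for ai in socket.getaddrinfo(host, None)}

# Constructed data: a fixed stand-in canary and five log lines (TEST-NET IPs).
CANARY = "/w/zUEv4pW-canary-for-demo-only-000000000000"
SAMPLE_LOG = [
    '198.51.100.23 - - [29/Mar/2013:18:41:18 +0000] "GET ' + CANARY + ' HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"',
    '198.51.100.23 - - [29/Mar/2013:18:41:19 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"',
    '192.0.2.44 - - [29/Mar/2013:22:05:03 +0000] "GET ' + CANARY + ' HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.45 - - [30/Mar/2013:01:12:40 +0000] "GET ' + CANARY + '?utm_source=x HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '192.0.2.46 - - [30/Mar/2013:01:13 truncated',
]

def demo():
    return canary_hits(SAMPLE_LOG, CANARY)

if __name__ == "__main__":
    for h in demo():
        who = "claims crawler" if h["claims_crawler"] else "browser"
        print(h["time"], h["ip"], who, h["ua"])
```

The first hit is the owner's own visit when posting the canary; the second and third are what the experiment is looking for. A User-Agent string proves nothing on its own, which is why the DNS round-trip check is there for the hits that matter.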
hero member
Activity: 899
Merit: 1002
March 29, 2013, 12:36:33 AM
#47
Davout's profile says he won't be around until Mar 31, though I doubt he will give you a penny anyways. Read this for future disclosure of security holes to vendors, and why you shouldn't do anything because you'll just get fucked one way or another http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/
full member
Activity: 211
Merit: 100
"Living the Kewl Life"
March 29, 2013, 12:28:29 AM
#46
Deal!  what's your business url and I will let you know via PM.  If it is client impacting and is helpful for you then send me some coins.  I don't think they were random either..  I strongly suspect I know what did it and you're going down the right path asking questions if Analytics, Google+, Google Chat, Gmail, etc. were to blame.

well... i just discovered your other thread regarding this topic and i'm beginning to have my doubts
https://bitcointalksearch.org/topic/m.1695310

honestly, until you convince me otherwise this appears to be a whole lot of FUD.

i'm fairly certain that i would have little to no exposure to a similar security risk, given the design of my site and the fact that i don't use ANY google services and have no intention of doing so (but, i'm still guessing as to the basis of your find).

my motivation here is to encourage others to "do the right thing" and report bugs, flaws, etc when they find them; instead of trying to exploit them for profit; and in turn be rewarded for their service. i believe a bug/flaw reward program is something that more companies should offer, especially in the high security, high value world that is Bitcoin.

our service, currently in development is:
https://www.btcvillage.nl
and until i have an opportunity to publish a formal reward program (certainly before we launch), i welcome you (and anyone else for that matter) to review our platform and report their findings. and i can assure you that i WILL be grateful for ANY valid discoveries and show my appreciation with a reasonable amount of monetary compensation
sr. member
Activity: 448
Merit: 251
Bitcoin
March 28, 2013, 07:04:07 PM
#45
The cause is honestly twofold: a lack of SEO experience on Instawallet's side, and a lack of complete honesty from Google's side.

Google's definition of the robots.txt file isn't what you guys think it is.

1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"

They are NOT the same definition.  Not even close.

that's pretty much how i understood it. what i don't get (and the million bitcoin question) is how did google manage to index 3000 random urls in the first place?

i can only assume that it was a related google service acting stealthily on the site (e.g. analytics, google+, etc). again, i'm not so concerned about how you fixed it, so much as to how it happened in the first place.

if this turns out to be an issue that could affect my own business, i'd be more than willing to donate to your discovery.

Deal!  what's your business url and I will let you know via PM.  If it is client impacting and is helpful for you then send me some coins.  I don't think they were random either..  I strongly suspect I know what did it and you're going down the right path asking questions if Analytics, Google+, Google Chat, Gmail, etc. were to blame.

.htaccess is king when it comes to that.

That is one way to fix it, but it's not the only way ... .htaccess is sort of like a broadsword last-ditch coverage attempt... i.e. plan C (if A and B fail), but definitely one of the right things to do because we're all human and we really can never catch everything.



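The "do not spider" versus "do not list" distinction from the post above, worked through in code. This is an added example and not code from Google, Instawallet or anyone in the thread: it is a constructed model of how a well-behaved crawler decides what to do with a URL it already knows about (from a link, a Referer header, a sitemap, or wherever the 3000 wallet URLs came from). The host name, paths, tokens and page bodies are made up. The model generalizes slightly beyond the thread: it also covers the two fixes that actually keep a known URL out of the listing, an `X-Robots-Tag: noindex` header or a `<meta name="robots" content="noindex">` tag, and a 404 for unknown paths.

```python
"""Added example (constructed model, not Google's or Instawallet's code):
what a robots.txt Disallow does and does not buy you."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# The robots.txt most people read as "do not list /w/".
ROBOTS_DISALLOW_WALLETS = "User-agent: *\nDisallow: /w/\n"
# A robots.txt that lets the crawler fetch wallet pages, so it can see noindex.
ROBOTS_ALLOW_ALL = "User-agent: *\nDisallow:\n"

@dataclass
class Page:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed origin server: path -> response.  Unknown paths are a 404.
SERVER = {
    "/": Page(200, body="<html><body>Welcome</body></html>"),
    # a wallet page served with no indexing controls at all
    "/w/plain-token": Page(200, body="<html><body>balance: 1.5 BTC</body></html>"),
    # the same page with an HTTP header that crawlers honour
    "/w/header-token": Page(200, headers={"X-Robots-Tag": "noindex, nofollow"},
                            body="<html><body>balance: 1.5 BTC</body></html>"),
    # the same page with a <meta> robots tag instead
    "/w/meta-token": Page(200, body='<html><head><meta name="robots" content="noindex">'
                                    "</head><body>balance: 1.5 BTC</body></html>"),
}

META_NOINDEX = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]*content=["\'][^"\']*noindex', re.I)

def crawler_decision(url, robots_txt, server=SERVER, agent="*"):
    """How a URL the crawler already knows about ends up in the index.

    Returns one of:
      "listed-url-only"     - robots.txt forbade the fetch, but the URL is
                              known, so it can appear as a bare URL result
      "listed-with-content" - fetched and nothing said noindex
      "not-listed"          - 4xx/410, or noindex via header or <meta>
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # Disallow stops the fetch only.  The crawler never sees the page,
        # so it never sees a noindex either; the URL itself is still known.
        return "listed-url-only"
    page = server.get(urlsplit(url).path)
    if page is None or page.status in (401, 403, 404, 410):
        return "not-listed"
    if "noindex" in page.headers.get("X-Robots-Tag", "").lower():
        return "not-listed"
    if META_NOINDEX.search(page.body):
        return "not-listed"
    return "listed-with-content"

def demo():
    base = "https://wallet.example"  # constructed host name
    return {
        # the thread's situation: Disallow in place, wallet URLs listed anyway
        "disallow+plain": crawler_decision(base + "/w/plain-token", ROBOTS_DISALLOW_WALLETS),
        # Disallow also hides the noindex header from the crawler
        "disallow+header": crawler_decision(base + "/w/header-token", ROBOTS_DISALLOW_WALLETS),
        "allow+plain": crawler_decision(base + "/w/plain-token", ROBOTS_ALLOW_ALL),
        "allow+header": crawler_decision(base + "/w/header-token", ROBOTS_ALLOW_ALL),
        "allow+meta": crawler_decision(base + "/w/meta-token", ROBOTS_ALLOW_ALL),
        "allow+unknown": crawler_decision(base + "/w/does-not-exist", ROBOTS_ALLOW_ALL),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} -> {verdict}")
```

The two "disallow" rows are the point: a Disallow line keeps the crawler from fetching the page, which also keeps it from reading any noindex you put there, and a URL that reached the engine by some other route can still be shown. None of this is a substitute for not making the URL the only secret, which is a separate problem.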
full member
Activity: 211
Merit: 100
"Living the Kewl Life"
March 28, 2013, 03:47:52 PM
#44
The cause is honestly twofold: a lack of SEO experience on Instawallet's side, and a lack of complete honesty from Google's side.

Google's definition of the robots.txt file isn't what you guys think it is.

1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"

They are NOT the same definition.  Not even close.

that's pretty much how i understood it. what i don't get (and the million bitcoin question) is how did google manage to index 3000 random urls in the first place?

i can only assume that it was a related google service acting stealthily on the site (e.g. analytics, google+, etc). again, i'm not so concerned about how you fixed it, so much as to how it happened in the first place.

if this turns out to be an issue that could affect my own business, i'd be more than willing to donate to your discovery.
hero member
Activity: 812
Merit: 587
Space Lord
March 28, 2013, 02:59:32 PM
#43
.htaccess is king when it comes to that.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 28, 2013, 01:56:58 PM
#42
My understanding of the https protocol is that only the host name is visible to an attacker.  Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

I don't think it's a good idea to lay out how I fixed instawallet's problem,  but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.


considering your good intentions in working with the team at instawallet to fix their problem, don't you think it would also be a good idea to proactively help others avoid making the same mistakes? i don't want to make any assumptions as to why they neglected to offer so much as a thank you, but this news is disturbing to myself and i'm sure others as to what google (bing, yahoo, etc) are doing behind the curtain that could be exposing this community to security risks.

i'd actually be much more interested in the cause than the fix anyway.

The cause is honestly twofold: a lack of SEO experience on Instawallet's side, and a lack of complete honesty from Google's side.

Google's definition of the robots.txt file isn't what you guys think it is.

1. You guys all believe it's not a "do not list these directories and pages"
2. Google's definition is "do not spider these directories and pages"

They are NOT the same definition.  Not even close.



legendary
Activity: 952
Merit: 1000
March 28, 2013, 10:20:40 AM
#41
I remember this exact same thing happening last year.
Already searched the forum and couldn't find anything.

This issue has already been discussed a few times here: https://coinad.com/?m=chat

Also, Google doesn't magically get those links.
Someone must have posted them online somewhere.
hero member
Activity: 812
Merit: 587
Space Lord
March 28, 2013, 10:06:37 AM
#40
Users can't protect from that.
Google indexed 3k wallets. You could see them just by typing site:instawallet.org

No, I didn't steal anything and yes, Google removed the links.
full member
Activity: 211
Merit: 100
"Living the Kewl Life"
March 28, 2013, 09:25:21 AM
#39
My understanding of the https protocol is that only the host name is visible to an attacker.  Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

I don't think it's a good idea to lay out how I fixed instawallet's problem,  but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.


considering your good intentions in working with the team at instawallet to fix their problem, don't you think it would also be a good idea to proactively help others avoid making the same mistakes? i don't want to make any assumptions as to why they neglected to offer so much as a thank you, but this news is disturbing to myself and i'm sure others as to what google (bing, yahoo, etc) are doing behind the curtain that could be exposing this community to security risks.

i'd actually be much more interested in the cause than the fix anyway.
hero member
Activity: 812
Merit: 587
Space Lord
March 28, 2013, 01:20:56 AM
#38
This shit really happened?  Shocked
full member
Activity: 151
Merit: 100
March 28, 2013, 01:07:55 AM
#37
they also say they have 3,465,851 wallets, now that is huge
full member
Activity: 151
Merit: 100
March 28, 2013, 12:54:36 AM
#36
is instawallet really that bad?

here is my wallet Smiley

https://instawallet.org/w/youcanputanyrandomkeyandddosthemcool
legendary
Activity: 1190
Merit: 1001
March 27, 2013, 10:57:45 PM
#35
The entire no-security concept of Instawallet seems broken by design.

Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.

Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.

As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.

That said, I can neither believe they didn't put the robots.txt in from the very start; now they seem to have gone so far as to render their very homepage (https) inaccessible to Google!

As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.

I think you hit the nail on the head.  Your browser history/bookmarks are not considered "secret" and plugins may be able to access it.  Once a less than honorable plugin has your history data they can just scan it for "instawallet" and report back all your wallets.

I'm guessing these URLs were gathered from Google chrome data collection.

They really need to stick a password on wallets.
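The point made in the two posts above, that a URL is not a secret and wallets need something more than the URL, expressed as server-side handling. This is an added example and not Instawallet's or Easywallet's code; the in-memory store, the header set and all names are assumptions made for the illustration. It shows a 256-bit token, only a hash of the token stored, no wallet silently created for an unknown URL (the thread notes that on Easywallet "Google robots can make as many wallets as they want"), and response headers that keep the page out of indexes, shared caches and the Referer header of outbound clicks, which is what the redirect wall mentioned earlier in the thread achieves by other means.

```python
"""Added example (not Instawallet's or Easywallet's code): treat a wallet URL
as a credential, not an address.  Store and names are constructed."""
import hashlib
import secrets

# sha256(token) -> wallet.  A leaked copy of this table (backup, SQL injection,
# debug log) does not hand an attacker the URLs, unlike storing raw tokens.
WALLETS = {}

NO_LEAK_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow, noarchive",  # honoured by well-behaved crawlers
    "Cache-Control": "no-store",                     # keep the page out of shared caches
    "Referrer-Policy": "no-referrer",                # outbound clicks do not carry the URL
}

def _key(token):
    # Hash before lookup: the dictionary only ever sees the digest, never the token.
    return hashlib.sha256(token.encode()).hexdigest()

def create_wallet():
    """Wallets exist only when explicitly created; returns the secret path."""
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 URL-safe characters
    WALLETS[_key(token)] = {"balance_satoshi": 0}
    return "/w/" + token

def handle_get(path):
    """GET /w/<token> -> (status, headers, body)."""
    if not path.startswith("/w/"):
        return 404, NO_LEAK_HEADERS, ""
    rec = WALLETS.get(_key(path[3:]))
    if rec is None:
        # The design the thread complains about creates an empty wallet for any
        # never-seen URL, so a crawler can mint thousands.  Here it is a 404.
        return 404, NO_LEAK_HEADERS, ""
    return 200, NO_LEAK_HEADERS, "balance_satoshi: %d" % rec["balance_satoshi"]

def demo():
    """Create one wallet, then fetch it and fetch a guessed path."""
    path = create_wallet()
    own_status = handle_get(path)[0]
    guessed_status = handle_get("/w/" + "a" * 43)[0]
    return path, own_status, guessed_status

if __name__ == "__main__":
    path, own_status, guessed_status = demo()
    print(path, own_status, guessed_status)
```

The headers close the leakage routes the thread identifies (crawlers, caches, Referer); the hashed store and the 404 close the routes it does not mention but a reviewer would ask about. A password or second factor on top, as the post asks for, would sit in front of `handle_get` and is a separate piece of work.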
member
Activity: 84
Merit: 10
Correct Horse Battery Staple
March 27, 2013, 10:50:53 PM
#34
LOL!  Cheesy

Robots.txt is not for security. It is for obscurity!

This attack will happen sooner or later, google or no google.  Roll Eyes

It is too easy if you just need a URL

full member
Activity: 237
Merit: 101
March 27, 2013, 10:06:30 PM
#33
Wow, over 900 wallets exposed at easywallet using the same trick....!

I haven't used those online wallets before. Are they just supposed to be for quick, in-and-out kinds of transactions?
hero member
Activity: 518
Merit: 500
March 27, 2013, 09:05:47 PM
#32
That's fun Smiley The mistake thing, not the situation it caused...nope, both are fun Smiley
According to what has been said, the mistake was stupid, so I guess it was connected with a referrer flaw - there was an external resource on the page or a link to some google service.
donator
Activity: 1468
Merit: 1052
I outlived my lifetime membership:)
March 27, 2013, 08:25:11 PM
#31
That trick works on easywallet too. Hope you're as rich as I am.
sr. member
Activity: 306
Merit: 250
Donations: http://tny.im/nx
March 27, 2013, 06:12:26 PM
#30
When I was halfway through reading your thread about it yesterday, and reading about "100 BTC maximum", Instawallet came to my mind, but the only thing I thought that could be exploitable was something like the form to send Bitcoins out of the wallet, or the API (which is very simple). It never occurred to me that it could be something so simple as Google indexing.
At the same time it makes me wonder; who would post loaded wallet URLs on a place Google could access (because search engines don't guess URLs)? Or should the question be the other way around: is Google getting URLs to scan from places other than web pages (e.g. Google Chat, Chrome...)?
Thanks for discovering googling the issue. It would be great if everyone followed your example.
full member
Activity: 152
Merit: 100
March 27, 2013, 05:48:29 PM
#29
Asking Google not to crawl sensitive pages is a basic foundation of privacy.
legendary
Activity: 873
Merit: 1000
March 27, 2013, 05:25:04 PM
#28
I would have been happy with a thank you,  if extorting them is wondering why I never got thanked then I take issue with your definition of extortion.

if that just happened maybe they were still investigating.   for instance, if a person knows how to get google to explicitly index a URL, then maybe that person could make it look like a security vulnerability exists by creating and funding some wallets then asking instawallet for a reward for "discovering" it -- when no legitimate customer funds were at risk.

so you might be jumping to a conclusion.
hero member
Activity: 518
Merit: 500
March 27, 2013, 05:07:49 PM
#27
One time in the early 90s my dad's car phone was stolen and he put up flyers saying "reward". He didn't reward the guy who brought it back.  So, there's that.
hero member
Activity: 490
Merit: 500
March 27, 2013, 04:57:45 PM
#26
i knew about this for ages...

just google:  site:instawallet.org w

And you would get all the public urls...

Most urls were empty anyway.
legendary
Activity: 1946
Merit: 1035
March 27, 2013, 04:19:30 PM
#25
The entire no-security concept of Instawallet seems broken by design.

Browsers and software in general seldom consider URLs to be secret. As a result, it is easy for many browser plugins or extensions to collect (listen to) every URL accessed by the browser, including https ones, and send them to some database. I also believe many cloud services may exchange bookmarks or such things without proper encryption.

Then, the result of the database can be crawled or indexed by any search engine, and spread across search engines. Legit ones follow the instructions of robots.txt, but non-legit ones could easily spy on Instawallet URLs.

As a software dev I just can't believe that instawallets are not secured by anything, their sole URLs can't be considered as securable, IMO.

That said, I can neither believe they didn't put the robots.txt in from the very start; now they seem to have gone so far as to render their very homepage (https) inaccessible to Google!

As for the non-reward, it's also puzzling to say the least... like you bring back an opened safe that was "lost on the street" to a business owner and not getting anything in return, oh well... keep us posted.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 03:58:58 PM
#24
My understanding of the https protocol is that only the host name is visible to an attacker.  Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.

I don't think it's a good idea to lay out how I fixed instawallet's problem,  but I am fairly certain that Google won't be spidering wallets unless my friends in France decide to do something they shouldn't.
hero member
Activity: 726
Merit: 500
March 27, 2013, 03:56:49 PM
#23
My understanding of the https protocol is that only the host name is visible to an attacker.  Once they are sure the site is locked down, I'd appreciate knowing what the specific vulnerability was.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 03:37:15 PM
#22
Well, I don't know what the issue was with Instawallet, but even with Easywallet you can find a lot of wallets from Google. But they are not user wallets. Google robots can make as many wallets as they want but they won't contain anything.

If there was indeed a leak of user wallets, that is a serious issue to say the least.

There were coins in those wallets.   If someone less than honorable found that they could have easily yesterday cleared off $10,000 worth of bitcoins in a few minutes flat.

legendary
Activity: 2184
Merit: 1056
Affordable Physical Bitcoins - Denarium.com
March 27, 2013, 03:26:16 PM
#21
Well, I don't know what the issue was with Instawallet, but even with Easywallet you can find a lot of wallets from Google. But they are not user wallets. Google robots can make as many wallets as they want but they won't contain anything.

If there was indeed a leak of user wallets, that is a serious issue to say the least.
newbie
Activity: 18
Merit: 0
March 27, 2013, 03:23:57 PM
#20
I want to know how Google found the wallets. Doesn't the fact the Google was even able to find them in the first place imply a deep security problem.
Unless Google found the wallets from data Chrome sent back...
member
Activity: 84
Merit: 10
March 27, 2013, 03:15:33 PM
#19
Well, I've got nothing to do with Instawallet, nor do I use it.

But thank you anyway.
legendary
Activity: 1120
Merit: 1164
March 27, 2013, 03:11:01 PM
#18
That's enough grandstanding, TheFounder. Kicking and screaming is going to push them to ignore you even more.

As for instawallet, they're probably embarrassed and considering how to respond. Give them time. What is it with this community and an inherent sense of entitlement?

...or they found another issue and are scrambling to fix it. Or they want(ed) to give the OP a significant reward, but need approval from their investors/board/mom/whatever. Or their kid got sick. Who knows?

I'd have given it at least a week or two myself, and kept my mouth shut about the issue, in case there were more holes I didn't find let alone all the other possible reasons it's taken them more than a day to respond. Besides frankly I think a more appropriate thing to do is simply ask (privately) for credit for finding the issue rather than turning it into drama. Money is nice, but a good reputation is worth more in the long run.

Having said that... services should be rewarding people who find serious bugs, simply to encourage ethical reporting rather than exploitation.
hero member
Activity: 518
Merit: 500
March 27, 2013, 03:02:16 PM
#17
I would have been happy with a thank you,  if extorting them is wondering why I never got thanked then I take issue with your definition of extortion.

If that is true (I'm not saying it isn't) I think you diluted your message by including an address in you posts.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 02:33:15 PM
#16
So you're extorting them? You want bitcoins because you did the right thing and didn't STEAL, which is morally wrong. Dude, be happy you helped 3,000 people not lose their wealth and stop looking for the coins at the end of the road. I would say good, you helped fix an error, but that you are looking for a handout kinda leaves a bad taste in my mouth.

I would have been happy with a thank you,  if extorting them is wondering why I never got thanked then I take issue with your definition of extortion.

Unless thefounder lies or exaggerates the issue, which is hard to believe.
If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.

That's why I contacted them asap.



legendary
Activity: 1400
Merit: 1013
March 27, 2013, 02:31:27 PM
#15
it sounds like a very basic mistake to me.
We've heard that story many, many times already. "Due to a really basic mistake I accidentally all your bitcoins."
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
March 27, 2013, 02:29:34 PM
#14
That's enough grandstanding, TheFounder. Kicking and screaming is going to push them to ignore you even more.

As for instawallet, they're probably embarrassed and considering how to respond. Give them time. What is it with this community and an inherent sense of entitlement?
cho
full member
Activity: 155
Merit: 100
Boar with me
March 27, 2013, 02:24:38 PM
#13
Unless thefounder lies or exaggerates the issue, which is hard to believe.
If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.
Moreover, that mistake is avoidable with a properly configured robots.txt, it sounds like a very basic mistake to me. That said, it's hard to cover your ass from all the possible mistakes. But that one... Quite a fail.
legendary
Activity: 1400
Merit: 1013
March 27, 2013, 02:21:57 PM
#12
Unless thefounder lies or exaggerates the issue, which is hard to believe.
If the screenshots are true (likely) he just saved their business from total ruin. That flaw could have resulted in a 100% loss of Bitcoins for every single Instawallet user. It would have been the next Bitcoinica.
cho
full member
Activity: 155
Merit: 100
Boar with me
March 27, 2013, 02:18:57 PM
#11
My opinion : you should have tipped him generously while the topic was hot.
Now that it's cold and thefounder needs to publicly complain about your attitude you should thank him and pay him 6 hours of consulting time, that would be fair. Unless thefounder lies or exaggerates the issue, which is hard to believe.
Just my opinion.
hero member
Activity: 518
Merit: 500
March 27, 2013, 02:17:29 PM
#10
Did you tell them up front that you'd be demanding payment?

No I didn't care if it was payment or thank you (I would have liked payment more) but I got neither.


Well, maybe you should have told them first.  Would have probably saved you the time of posting this thread if you had.
legendary
Activity: 1498
Merit: 1000
March 27, 2013, 02:16:53 PM
#10
Dear Instawallet,

Yesterday I discovered a security flaw with your site. I spent nearly 6 hours working with David Francois, Chief Technology Officer at Paymium.

The security flaw impacted roughly 3000 people that use Instawallet, and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central, as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656


So you're extorting them? You want bitcoins because you did the right thing and didn't STEAL, which is morally wrong. Dude, be happy you helped 3,000 people not lose their wealth and stop looking for the coins at the end of the road. I would say good, you helped fix an error, but that you are looking for a handout kinda leaves a bad taste in my mouth.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 02:16:29 PM
#9
Did you tell them up front that you'd be demanding payment?

No I didn't care if it was payment or thank you (I would have liked payment more) but I got neither.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 02:15:11 PM
#8
The day we institute a Bitcoin Citizen of the Month award, I nominate The Founder  Cheesy

Agreed! Hat tip to you, sir.

LOL hat tip here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

Seriously it would shove a thank you down their throat if people donated realizing I did what instawallet should have.
hero member
Activity: 518
Merit: 500
March 27, 2013, 02:14:38 PM
#7
Did you tell them up front that you'd be demanding payment?
hero member
Activity: 609
Merit: 506
March 27, 2013, 02:13:52 PM
#6
The day we institute a Bitcoin Citizen of the Month award, I nominate The Founder  Cheesy

Agreed! Hat tip to you, sir.
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 02:13:43 PM
#5
The day we institute a Bitcoin Citizen of the Month award, I nominate The Founder  Cheesy

You can nominate me here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

Seriously it's wrong what Instawallet did...  I spent a whole day fixing their crap.  they won't even say thanks or give me a Satoshi.

legendary
Activity: 1106
Merit: 1001
March 27, 2013, 02:11:45 PM
#4
The day we institute a Bitcoin Citizen of the Month award, I nominate The Founder  Cheesy
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 02:11:33 PM
#3
Great to hear!

You should read the whole article... 


Quote
After spending 6 hours of my time trying to fix your problem, a problem that I didn't create, nor really discover. What happened was Google indexed them. I ran a site command working on a client's site and cut and pasted instawallet rather than the client's URL by accident, and I was then greeted with the bitcoins of 3000 of your users.

I did what any responsible person should do, I contacted you.

At the end of a day’s work helping and SOLVING your security flaw, I stated “you should tip me some bitcoins Smiley
Of course you disappeared.

Would it really have hurt you to say thanks
sr. member
Activity: 300
Merit: 250
BitcoinStarter.com Support Account
March 27, 2013, 02:08:52 PM
#2
Dear Instawallet,

Yesterday I discovered a security flaw with your site. I spent nearly 6 hours working with David Francois, Chief Technology Officer at Paymium.

The security flaw impacted roughly 3000 people that use Instawallet, and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central, as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656


Great to hear!
sr. member
Activity: 448
Merit: 251
Bitcoin
March 27, 2013, 02:07:42 PM
#1
Dear Instawallet,

Yesterday I discovered a security flaw with your site. I spent nearly 6 hours working with David Francois, Chief Technology Officer at Paymium.

The security flaw impacted roughly 3000 people that use Instawallet, and indirectly Paymium, Paytunia, Instawire, and Bitcoin Central, as all of these companies are yours.

After 6 hours of work, I can finally confirm that the security flaw is fixed. The security flaw was serious in my opinion, as all the URLs of roughly 3000 people were publicly listed.

http://www.adaptiveglass.com/?p=656