Please delete - page 3. | Bitcointalksearch.org

piuk

hero member

Activity: 910

Merit: 1005

Roger has pointed me to this thread.

Roger owns part of blockchain, so has access to the admin panel along with me. The admin panel is very basic but there is the ability to query wallets based on certain information. Recently the ability to query a wallet by bitcoin address was added, when notifications are enabled.

These queries are designed to help users recover a forgotten wallet identifier and is not supposed to be used for any other purpose.

If a wallet is found the results are shown as follows:

[Wallet {email='[email protected]'
, guid='abf66471-fe0a-6820-8977-55d7e8c1f6b2'
, shared_key='XXX-XXX-XXX-XXX'
, secret_phrase='My Secret'
, alias='piuk'
, created=Tue Jan 03 12:52:07 GMT 2012
, updated=Tue Dec 18 19:47:40 GMT 2012
, created_ip='81.187.238.52'
, updated_ip='127.0.0.1'
, sms_number='+44 7525431876'
, country='GBP'}
]

So you have the date the wallet was created, when it was last updated, the ip that created it and the ip that updated it. The secret phrase is the phrase required in order to reset two-factor authentication, not the password. The password, wallet balance, other addresses cannot be viewed.

I am going to change notifications to store SHA256(bitcoin_address) rather than the plain bitcoin address which will remove the ability to lookup a wallet by address entirely.

nethead

sr. member

Activity: 322

Merit: 250

Quote from: MemoryDealers on December 19, 2012, 07:32:01 AM

He has also since threatened my family with the following statement that is obviously directed towards me: "FuckingTheDeadBodyOfRogersMom"

How the threat was made and by what kind of media?
[/quote]

Guess, blockchain secret key

MemoryDealers

vip

Activity: 1052

Merit: 1155

Quote from: CharlieContent on December 19, 2012, 09:35:31 AM

Quote from: MemoryDealers on December 19, 2012, 09:30:50 AM

Otherwise I could have reset your password and taken the money you owe me.

Wow. What a scumbag.

Why should anyone trust you after this? After all, you have no problems going into people's accounts and just taking what you think you are owed in a completely separate business venture. You claim not to be capable, but I'm not sure that I believe a word you say.

BlockChain.info says: "Be your own bank"

What it actually means is: "Open an account at the Roger Ver Bank."

Please look up the difference between "could" and "would"

I would never do such a thing even if I could.

augustocroppo

vip

Activity: 756

Merit: 504

Quote from: MemoryDealers on December 19, 2012, 05:14:12 AM

The Bitcoin address and payments in question are: http://blockchain.info/address/1H4UR5M72Ybpo4zrqWe8JKKYSeN1gxqBcU

What are the transactions ID of the BTC supposedly sent to Nikolaos?

Quote from: MemoryDealers on December 19, 2012, 07:32:01 AM

The current privacy policy states:

But we will disclose these information ...... to protect against misuse or unauthorized use of our website.

I think this falls pretty clearly within that.

That is not what the privacy policy implies. Your policy suggest that you will only disclose personal information only when legally required by a government agency. Moreover, the user did not misused the Internet page.

http://memorydealers.com/terms-and-privacy/

Quote from: MemoryDealers on December 19, 2012, 07:32:01 AM

He has also since threatened my family with the following statement that is obviously directed towards me: "FuckingTheDeadBodyOfRogersMom"

How the threat was made and by what kind of media?

HostFat

staff

Activity: 4270

Merit: 1209

I support freedom of choice

Quote from: MemoryDealers on December 19, 2012, 09:30:50 AM

This is NO PASSWORD RESET for Blockchain.info

If you have a secure password, your money is safe no matter what.

Otherwise I could have reset your password and taken the money you owe me.

Can you contact another admin of blockchain.info and acting as someone else that wants back his own wallet? (and giving the secretpass)
If this is an open possibility, than it's better to find a way to make it harder or better impossible.

Saving the hash of the password seems a good start.

CharlieContent

full member

Activity: 210

Merit: 100

Quote from: MemoryDealers on December 19, 2012, 09:30:50 AM

Otherwise I could have reset your password and taken the money you owe me.

Wow. What a scumbag.

Why should anyone trust you after this? After all, you have no problems going into people's accounts and just taking what you think you are owed in a completely separate business venture. You claim not to be capable, but I'm not sure that I believe a word you say.

BlockChain.info says: "Be your own bank"

What it actually means is: "Open an account at the Roger Ver Bank."

Bitcoinin

newbie

Activity: 44

Merit: 0

Quote from: Raoul Duke on December 19, 2012, 09:28:10 AM

And so it started, the shitstorm: https://bitcointalksearch.org/topic/memorydealerscom-founder-roger-ver-abuses-admin-access-at-blockchaininfo-131608

Blockchain.info has some of the best services for newbies - can we please not scare them off and do as much damage control here as possible?

Deprived

hero member

Activity: 532

Merit: 500

Quote from: MemoryDealers on December 19, 2012, 09:21:17 AM

This is a secret phrase that can be used to help blockchain verify your identity in case of a lost wallet identifier or yubikey or other 2nd factor authentification reset request. It in no way grants access to the account funds in any way.

Basically it is used so Blockchain can verify that they are communicating with the actual account owner or a part-owner of the site or anyone else allowed to just look these up..

FYP

MemoryDealers

vip

Activity: 1052

Merit: 1155

Quote from: nethead on December 19, 2012, 09:27:33 AM

And reset their passwords? maybe?

This is NO PASSWORD RESET for Blockchain.info

If you have a secure password, your money is safe no matter what.

Otherwise I could have reset your password and taken the money you owe me.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

And so it started, the shitstorm: https://bitcointalksearch.org/topic/memorydealerscom-founder-roger-ver-abuses-admin-access-at-blockchaininfo-131608

nethead

sr. member

Activity: 322

Merit: 250

Quote from: MemoryDealers on December 19, 2012, 09:21:17 AM

Quote from: greyhawk on December 19, 2012, 09:17:07 AM

Quote from: MemoryDealers on December 19, 2012, 09:15:31 AM

Quote from: greyhawk on December 19, 2012, 09:13:49 AM

Wait, wait, wait. So Roger Ver has access to see users wallet passwords in plaintext? So he can theoretically log in to any account on Blockchain.info and send himself whatever he wants? Blaming it on "hackers"? Is that what is happening here?

NO, this is not possible.

If it was, I could have just taken my money back, and none of this would have been an issue.

What is this then?

Quote

secret_phrase='Neurobion'

Sincere question, I've never used bitchain.

This is a secret phrase that can be used to help blockchain verify your identity in case of a lost wallet identifier or yubikey or other 2nd factor authentification reset request. It in no way grants access to the account funds in any way.

Basically it is used so Blockchain can verify that they are communicating with the actual account owner.

And reset their passwords? maybe?

Ill try to stay ontopic: Just a reminder I do not owe you anything. I got what i have sent you, then the address was gotten by someone else. It WAS anon. And i re-request proof which you dont give that it isnt

Also, why some people try to get into my account? I got my funds away as soon as he showed me that he has access to that info, MY info!

ribuck

donator

Activity: 826

Merit: 1060

Quote from: MemoryDealers on December 19, 2012, 09:21:17 AM

This is a secret phrase that can be used to help blockchain verify your identity in case of a lost wallet identifier or yubikey or other 2nd factor authentification reset request. It in no way grants access to the account funds in any way.

Basically it is used so Blockchain can verify that they are communicating with the actual account owner.

So obviously it needs to be securely hashed, or else anyone who compromises the database (or has authorised access to it) can impersonate the actual account owner.

MemoryDealers

vip

Activity: 1052

Merit: 1155

Quote from: HostFat on December 19, 2012, 09:18:51 AM

I want to know every informations that an admin of blockchain.info can see.
I thought that most of them were encrypted...

It is all encrypted, but it depends on your privacy settings.

Quoted from: https://blockchain.info/wallet/anonymity

Alerts Disabled: If you have notifications disabled your public keys are stored encrypted inside your wallet. In this mode we are unable to view your public keys and hence cannot view your balance or transactions.

Alerts Enabled: When notifications are enabled your public keys are inserted in a separate table along with your email, skype handle or google talk username. This mode does sacrifice some Anonymity as we can now see your public keys and view your wallet balance. However just because a wallet contains a public key does not necessarily mean they are the owner of said key (as you can add keys without the respective private key).

In this case the scammer with my bitcoins had Alerts enabled for his wallet, so I could easily verify %100 for sure that he has my money in his Blockchain wallet.

If he had his alerts set to Disabled, I wouldn't know if he really had my money or not.

John (John K.)

legendary

Activity: 1288

Merit: 1227

Away on an extended break

Quote from: greyhawk on December 19, 2012, 09:17:07 AM

Quote from: MemoryDealers on December 19, 2012, 09:15:31 AM

Quote from: greyhawk on December 19, 2012, 09:13:49 AM

Wait, wait, wait. So Roger Ver has access to see users wallet passwords in plaintext? So he can theoretically log in to any account on Blockchain.info and send himself whatever he wants? Blaming it on "hackers"? Is that what is happening here?

NO, this is not possible.

If it was, I could have just taken my money back, and none of this would have been an issue.

What is this then?

Quote

secret_phrase='Neurobion'

Sincere question, I've never used bitchain.

That would be a key to retrieve wallet identifiers or disable the 2FA:

Quote

Secret Phrase
A secret phrase can be set in your "Account Details" panel after login. In the case of lost wallet identifiers, yubikeys or lost email access the secret phrase can be given to us to help verify account ownership. This is reviewed manually on a case by case basis.

The password used to encrypt the wallet containing the privkeys is not sent to the server.

MemoryDealers

vip

Activity: 1052

Merit: 1155

Quote from: greyhawk on December 19, 2012, 09:17:07 AM

Quote from: MemoryDealers on December 19, 2012, 09:15:31 AM

Quote from: greyhawk on December 19, 2012, 09:13:49 AM

Wait, wait, wait. So Roger Ver has access to see users wallet passwords in plaintext? So he can theoretically log in to any account on Blockchain.info and send himself whatever he wants? Blaming it on "hackers"? Is that what is happening here?

NO, this is not possible.

If it was, I could have just taken my money back, and none of this would have been an issue.

What is this then?

Quote

secret_phrase='Neurobion'

Sincere question, I've never used bitchain.

This is a secret phrase that can be used to help blockchain verify your identity in case of a lost wallet identifier or yubikey or other 2nd factor authentification reset request. It in no way grants access to the account funds in any way.

Basically it is used so Blockchain can verify that they are communicating with the actual account owner.

HostFat

staff

Activity: 4270

Merit: 1209

I support freedom of choice

I want to know every informations that an admin of blockchain.info can see.
I thought that most of them were encrypted...

greyhawk

hero member

Activity: 952

Merit: 1009

Quote from: MemoryDealers on December 19, 2012, 09:15:31 AM

Quote from: greyhawk on December 19, 2012, 09:13:49 AM

Wait, wait, wait. So Roger Ver has access to see users wallet passwords in plaintext? So he can theoretically log in to any account on Blockchain.info and send himself whatever he wants? Blaming it on "hackers"? Is that what is happening here?

NO, this is not possible.

If it was, I could have just taken my money back, and none of this would have been an issue.

What is this then?

Quote

secret_phrase='Neurobion'

Sincere question, I've never used bitchain.

nethead

sr. member

Activity: 322

Merit: 250

Quote from: greyhawk on December 19, 2012, 09:13:49 AM

Wait, wait, wait. So Roger Ver has access to see users wallet passwords in plaintext? So he can theoretically log in to any account on Blockchain.info and send himself whatever he wants? Blaming it on "hackers"? Is that what is happening here?

I guess but this is not the case. He admited that he has access to the given info, dont know if he can manage too

MemoryDealers

vip

Activity: 1052

Merit: 1155

Quote from: ThomasV on December 19, 2012, 09:13:10 AM

Roger, can you please cool down, blank your first post, and seek a better outcome than a flamewar?

I don't want the next news article about Bitcoin to be entitled "In the lawless Bitcoin world, business owners seek revenge by publishing customer information"

Done.

MemoryDealers

vip

Activity: 1052

Merit: 1155

Quote from: greyhawk on December 19, 2012, 09:13:49 AM

Wait, wait, wait. So Roger Ver has access to see users wallet passwords in plaintext? So he can theoretically log in to any account on Blockchain.info and send himself whatever he wants? Blaming it on "hackers"? Is that what is happening here?

NO, this is not possible.

If it was, I could have just taken my money back, and none of this would have been an issue.

Topic: Please delete - page 3. (Read 23111 times)