technical question - is a fake unconfirmed transaction possible?

michagogo

member

Activity: 80

Merit: 10

Quote from: e4xit on November 19, 2013, 05:58:18 AM

Holy shitballs dude, decent coinflow through your address Wink

https://blockchain.info/address/1DkyBEKt5S2GDtv7aQw6rQepAvnsRyHoYM?offset=650&filter=0

I don't think that 1DkyBEKt5S2GDtv7aQw6rQepAvnsRyHoYM is his address.

Quote from: gmaxwell on August 19, 2013, 05:07:58 PM

I manually authored a transaction which claimed to spend some coin which belonged to someone else, and claimed to pay me 21m BTC... and submitted it through their raw txn submission interface. The site pretty much validated nothing in the past.

e4xit

sr. member

Activity: 302

Merit: 250

Quote from: gmaxwell on August 19, 2013, 04:45:50 PM

Depends on what you mean by fake and who you trust to tell you about it (a real screenshot someone took of some fun and games I had at bc.i, ... they subsequently fixed that particular bug).

Holy shitballs dude, decent coinflow through your address Wink

https://blockchain.info/address/1DkyBEKt5S2GDtv7aQw6rQepAvnsRyHoYM?offset=650&filter=0

Also, what is your opinion on the blockchain.info coinjoin implementation? Now that it is running at 0% fee, is it worth sticking everything through the 10 iterations, or what?

Andrey

hero member

Activity: 588

Merit: 500

Quote from: gmaxwell on August 19, 2013, 05:07:58 PM

I manually authored a transaction which claimed to spend some coin which belonged to someone else, and claimed to pay me 21m BTC... and submitted it through their raw txn submission interface. The site pretty much validated nothing in the past.

These days it seems to pass everything through a standard Bitcoin node, so its potentially less vulnerable to this kind of funny business, though it also fails to display a lot valid but unusual transactions. Though I did pull of an in-transaction XSS attack against it last week.

Quote from: og kush420 on August 19, 2013, 05:01:34 PM

before it is verified, the recipient still knows there is an incoming transaction, even though is not verified, correct? i have seen this on clients, like " incoming transaction, 0/6" is this correct? so what if you send bitcoins that don't exist without this step "send it the 8+ nodes you are connected to."

Absent bugs the reference software can't be tricked this way.

I am not very good in bitcoin internals, but it seems some tricks are still could be done with blockchain.info . Here is the fake transaction trying to make public believe that bitbonanza auction deposit was done by bitbonanza itself. https://blockchain.info/ru/address/12kBb6UA5ZCXkDgrivpBa9jwmbquH7MGod

smolen

hero member

Activity: 524

Merit: 500

Quote from: gmaxwell on August 19, 2013, 09:14:41 PM

No, I put javascript in the actual script of a transaction with it decoded and displayed without escaping.

The next thing to worry are SQL injections

gmaxwell

staff

Activity: 4284

Merit: 8808

Quote from: og kush420 on August 19, 2013, 08:57:23 PM

How did you pull of the xss? im guessing you put javascript in the comment thing? i have seen them on the page

No, I put javascript in the actual script of a transaction with it decoded and displayed without escaping.

og kush420

full member

Activity: 1050

Merit: 110

Quote from: gmaxwell on August 19, 2013, 05:07:58 PM

I manually authored a transaction which claimed to spend some coin which belonged to someone else, and claimed to pay me 21m BTC... and submitted it through their raw txn submission interface. The site pretty much validated nothing in the past.

These days it seems to pass everything through a standard Bitcoin node, so its potentially less vulnerable to this kind of funny business, though it also fails to display a lot valid but unusual transactions. Though I did pull of an in-transaction XSS attack against it last week.

Quote from: og kush420 on August 19, 2013, 05:01:34 PM

before it is verified, the recipient still knows there is an incoming transaction, even though is not verified, correct? i have seen this on clients, like " incoming transaction, 0/6" is this correct? so what if you send bitcoins that don't exist without this step "send it the 8+ nodes you are connected to."

Absent bugs the reference software can't be tricked this way.

How did you pull of the xss? im guessing you put javascript in the comment thing? i have seen them on the page

Code:

Public Note:

gmaxwell

staff

Activity: 4284

Merit: 8808

I manually authored a transaction which claimed to spend some coin which belonged to someone else, and claimed to pay me 21m BTC... and submitted it through their raw txn submission interface. The site pretty much validated nothing in the past.

These days it seems to pass everything through a standard Bitcoin node, so its potentially less vulnerable to this kind of funny business, though it also fails to display a lot valid but unusual transactions. Though I did pull of an in-transaction XSS attack against it last week.

Quote from: og kush420 on August 19, 2013, 05:01:34 PM

before it is verified, the recipient still knows there is an incoming transaction, even though is not verified, correct? i have seen this on clients, like " incoming transaction, 0/6" is this correct? so what if you send bitcoins that don't exist without this step "send it the 8+ nodes you are connected to."

Absent bugs the reference software can't be tricked this way.

og kush420

full member

Activity: 1050

Merit: 110

Quote from: TierNolan on August 19, 2013, 04:13:17 PM

Quote from: og kush420 on August 19, 2013, 04:07:38 PM

is it possible to send a fake/spoofed unconfirmed transaction? no i do not plan on doing this, but i just had the thought looking on blockchain.
sorry if this is a noob question. and i did search google before asking this...

Fake in what way?

The process for spending money is to create a transaction and send it the 8+ nodes you are connected to.

They verify it and then send it onward.

I think they might not forward transactions unless they know about all the inputs.

before it is verified, the recipient still knows there is an incoming transaction, even though is not verified, correct? i have seen this on clients, like " incoming transaction, 0/6" is this correct? so what if you send bitcoins that don't exist without this step "send it the 8+ nodes you are connected to."

og kush420

full member

Activity: 1050

Merit: 110

Quote from: gmaxwell on August 19, 2013, 04:45:50 PM

Depends on what you mean by fake and who you trust to tell you about it (a real screenshot someone took of some fun and games I had at bc.i, ... they subsequently fixed that particular bug).

woh, nice haha, that is what im talking about, how did you do that?

gmaxwell

staff

Activity: 4284

Merit: 8808

Depends on what you mean by fake and who you trust to tell you about it (a real screenshot someone took of some fun and games I had at bc.i, ... they subsequently fixed that particular bug).

TierNolan

legendary

Activity: 1232

Merit: 1094

Quote from: og kush420 on August 19, 2013, 04:07:38 PM

is it possible to send a fake/spoofed unconfirmed transaction? no i do not plan on doing this, but i just had the thought looking on blockchain.
sorry if this is a noob question. and i did search google before asking this...

Fake in what way?

The process for spending money is to create a transaction and send it the 8+ nodes you are connected to.

They verify it and then send it onward.

I think they might not forward transactions unless they know about all the inputs.

og kush420

full member

Activity: 1050

Merit: 110

is it possible to send a fake/spoofed unconfirmed transaction? no i do not plan on doing this, but i just had the thought looking on blockchain.
sorry if this is a noob question. and i did search google before asking this...

Topic: technical question - is a fake unconfirmed transaction possible? (Read 1529 times)