Author

Topic: xmrwallet.com steals your private keys (Read 151 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
May 12, 2024, 11:38:51 AM
#8
Here's the data request on /getbalance.php


That's base64 encoding. Can someone try to base64decode it and post the output here (in hex, if it is binary)?
hero member
Activity: 1554
Merit: 880
pxzone.online
That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.

Until this user posts some actual evidence, I'm not one to say. It's been out there  a while, so yeah it's technically open source, but can you understand it?

Maybe this is it? Grin

https://github.com/XMRWallet/Website/blob/master/src/js/monero.js#L3755
The monero.js is an open source made by others to create a wallet and other monero-related stuff.

I have edited my post above upon checking the website. Other files were not existing in the repo. So it's good to say that the project is not fully open source in my POV as i can't read the /app.js as it's obsfucated, especially the POST data requests.
legendary
Activity: 3570
Merit: 1959
That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.

Until this user posts some actual evidence, I'm not one to say. It's been out there  a while, so yeah it's technically open source, but can you understand it?

Maybe this is it? Grin

https://github.com/XMRWallet/Website/blob/master/src/js/monero.js#L3755

hero member
Activity: 1554
Merit: 880
pxzone.online
That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.

Edit: I checked the website, OP is talking right with data request to /getbalance.php in the /app.js, but you can't read the actual code because it's been obfuscate and i checked the github repo and there's no /getbalance.php file.

Here's the data request on /getbalance.php


legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.
Can you bring some of the posts from the web so that we know some victims. Losing a coin from any wallet mostly users fault. Even after more than a decade, still a majority of the crypto users do not know the usual practices of securing their wallet. I have know people who kept their backup on Google Drive.
legendary
Activity: 2338
Merit: 1261
Heisenberg
I don't know about programming and code, but when I checked their repository on GitHub. I don't to see any open ior closed ssue talking about the vulnerability or stealing off private keys. Don't you think it would be a good thing to open up an issue about it over there for all to see?

https://github.com/XMRWallet/Website/issues
legendary
Activity: 3570
Merit: 1959
Interesting. Never heard of this. 6 years and its on github?

Can you show or tell me where in the tree this file that does this resides please?

https://github.com/XMRWallet/Website/tree/master/src/js

Thanks!
newbie
Activity: 1
Merit: 0
There's this long-running Monero web wallet xmrwallet.com

They claim to be client-side JS, which is true, and the keys are generated on client-side, but the issue is that if you check the network tab of your browser and observe the requests made to the server-side PHPs after creating a wallet you'll notice that in first or second periodic balance calls on the dashboard page it'll include a mysterious field named `data`. Value of this field includes your private key with a thin obfuscation. This field stops existing in any subsequent requests.

Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.

Also the owner is using an obviously fake persona, doesn't take genius to see that.

It's quite sad to think that this person has probably stolen more than few million dollars since starting operating 6 years ago, just by wrapping official Monero software behind their PHP and throwing together few novicely-written JS scripts and a dumb landing page.
Jump to: