Here's the data request on /getbalance.php
That's base64 encoding. Can someone try to base64decode it and post the output here (in hex, if it is binary)?
Topic: xmrwallet.com steals your private keys (Read 128 times)
That's base64 encoding. Can someone try to base64decode it and post the output here (in hex, if it is binary)?
That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.
Until this user posts some actual evidence, I'm not one to say. It's been out there a while, so yeah it's technically open source, but can you understand it?
Maybe this is it?
https://github.com/XMRWallet/Website/blob/master/src/js/monero.js#L3755
I have edited my post above upon checking the website. Other files were not existing in the repo. So it's good to say that the project is not fully open source in my POV as i can't read the /app.js as it's obsfucated, especially the POST data requests.
That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.
Until this user posts some actual evidence, I'm not one to say. It's been out there a while, so yeah it's technically open source, but can you understand it?
Maybe this is it?
https://github.com/XMRWallet/Website/blob/master/src/js/monero.js#L3755
That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.
Edit: I checked the website, OP is talking right with data request to /getbalance.php in the /app.js, but you can't read the actual code because it's been obfuscate and i checked the github repo and there's no /getbalance.php file.
Here's the data request on /getbalance.php
Edit: I checked the website, OP is talking right with data request to /getbalance.php in the /app.js, but you can't read the actual code because it's been obfuscate and i checked the github repo and there's no /getbalance.php file.
Here's the data request on /getbalance.php
Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.
Can you bring some of the posts from the web so that we know some victims. Losing a coin from any wallet mostly users fault. Even after more than a decade, still a majority of the crypto users do not know the usual practices of securing their wallet. I have know people who kept their backup on Google Drive. 
I don't know about programming and code, but when I checked their repository on GitHub. I don't to see any open ior closed ssue talking about the vulnerability or stealing off private keys. Don't you think it would be a good thing to open up an issue about it over there for all to see?
https://github.com/XMRWallet/Website/issues
https://github.com/XMRWallet/Website/issues
Interesting. Never heard of this. 6 years and its on github?
Can you show or tell me where in the tree this file that does this resides please?
https://github.com/XMRWallet/Website/tree/master/src/js
Thanks!
Can you show or tell me where in the tree this file that does this resides please?
https://github.com/XMRWallet/Website/tree/master/src/js
Thanks!
There's this long-running Monero web wallet xmrwallet.com
They claim to be client-side JS, which is true, and the keys are generated on client-side, but the issue is that if you check the network tab of your browser and observe the requests made to the server-side PHPs after creating a wallet you'll notice that in first or second periodic balance calls on the dashboard page it'll include a mysterious field named `data`. Value of this field includes your private key with a thin obfuscation. This field stops existing in any subsequent requests.
Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.
Also the owner is using an obviously fake persona, doesn't take genius to see that.
It's quite sad to think that this person has probably stolen more than few million dollars since starting operating 6 years ago, just by wrapping official Monero software behind their PHP and throwing together few novicely-written JS scripts and a dumb landing page.
They claim to be client-side JS, which is true, and the keys are generated on client-side, but the issue is that if you check the network tab of your browser and observe the requests made to the server-side PHPs after creating a wallet you'll notice that in first or second periodic balance calls on the dashboard page it'll include a mysterious field named `data`. Value of this field includes your private key with a thin obfuscation. This field stops existing in any subsequent requests.
Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.
Also the owner is using an obviously fake persona, doesn't take genius to see that.
It's quite sad to think that this person has probably stolen more than few million dollars since starting operating 6 years ago, just by wrapping official Monero software behind their PHP and throwing together few novicely-written JS scripts and a dumb landing page.
Jump to: