Silk Road forums

Discussion => Security => Topic started by: Heyenezz on February 18, 2012, 07:06 am

Title: Instawallet Security?
Post by: Heyenezz on February 18, 2012, 07:06 am
I use instawallet (www.instawallet.org) to launder bitcoins.

How secure would my bitcoins be against theft? Bitcoin addresses are in the public block chain, but I don't see how someone could tell which ones were instawallet addresses. Even then, they couldn't necessarily access them because you need the unique URL to do that.

Am I missing something here?

Thanks for any help!
Title: Re: Instawallet Security?
Post by: a_blackbird on February 18, 2012, 07:09 am
Assuming there's no weakness in the instawallet code that would allow someone to do an SQL injection and get the list of wallet URLs, I think your bitcoins are probably fairly secure.  Just having a BTC address wouldn't be enough to get the URL, and aside from the instawallet "green address", there's nothing about a particular BTC address that would indicate anything about it belonging to instawallet.

IMHO, the greatest risk to your BTC at instawallet is your own memory or lack of care in keeping track of your wallet URL.
Title: Re: Instawallet Security?
Post by: Heyenezz on February 18, 2012, 07:43 am
Assuming there's no weakness in the instawallet code that would allow someone to do an SQL injection and get the list of wallet URLs, I think your bitcoins are probably fairly secure.  Just having a BTC address wouldn't be enough to get the URL, and aside from the instawallet "green address", there's nothing about a particular BTC address that would indicate anything about it belonging to instawallet.

IMHO, the greatest risk to your BTC at instawallet is your own memory or lack of care in keeping track of your wallet URL.

I've read that phrase "SQL injection." What is it? I access instawallet using Tor if that makes any difference.

I bookmark all my instawallet pages.
Title: Re: Instawallet Security?
Post by: a_blackbird on February 18, 2012, 08:00 am
An SQL injection is an attack against a web server (usually) whereby the attacker is able to circumvent any sort of input-sanitizing code (or maybe there is no input-sanitizing code) and get some arbitrary queries to run against the database.  For example, suppose a website has a form on it that asks for a username and then passes that data directly to a database query without doing any kind of input checking.

$username = read_from_form;
run_query("SELECT foo FROM users WHERE username = $username ");
...

The would-be attacker might enter something like:
'baz' OR 1=1; DROP table users;

And the script might actually delete the users table - because it didn't properly handle the user input and it sees two valid SQL queries and tries to execute them both.  Or, instead of dropping the user table, you might try to select all the data from the user table, or see what other tables are available and pull all the data out of them.  There are plenty of easy ways to protect against this sort of attack - I think it's unlikely that the instawallet site is vulnerable to something so simple.

Accessing instawallet via Tor has no bearing at all on whether or not it's vulnerable to an SQL injection - if such a hole existed, this would be a vulnerability on the instawallet server; it wouldn't have anything to do with you or any other end user.
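
The query from the post above next to its parameterized counterpart, as an added example that is not part of the original thread. It assumes Python's standard-library sqlite3 module, a constructed in-memory users table, and hypothetical function names; the vulnerable version runs each ';'-separated statement in turn to model a driver that accepts stacked queries.

```python
import sqlite3

PAYLOAD = "'baz' OR 1=1; DROP table users;"  # the input quoted in the post


def make_db():
    """Constructed sample data: in-memory users table with two rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (username TEXT, foo TEXT);"
        "INSERT INTO users VALUES ('alice', 'alice-secret');"
        "INSERT INTO users VALUES ('bob', 'bob-secret');"
    )
    return db


def users_table_exists(db):
    cur = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    )
    return cur.fetchone() is not None


def lookup_vulnerable(db, username):
    # Form input is pasted into the SQL text, as in the post's pseudocode.
    sql = "SELECT foo FROM users WHERE username = " + username
    rows = []
    # Assumption: the driver accepts stacked queries. sqlite3's execute()
    # refuses them, so each ';'-separated statement is run in turn.
    for stmt in sql.split(";"):
        if stmt.strip():
            rows += db.execute(stmt).fetchall()
    return rows


def lookup_safe(db, username):
    # Placeholder binding: the input is only ever a value compared with
    # the username column, never parsed as SQL.
    cur = db.execute("SELECT foo FROM users WHERE username = ?", (username,))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print("safe:", lookup_safe(db, PAYLOAD), users_table_exists(db))
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD), users_table_exists(db))
```

With the bound parameter the same input matches no row and the table survives; with string concatenation every row comes back and the table is gone.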
Title: Re: Instawallet Security?
Post by: supersecretsquirrel on February 18, 2012, 08:06 am
I use instawallet (www.instawallet.org) to launder bitcoins.

1. Don't store your coins in an instawallet-wallet for too long.
2. Don't store all of your coins in the same wallet.
Title: Re: Instawallet Security?
Post by: ThisOneGuy on February 18, 2012, 03:12 pm
I have wondered the same thing about instawallet.  Since you don't need a password, only a URL, wouldn't it be very possible for a Tor exit node to see what URL you used and steal your bitcoins?
Title: Re: Instawallet Security?
Post by: QTC on February 18, 2012, 05:49 pm
I have wondered the same thing about instawallet.  Since you don't need a password, only a URL, wouldn't it be very possible for a Tor exit node to see what URL you used and steal your bitcoins?
ssl encrypts urls
Title: Re: Instawallet Security?
Post by: Heyenezz on February 19, 2012, 02:47 am
Sweet, so long as I split my bitcoins among sufficiently many instawallets for short durations then I should be secure.