Silk Road forums
Discussion => Security => Topic started by: Heyenezz on February 18, 2012, 07:06 am
-
I use instawallet (www.instawallet.org) to launder bitcoins.
How secure would my bitcoins be against theft? Bitcoin addresses are in the public block chain, but I don't see how someone could tell which ones were instawallet addresses. Even then, they couldn't necessarily access them because you need the unique URL to do that.
Am I missing something here?
Thanks for any help!
-
Assuming there's no weakness in the instawallet code that would allow someone to do an SQL injection and get the list of wallet URLs, I think your bitcoins are probably fairly secure. Just having a BTC address wouldn't be enough to get the URL, and aside from the instawallet "green address", there's nothing about a particular BTC address that would indicate anything about it belonging to instawallet.
IMHO, the greatest risk to your BTC at instawallet is your own memory or lack of care in keeping track of your wallet URL.
-
Assuming there's no weakness in the instawallet code that would allow someone to do an SQL injection and get the list of wallet URLs, I think your bitcoins are probably fairly secure. Just having a BTC address wouldn't be enough to get the URL, and aside from the instawallet "green address", there's nothing about a particular BTC address that would indicate anything about it belonging to instawallet.
IMHO, the greatest risk to your BTC at instawallet is your own memory or lack of care in keeping track of your wallet URL.
I've read that phrase "SQL injection." What is it? I access instawallet using Tor if that makes any difference.
I bookmark all my instawallet pages.
-
An SQL injection is an attack against a web server (usually) whereby the attacker is able to circumvent any sort of input-sanitizing code (or maybe there is no input-sanitizing code) and get some arbitrary queries to run against the database. For example, suppose a website has a form on it that asks for a username and then passes that data directly to a database query without doing any kind of input checking.
$username = read_from_form;
run_query("SELECT foo FROM users WHERE username = $username ");
...
The would-be attacker might enter something like:
'baz' OR 1=1; DROP table users;
And the script might actually delete the users table - because it didn't properly handle the user input and it sees two valid SQL queries and tries to execute them both. Or, instead of dropping the user table, you might try to select all the data from the user table, or see what other tables are available and pull all the data out of them. There are plenty of easy ways to protect against this sort of attack - I think it's unlikely that the instawallet site is vulnerable to something so simple.
Accessing instawallet via Tor has no bearing at all on whether or not it's vulnerable to an SQL injection - if such a hole existed, this would be a vulnerability on the instawallet server; it wouldn't have anything to do with you or any other end user.
-
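Added example, not part of the original thread and not instawallet's code: the pseudocode from the post above next to a parameterized query, run against the same form input. It uses Python's sqlite3 with a constructed in-memory users table; the function names are hypothetical, and executescript() is an assumption standing in for a database driver that accepts stacked statements.

```python
import sqlite3

FORM_INPUT = "'baz' OR 1=1; DROP table users;"  # input string from the post

def make_db():
    # Constructed sample data; table and column names follow the pseudocode.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, foo TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "foo-a"), ("baz", "foo-b")])
    return conn

def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None

def lookup_vulnerable(conn, username):
    # Same flaw as the pseudocode: form input is pasted into the SQL text,
    # so the database parses it as SQL and sees two statements.
    conn.executescript("SELECT foo FROM users WHERE username = " + username)

def lookup_safe(conn, username):
    # Bound parameter: the input is passed as a value and never parsed as SQL.
    cur = conn.execute("SELECT foo FROM users WHERE username = ?", (username,))
    return [row[0] for row in cur.fetchall()]

def demo():
    results = {}
    conn = make_db()
    lookup_vulnerable(conn, FORM_INPUT)
    results["vulnerable_table_survives"] = table_exists(conn, "users")

    conn = make_db()
    results["safe_rows_for_form_input"] = lookup_safe(conn, FORM_INPUT)
    results["safe_table_survives"] = table_exists(conn, "users")
    results["safe_rows_for_baz"] = lookup_safe(conn, "baz")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the bound parameter, the whole input string is compared against the username column as one literal value, so it matches no row and the table is untouched.
-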
I use instawallet (www.instawallet.org) to launder bitcoins.
1. Don't store your coins in an instawallet-wallet for too long.
2. Don't store all of your coins in the same wallet.
-
I have wondered the same thing about instawallet. Since you don't need a password, only a URL, wouldn't it be very possible for a Tor exit node to see what URL you used and steal your bitcoins?
-
I have wondered the same thing about instawallet. Since you don't need a password, only a URL, wouldn't it be very possible for a Tor exit node to see what URL you used and steal your bitcoins?
SSL encrypts URLs.
-
Sweet, so long as I split my bitcoins among sufficiently many instawallets for short durations then I should be secure.