Post
Topic
Board Service Announcements
Re: Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred
by
caffeinewriter
on 05/11/2013, 07:29:52 UTC
A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed); passwords are securely stored one way in the database.

Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch).

There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack.

By the way, just wondering, what are API keys? Are they some special feature which allows access to our account, and how do I disable such a feature if it is ON?

Just some quick info:

An API (Application Programming Interface) is a key that allows use of features of an application without having to provide a username/password combo, and performing a login. Typically, it's paired with some sort of JSON or XML response, for responses, and for retrieving information. Here's an example. (Disclaimer: Not real info. I'm not sure of the structure of the Inputs.io API.)

A user with an API key runs a faucet. He uses the Inputs.io API to send his payments automatically, instead of having to do it manually, or having to hack up a solution to emulate a real user. For old time's sake, let's call him Bob.

Bob's application requests the following page to send some Bitcoins.

Code:
https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=100&recipient=13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D

This would authenticate to the API with his API key, and send 100 satoshis to the address 13373CuvtwQGgDWYv28pm3mTxy2bGS5U4D (I'm using my own for this example), or perhaps an Inputs.io user instead, where recipient could be replaced with "caffeinewriter" instead, or something similar.

Now let's say Mallory has somehow acquired Bob's API key. She now can use the Inputs.io API to manipulate Bob's account without ever logging in.

First, she could figure out his balance using the API, assuming there is a method for that.

Code:
https://inputs.io/api/v1/getBalance?apikey=ThisIsHisAPIKey&user=bitcoinbob

This could return a JSON object, for example.

Code:
{
    "user": "bitcoinbob",
    "balance": 214150000
}

Now Mallory can make another API request to withdraw Bob's entire balance of BTC2.14150000.

Code:
https://inputs.io/api/v1/sendBitcoin?apikey=ThisIsHisAPIKey&amount=214150000&recipient=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

API keys are dangerous. Be safe guys. Hope this helped illustrate how this happened at least a little bit.
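As an added example (not code from this post or from Inputs.io), here is a Python sketch of the Bob/Mallory scenario above with the controls that bound the damage from a leaked key: the server stores only a hash of the key, each key carries scopes, and a "send" key has a per-request limit sized for faucet payouts. The service class, the getBalance/sendBitcoin method names, the scope names and the balances are all assumed or constructed for the illustration.

```python
import hashlib
import secrets

# Constructed stand-in for a wallet API; not Inputs.io code. The method names
# (getBalance / sendBitcoin) are only assumed from the post above.
class WalletService:
    def __init__(self):
        self.balances = {}  # user -> satoshis
        self.keys = {}      # sha256(key) -> (user, scopes, send_limit); raw keys never stored

    def issue_key(self, user, scopes, send_limit=0):
        key = secrets.token_urlsafe(32)  # shown to the user once; only its hash is kept
        self.keys[hashlib.sha256(key.encode()).hexdigest()] = (user, frozenset(scopes), send_limit)
        return key

    def _authorize(self, apikey, scope):
        rec = self.keys.get(hashlib.sha256(apikey.encode()).hexdigest())
        if rec is None or scope not in rec[1]:
            raise PermissionError(f"key not valid for scope {scope!r}")
        return rec

    def get_balance(self, apikey):
        user, _, _ = self._authorize(apikey, "balance")
        return {"user": user, "balance": self.balances.get(user, 0)}

    def send_bitcoin(self, apikey, amount, recipient):
        user, _, limit = self._authorize(apikey, "send")
        if amount > limit:
            raise PermissionError("amount exceeds this key's per-request limit")
        if amount > self.balances.get(user, 0):
            raise ValueError("insufficient funds")
        self.balances[user] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return {"sent": amount, "to": recipient}

def demo():
    # Bob's faucet key doing its job, then the same key in Mallory's hands (constructed values).
    svc = WalletService()
    svc.balances["bitcoinbob"] = 214150000
    key = svc.issue_key("bitcoinbob", {"balance", "send"}, send_limit=100000)
    result = {"faucet_payout": svc.send_bitcoin(key, 100, "faucet-user")["sent"]}
    result["leaked_key_sees_balance"] = svc.get_balance(key)["balance"]  # read is still exposed
    try:
        svc.send_bitcoin(key, svc.balances["bitcoinbob"], "mallory")  # whole-balance withdrawal
        result["drain"] = "allowed"
    except PermissionError:
        result["drain"] = "blocked"
    result["bob_balance_after"] = svc.balances["bitcoinbob"]
    return result
```

The scope and limit do not stop a leaked key from reading the balance or making many small sends, so key rotation and per-key logging still matter; they only keep a single request from emptying the account.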