Quote:
Originally Posted by TomCollins
Even in that case, Coinbase controls the Bitcoins. And you just hope they don't screw you.
I know I am probably one of the more security-paranoid people on here; I've been using TrueCrypt to encrypt important files since before any Bitcoin considerations and I keep a fairly tight ship, but man, I do NOT understand why anyone trusts the online wallets. They get hacked or stolen by employees at a CRAZY rate. If anyone is familiar with MPEX, they actually use "The only Bitcoin service that has never been hacked" as their tagline; it's the first thing on their site!
Just in the last day or two, Bitcoin-Central and Instawallet have gone down to security breaches (I believe they're owned by the same people). I haven't looked into it for more than 15 minutes, but from what I gather, the problem with Instawallet was probably one of the more insane things I have ever heard:
Instawallet's authentication setup was such that apparently everyone had a unique URL, and all they had to do to use their account was to go to that URL. No username, no password. This is INSANE, it is completely bananas, it would be chapter 1 in a book called "How not to run a secure web app". It would be chapter 1 in "Examples of things that if you even THINK about doing them in a web app dealing with finance, you are literally mentally ******ed".
I honestly want to write like 4 paragraphs about HOW INSANE this is. I've programmed and deployed web apps for over 10 years and even literally the very first script I wrote, in the dark ages, I knew not to do this.
So what happened was, Google Chrome watches what URLs you enter and sends them to Google, who indexes them. So a ton of people used Chrome to access their Instawallets, and other people could literally search "site:instawallet.org" on Google and it would show a list of links; you would click one and instantly have control of someone's wallet. BANANAS.
Some idiots got mad at Google, which is nuts. Even if Google didn't exist, there are so many other ways that so many people can see what URLs are being requested across the web. So crazy.
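As an added illustration of the point above (example code, not Instawallet's code and not from the original post), the block below models the two schemes side by side: scheme A, where a random URL path is the only credential, and scheme B, where the path carries only a public id and the secret travels in the Authorization header, which servers, proxies and Referer headers do not record. The wallet stores, handler names and the sample log line are all constructed for the demonstration; it shows that a single retained log line is enough to pass the scheme A check but useless against scheme B.

```python
import base64
import hashlib
import hmac
import secrets
# Constructed in-memory stores for the two schemes (hypothetical, not Instawallet's code).
URL_WALLETS: set[str] = set()                     # scheme A: the URL is the credential
PW_WALLETS: dict[str, tuple[bytes, bytes]] = {}   # scheme B: wallet id -> (salt, pw hash)

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_url_wallet() -> str:
    """Scheme A, the flaw in the post: a random path is the only thing guarding the wallet."""
    URL_WALLETS.add(token := secrets.token_urlsafe(16))
    return f"/w/{token}"

def auth_by_url(path: str):
    """Scheme A check: whoever presents the path (user, proxy, log reader, search index) is in."""
    token = path.removeprefix("/w/")
    return token if token in URL_WALLETS else None

def create_pw_wallet(password: str) -> str:
    """Scheme B: the URL carries only a public id; the secret travels in the Authorization header."""
    wallet_id = secrets.token_urlsafe(8)
    salt = secrets.token_bytes(16)
    PW_WALLETS[wallet_id] = (salt, _pw_hash(password, salt))
    return f"/w/{wallet_id}"

def basic_auth_header(wallet_id: str, password: str) -> dict[str, str]:
    return {"Authorization": "Basic " + base64.b64encode(f"{wallet_id}:{password}".encode()).decode()}

def auth_by_credentials(path: str, headers: dict[str, str]):
    """Scheme B check: the path alone proves nothing; the password is compared in constant time."""
    wallet_id = path.removeprefix("/w/")
    record, auth = PW_WALLETS.get(wallet_id), headers.get("Authorization", "")
    if record is None or not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    ok = user == wallet_id and hmac.compare_digest(_pw_hash(password, record[0]), record[1])
    return wallet_id if ok else None

def access_log_line(path: str) -> str:
    """Constructed Apache-style line: logs, proxies and Referer headers keep the URL, never the Authorization header."""
    return f'203.0.113.7 - - [05/Apr/2013:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512'

def path_from_log(line: str) -> str:
    return line.split('"')[1].split(" ")[1]  # what any reader of the log (or an index) recovers
```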