Button generating code altering addresses

2

I was playing with the website:

http://embedbitcoin.com/

to generate a payment button for my website. It asks for your bitcoin address, but when you click "Send Bitcoin" from the generated button, the address it outputs for the user is different than the one originally input.

That seems fishy, and I don't currently have any BTC to test that it is what it says it is.

If each address is unique, it is my understanding that it can't be linked to a single account, and therefore no other addresses could be generated from it, and this seems like a scam to send money to someone else's account.

Is this understanding correct? Is this a scam?

Brian Dean

Posted 2015-04-12T19:44:48.443

Reputation: 21

Answers

1

Looks like a scam, yeah. It looks like they are asking for one normal bitcoin address, so any address they generate will NOT be yours.

However, it would be possible to do such a thing if they asked for the xpub seed of your HD wallet. Even then, though, it wouldn't make sense to trust a service like that.

Stay away!

Jannes

Posted 2015-04-12T19:44:48.443

Reputation: 6 046
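The xpub case mentioned in the answer above, as an added example that is not part of the original answer: with an extended public key (public key plus chain code), BIP32 non-hardened derivation lets a third party compute fresh child public keys whose private keys only the wallet owner can derive, which a single plain address does not allow. The helper names and the parent key material are constructed for illustration; the final address encoding (HASH160 plus Base58Check) and BIP32's rejection of out-of-range HMAC outputs are left out.

```python
import hashlib, hmac

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    if a is None or b is None:  # None is the point at infinity
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    acc = None  # double-and-add; not constant time, demonstration only
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ser(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")  # compressed pubkey

def tweak(pub, chain, i):
    """Non-hardened BIP32 step: HMAC-SHA512(chain code, pubkey || index)."""
    if i >= 2**31:
        raise ValueError("hardened children need the private key")
    digest = hmac.new(chain, ser(pub) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]

def ckd_pub(pub, chain, i):
    """Child public key from xpub data only (what a button service could compute)."""
    il, child_chain = tweak(pub, chain, i)
    return ec_add(ec_mul(il, G), pub), child_chain

def ckd_priv(priv, chain, i):
    """Matching child private key (only the wallet owner can compute this)."""
    il, child_chain = tweak(ec_mul(priv, G), chain, i)
    return (il + priv) % N, child_chain

PARENT_PRIV = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
PARENT_CHAIN = hashlib.sha256(b"constructed demo chain code").digest()  # constructed sample
```

A service given only `ec_mul(PARENT_PRIV, G)` and `PARENT_CHAIN` can call `ckd_pub` for index 0, 1, 2, ... to show a new receiving key per payment, but it never learns a value that lets it spend from them.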

0

It looks like this just re-uses Blockchain.info's donation creation system, and tacks on a piece of JavaScript that doesn't do anything.

You could just use that instead. Blockchain.info is a pretty reputable company.

https://blockchain.info/create_donation_button?address=1933phfhK3ZgFQNLGSDXvqCn32k2buXY8a

(Remember to change the address I put in.)

Nick ODell

Posted 2015-04-12T19:44:48.443

Reputation: 27 521

Thanks, I tried this button and input my address where it stated, but then, same thing as the other site: when I click the button, it outputs a different address, and each time I reload the page and click again, different address. So that hints that the original website I mentioned is not a scam in fact, but I still don't know how it's generating new addresses from one I input. Both of them do this, so, strange. Or at least I'm not understanding. – Brian Dean – 2015-04-12T23:12:56.860

In fact the button on the page you linked demonstrates this: the "data-address" in the code is: 1933phfhK3ZgFQNLGSDXvqCn32k2buXY8a. But clicking on the example button up top outputs any number of codes different than this code. I thought one needed a private key in order to generate other addresses? How are these other, generated addresses linked up to the actual address? – Brian Dean – 2015-04-12T23:22:23.217

@BrianDean These addresses aren't generated from your address. Rather, Blockchain creates the address with their own key, and forwards the payments to you. This has the problem that Blockchain could stop doing this at any time. The site you posted, embedbitcoin, has all of these problems, plus the fact that embedbitcoin could also steal from you. – Nick ODell – 2015-04-13T03:00:38.240

Interesting. Do you know how long it takes them to forward payments, and/or if they extract an additional fee? I tried sending myself a sample payment with their donation button, which now has 10 confirmations, but nothing has been forwarded to the address I gave. I couldn't find any further information about this feature on the blockchain.info website. – Nate Eldredge – 2015-04-13T04:18:30.940

@NateEldredge It's supposed to be within a couple seconds. TXID? – Nick ODell – 2015-04-13T05:34:45.807

ID is f4bd03bd3d6f3def2ab5be1add62bbc6b0a4b06ce695f9bd4d77a1b9eae7226d. Maybe the amount was too small (BTC 0.0005)? – Nate Eldredge – 2015-04-13T05:46:45.057

Huh, after 9 hours that transaction was spent - to the very same 1933phfh address you used. Maybe I mixed up my browser tabs and was looking at your button instead of mine - but I'm fairly sure I didn't. Otherwise, what gives? Still nothing received by my intended destination address. – Nate Eldredge – 2015-04-13T15:40:08.633