Author Topic: STEEM hack discussion  (Read 11480 times)


Offline xeroc

  • Board Moderator
  • Hero Member
  • Posts: 12922
  • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
Pretty sure this is just due to the fluctuations in the 7 day average value of STEEM. When price is down a bit, you'll see the rewards slowly decrease, also.
Exactly .. If the market cap of Steem goes down, it simply can't afford to pay a high payout .. If market cap goes up .. it can ..
This mechanism helps to make an insolvency unlikely ... otherwise you would pay out SteemDollars that you couldn't back by actual value ..

Offline nomoreheroes7

  • Hero Member
  • Posts: 756
  • King of all the land
  • BitShares: nomoreheroes7
Why is it that when I refresh a post that has the same votes, the value of the rewards keeps increasing? Assume there's a post that has $1000 in rewards and 100 upvotes. Then I refresh, it still has the same 100 upvotes but then the rewards are $1001, then I do the same and it's $1002. Is it normal?

Pretty sure this is just due to the fluctuations in the 7 day average value of STEEM. When price is down a bit, you'll see the rewards slowly decrease, also.

Offline Akado

  • Hero Member
  • Posts: 2752
  • BitShares: akado
Why is it that when I refresh a post that has the same votes, the value of the rewards keeps increasing? Assume there's a post that has $1000 in rewards and 100 upvotes. Then I refresh, it still has the same 100 upvotes but then the rewards are $1001, then I do the same and it's $1002. Is it normal?
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline Frodo

  • Sr. Member
  • Posts: 351
  • BitShares: frodo
Everything worked out for me. Huge thanks to the Steemit support team. Great way to handle a situation like this.

Offline BobDownlove

  • Newbie
  • Posts: 3
Yes, I tried this first thing this morning and the last step of recovery failed. I am in contact now and we're working on it. I surely don't envy these support guys, imagine their workload this week.

Offline Frodo

  • Sr. Member
  • Posts: 351
  • BitShares: frodo
Yeah, that only works if your recovery agent isn't steem, which in my case it is. Good link though, I got real excited when I first saw it...

I'm in the same boat right now, but I'm optimistic that steem support will eventually get to us. They probably have A LOT of requests to handle currently.

EDIT: There is also a new update: https://steemit.com/steemit/@steemit3/third-update-to-july-14th-security-announcement-account-recovery-begins
« Last Edit: July 20, 2016, 08:51:29 am by Frodo »

Offline BobDownlove

  • Newbie
  • Posts: 3
Yeah, that only works if your recovery agent isn't steem, which in my case it is. Good link though, I got real excited when I first saw it...



Offline BobDownlove

  • Newbie
  • Posts: 3
So where do we go if our account was compromised and we've had our funds taken and been locked out? Loving the whole "enjoy the darkness" method of support this has...


Offline pc

  • Hero Member
  • Posts: 1530
  • BitShares: cyrano
Great, thanks!
Bitcoin - Perspektive oder Risiko? ISBN 978-3-8442-6568-2 http://bitcoin.quisquis.de

Offline svk

Would be good to get some information about our web wallets. So @svk, how is the situation, is BitShares safe?

The openledger web wallet is less vulnerable, because BitShares doesn't have to display lots of user generated content.

The principal risk remains, however. If someone manages to sneak some JavaScript code into the site, then your keys will be compromised.

Hm, now that I think about it - the memo is user generated... @svk please confirm that the memo field is properly escaped.

There's no escaping being done, but it's just rendered as a simple string of text, not interpreted as HTML in any way. That's why I don't parse links either in memos or in the trollbox, so if you're gonna click a malicious link at least you have to copy-paste it yourself.
Worker: dev.bitsharesblocks
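The point svk makes above, that a memo rendered as a plain text node is inert while the same string concatenated into HTML is not, as an added JavaScript example that is not from this thread and not from the BitShares or OpenLedger wallet code. The wrapper markup, helper names, the audit list of tags and the sample memo are all constructed for the illustration; it runs under Node without a browser.

```javascript
// Added example: the difference between rendering a memo as HTML and
// rendering it as escaped text. Helper names, wrapper markup and the sample
// memo are constructed for this illustration; none of it is wallet code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node or
// attribute value. This is the same guarantee the DOM gives you when a string
// is assigned to textContent instead of innerHTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern: user-supplied memo concatenated straight into markup.
function renderMemoUnsafe(memo) {
  return `<div class="memo">${memo}</div>`;
}

// The hardened pattern: same markup, but the memo can only ever be text.
function renderMemoSafe(memo) {
  return `<div class="memo">${escapeHtml(memo)}</div>`;
}

// A small audit: list every real tag in the produced HTML that a reviewer
// would flag, i.e. elements that can run script or load resources, and any
// on*= event-handler attribute. It only inspects actual tags, so escaped text
// such as "&lt;img ...&gt;" is correctly ignored.
const TAG_RE = /<\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ACTIVE_TAGS = new Set(['script', 'img', 'iframe', 'svg', 'object', 'embed', 'link', 'style', 'form']);

function findActiveMarkup(html) {
  const findings = [];
  for (const match of html.matchAll(TAG_RE)) {
    const tag = match[1].toLowerCase();
    const attrs = match[2];
    if (ACTIVE_TAGS.has(tag)) findings.push(`<${tag}>`);
    const handler = attrs.match(/\bon[a-z]+\s*=/i);
    if (handler) findings.push(handler[0].replace(/\s+/g, ''));
  }
  return findings;
}

// Constructed sample memo: the kind of string a sender could attach to a
// transfer, containing markup the recipient's wallet must never interpret.
const SAMPLE_MEMO = 'Thanks for the trade! <img src=x onerror="payload()"> & see <b>you</b>';

// Run both renderers over a memo and report what the audit finds in each.
function auditMemo(memo) {
  return {
    unsafeFindings: findActiveMarkup(renderMemoUnsafe(memo)),
    safeFindings: findActiveMarkup(renderMemoSafe(memo)),
  };
}

const report = auditMemo(SAMPLE_MEMO);
console.log('unsafe rendering:', renderMemoUnsafe(SAMPLE_MEMO));
console.log('  active markup found:', report.unsafeFindings); // [ '<img>', 'onerror=' ]
console.log('safe rendering:  ', renderMemoSafe(SAMPLE_MEMO));
console.log('  active markup found:', report.safeFindings);   // []
```

The audit is deliberately narrow: it is a review aid for spotting where user text reached a template as markup, not a sanitizer. The fix is the `escapeHtml` (or `textContent`) path, which turns the whole memo into inert text regardless of what it contains.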

Offline BunkerChainLabs-DataSecurityNode

Here's my take on the hack, and possible solutions for the future:

https://steemit.com/steem/@karnal/hackmoar-hindering-attackers-coming-and-kidnapping-my-outrageously-armored-resources

So, is it possible that our bitshares private keys are shipped away by an XSS program?

It's not likely because the OL hosted wallet is not designed for user input the same way Steemit is. Though I would imagine after seeing this @svk is checking to make sure the same thing can't happen.
+-+-+-+-+-+-+-+-+-+-+
www.Peerplays.com | Decentralized Gaming Built with Graphene - Now with BookiePro and Sweeps!
+-+-+-+-+-+-+-+-+-+-+

Offline yvv

  • Hero Member
  • Posts: 1186
Here's my take on the hack, and possible solutions for the future:

https://steemit.com/steem/@karnal/hackmoar-hindering-attackers-coming-and-kidnapping-my-outrageously-armored-resources

So, is it possible that our bitshares private keys are shipped away by an XSS program?

Offline abit

  • Committee member
  • Hero Member
  • Posts: 4664
  • BitShares: abit
  • GitHub: abitmore
Also, does someone know the EXACT nature of the attack?

Preferably with code to study?

I was out a day, could not find anything anywhere .. very likely I missed it.
Please check the posting history of the account "goodgame" on Steem.

You can find it on Github. The actual compromised users seem to be 150 not 260.
Lately the team decided to not include some "small" accounts into the list.

My account is not on the list of hacked accounts but it is, and it is blocked. I didn't receive an answer from the team, not even an automatic reply.
You can contact @fav
BitShares committee member: abit
BitShares witness: in.abit

Offline karnal

  • Hero Member
  • Posts: 1068
Here's my take on the hack, and possible solutions for the future:

https://steemit.com/steem/@karnal/hackmoar-hindering-attackers-coming-and-kidnapping-my-outrageously-armored-resources

chryspano

  • Guest
You can find it on Github. The actual compromised users seem to be 150 not 260.

Can you please post the list of the compromised accounts here since not everyone can read github?
thanks


I don't know if this list includes the recent ones
just scroll down a bit...
https://github.com/steemit/steem/commit/98e2ac39e70c4c3d95674b964fe2d3d5dcbaedf6#diff-ba3ead933873eada66a3e95c99516c7fR269


Offline mf-tzo

  • Hero Member
  • Posts: 1725
You can find it on Github. The actual compromised users seem to be 150 not 260.

Can you please post the list of the compromised accounts here since not everyone can read github?
thanks

Offline karnal

  • Hero Member
  • Posts: 1068
Also, does someone know the EXACT nature of the attack?

Preferably with code to study?

I was out a day, could not find anything anywhere .. very likely I missed it.

Offline karnal

  • Hero Member
  • Posts: 1068
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. e.g. you don't have 2FA in facebook.

On facebook I do not hold money! 2FA could work if you set up every account as a multi account and the second one is just for 2FA confirmation on your smartphone.
And who is going to do this confirmation?

What I mean is, if you create an account you are creating 2 accounts at the same time on 2 machines. Like your desktop computer and on the smartphone an account just for 2FA without any other information, just for confirming a transaction. You are creating 50/50 accounts and you are the sole owner of both accounts.

A simpler way would be Google 2FA, but it was said it would not be possible because of the decentralized network. This point I do not get, because on the web wallet the wallet is already hosted on a website, so it should not be a problem.

Without more information, this seems like security theatre - if both accounts will be accessed through a browser, both vulnerable to the same style of attack ..

Offline BunkerChainLabs-DataSecurityNode

Hardfork coming in tomorrow that introduces a new 'account recovery' feature:

https://github.com/steemit/steem/releases/tag/v0.11.0

Details written by bytemaster about it here: https://github.com/steemit/steem/issues/169

Offline milkme

  • Newbie
  • Posts: 2
You can find it on Github. The actual compromised users seem to be 150 not 260.

Can you give me a link?

Offline nmywn

  • Sr. Member
  • Posts: 266
The openledger web wallet is less vulnerable, because BitShares doesn't have to display lots of user generated content.

The principal risk remains, however. If someone manages to sneak some JavaScript code into the site, then your keys will be compromised.

Hm, now that I think about it - the memo is user generated... @svk please confirm that the memo field is properly escaped.
Also trollbox and UIA's descriptions

Offline okidoki

  • Full Member
  • Posts: 64
You can find it on Github. The actual compromised users seem to be 150 not 260.

Offline milkme

  • Newbie
  • Posts: 2
My account is not on the list of hacked accounts but it is, and it is blocked. I didn't receive an answer from the team, not even an automatic reply.

Where did you find the list of hacked accounts?

Offline yvv

  • Hero Member
  • Posts: 1186
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. e.g. you don't have 2FA in facebook.

On facebook I do not hold money! 2FA could work if you set up every account as a multi account and the second one is just for 2FA confirmation on your smartphone.
And who is going to do this confirmation?

What I mean is, if you create an account you are creating 2 accounts at the same time on 2 machines. Like your desktop computer and on the smartphone an account just for 2FA without any other information, just for confirming a transaction. You are creating 50/50 accounts and you are the sole owner of both accounts.

A simpler way would be Google 2FA, but it was said it would not be possible because of the decentralized network. This point I do not get, because on the web wallet the wallet is already hosted on a website, so it should not be a problem.

OL does not host any wallets. Nothing stops you from setting up a multisig account right now.
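Shentist's "two accounts, 50/50" idea and yvv's reply that a multisig account can be set up today, as an added JavaScript example that is not from this thread and not from the BitShares code base. It models a Graphene-style authority only as a weight threshold over keys and over other accounts (the `weight_threshold`, `key_auths` and `account_auths` fields); the account names and key labels are constructed, and real signature verification is replaced by the set of public keys assumed to have signed.

```javascript
// Added example: evaluating a weighted-threshold authority of the kind used
// by Graphene chains (BitShares/Steem). Constructed model: only
// weight_threshold, key_auths and account_auths are represented, and
// signatures are modelled as the set of public keys that signed. Not chain code.

// Guard against authorities that reference each other in a loop.
const MAX_AUTHORITY_DEPTH = 2;

// Sum the weight contributed by the signing keys listed directly in the
// authority, plus the weight of every referenced account whose own active
// authority is satisfied by the same set of signatures.
function satisfiedWeight(authority, signingKeys, accounts, depth = 0) {
  if (depth > MAX_AUTHORITY_DEPTH) return 0;
  const signed = new Set(signingKeys);
  let weight = 0;
  for (const [pubkey, w] of authority.key_auths) {
    if (signed.has(pubkey)) weight += w;
  }
  for (const [accountName, w] of authority.account_auths) {
    const account = accounts[accountName];
    if (account && authoritySatisfied(account.active, signingKeys, accounts, depth + 1)) {
      weight += w;
    }
  }
  return weight;
}

function authoritySatisfied(authority, signingKeys, accounts, depth = 0) {
  return satisfiedWeight(authority, signingKeys, accounts, depth) >= authority.weight_threshold;
}

// Constructed accounts. "alice" is the spending account; its active authority
// needs weight 2: one from the key kept in the desktop wallet and one from the
// separate account "alice-phone", whose only key lives on the phone.
const ACCOUNTS = {
  'alice-phone': {
    active: { weight_threshold: 1, key_auths: [['PHONE_KEY', 1]], account_auths: [] },
  },
  alice: {
    active: { weight_threshold: 2, key_auths: [['DESKTOP_KEY', 1]], account_auths: [['alice-phone', 1]] },
  },
  // The simpler variant: one account with both keys listed directly, 2-of-2.
  bob: {
    active: { weight_threshold: 2, key_auths: [['BOB_DESKTOP_KEY', 1], ['BOB_PHONE_KEY', 1]], account_auths: [] },
  },
};

// Would a transfer from `accountName` be authorised given these signatures?
function canSpend(accountName, signingKeys) {
  return authoritySatisfied(ACCOUNTS[accountName].active, signingKeys, ACCOUNTS);
}

// Script injected into the desktop browser can at most obtain DESKTOP_KEY,
// which is short of the threshold on its own ...
console.log('alice, desktop key only:', canSpend('alice', ['DESKTOP_KEY']));              // false
// ... whereas a legitimate spend is co-signed from the phone.
console.log('alice, desktop + phone: ', canSpend('alice', ['DESKTOP_KEY', 'PHONE_KEY'])); // true
console.log('bob, phone key only:    ', canSpend('bob', ['BOB_PHONE_KEY']));              // false
```

This is what answers "who is going to do this confirmation?": nobody has to, because validating nodes reject any transaction whose signatures do not reach the threshold. The protection only holds, as pc notes further down the thread, if the second key never lives on the machine that could be compromised; two keys both held in the same browser session are a single factor.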

Offline dritz3r

  • Full Member
  • Posts: 67
My account is not on the list of hacked accounts but it is, and it is blocked. I didn't receive an answer from the team, not even an automatic reply.

Offline Shentist

  • Board Moderator
  • Hero Member
  • Posts: 1601
  • BitShares: shentist
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. e.g. you don't have 2FA in facebook.

On facebook I do not hold money! 2FA could work if you set up every account as a multi account and the second one is just for 2FA confirmation on your smartphone.
And who is going to do this confirmation?

What I mean is, if you create an account you are creating 2 accounts at the same time on 2 machines. Like your desktop computer and on the smartphone an account just for 2FA without any other information, just for confirming a transaction. You are creating 50/50 accounts and you are the sole owner of both accounts.

A simpler way would be Google 2FA, but it was said it would not be possible because of the decentralized network. This point I do not get, because on the web wallet the wallet is already hosted on a website, so it should not be a problem.

Offline pc

  • Hero Member
  • Posts: 1530
  • BitShares: cyrano
Would be good to get some information about our web wallets. So @svk, how is the situation, is BitShares safe?

The openledger web wallet is less vulnerable, because BitShares doesn't have to display lots of user generated content.

The principal risk remains, however. If someone manages to sneak some JavaScript code into the site, then your keys will be compromised.

Hm, now that I think about it - the memo is user generated... @svk please confirm that the memo field is properly escaped.

Offline yvv

  • Hero Member
  • Posts: 1186
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. e.g. you don't have 2FA in facebook.

On facebook I do not hold money! 2FA could work if you set up every account as a multi account and the second one is just for 2FA confirmation on your smartphone.
And who is going to do this confirmation?


Offline Shentist

  • Board Moderator
  • Hero Member
  • Posts: 1601
  • BitShares: shentist
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. e.g. you don't have 2FA in facebook.

On facebook I do not hold money! 2FA could work if you set up every account as a multi account and the second one is just for 2FA confirmation on your smartphone.

Offline BunkerChainLabs-DataSecurityNode

Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

I've used it because I like the concept but I've also wondered about this. Why is that? Because they're still not using IPFS?

IPFS wouldn't have prevented the attack as it was an XSS attack. IPFS is just a storage medium. It was a coding vulnerability in posting that allowed for this to happen.

This is unique to steem so OL is not exposed the same way.

Offline BunkerChainLabs-DataSecurityNode

Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. e.g. you don't have 2FA in facebook.

Offline Shentist

  • Board Moderator
  • Hero Member
  • Posts: 1601
  • BitShares: shentist
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

I've used it because I like the concept but I've also wondered about this. Why is that? Because they're still not using IPFS?

Would be good to get some information about our web wallets. So @svk, how is the situation, is BitShares safe?

Offline Akado

  • Hero Member
  • Posts: 2752
  • BitShares: akado
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

I've used it because I like the concept but I've also wondered about this. Why is that? Because they're still not using IPFS?

Offline nomoreheroes7

  • Hero Member
  • Posts: 756
  • King of all the land
  • BitShares: nomoreheroes7
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???
« Last Edit: July 16, 2016, 04:06:57 pm by nomoreheroes7 »

Offline yvv

  • Hero Member
  • Posts: 1186
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!


Offline nomoreheroes7

  • Hero Member
  • Posts: 756
  • King of all the land
  • BitShares: nomoreheroes7
So it looks like the STEEM hack might be worse than thought. The site has been read-only all morning and has been completely down for the last hour. Last I read regarding the hack was from @ash about 8 hours ago saying that the attacker is continuing to milk accounts.

Since Steemit is obviously down right now, I figured I'd bring the discussion over here. Anyone have a clue what the hell's going on?