Author Topic: STEEM hack discussion  (Read 11272 times)

0 Members and 1 Guest are viewing this topic.

chryspano

  • Guest
You can find it on Github. The actual compromised users seem to be 150 not 260.

Can you please post the list of the compromised accounts here since not everyone can read github?
thanks


I don't know if this list includes the recent ones
just scroll down a bit...
https://github.com/steemit/steem/commit/98e2ac39e70c4c3d95674b964fe2d3d5dcbaedf6#diff-ba3ead933873eada66a3e95c99516c7fR269


Offline mf-tzo

  • Hero Member
  • *****
  • Posts: 1725
    • View Profile
You can find it on Github. The actual compromised users seem to be 150 not 260.

Can you please post the list of the compromised accounts here since not everyone can read github?
thanks

Offline karnal

  • Hero Member
  • *****
  • Posts: 1068
    • View Profile
Also, does someone know the EXACT nature of the attack?

Preferably with code to study?

I was out a day, could not find anything anywhere .. very likely I missed it.

Offline karnal

  • Hero Member
  • *****
  • Posts: 1068
    • View Profile
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. eg. you don't have 2FA in facebook.

on facebook i do not hold money! 2FA could work if you setup every account as a multi account end the second one is just for 2FA confirmation on your smartphone.
And who is going to do this confirmation?

Sent from my SM-P900 using Tapatalk

what i mean is, if you create an account you are creating 2 accounts at the same time on 2 machines. Like your desktop computer and on the smartphone an account just for 2FA without any other information, just for confirmation an transaction. You are creating 50/50 accounts and you are the sole owner of both accounts.

a simpler way would be google 2FA but it was said it would be not possible because of the decentraliced network. This point i do not get, because on the webwallet the wallet is already hosted on a website so it should be not a problem.

Without more information, this seems like security theatre - if both accounts will be accessed through a browser, both vulnerable to the same style of attack ..

Offline BunkerChainLabs-DataSecurityNode

Hardfork coming in tomorrow that introduces a new 'account recovery' feature:

https://github.com/steemit/steem/releases/tag/v0.11.0

Details written by bytemaster about it here: https://github.com/steemit/steem/issues/169
+-+-+-+-+-+-+-+-+-+-+
www.Peerplays.com | Decentralized Gaming Built with Graphene - Now with BookiePro and Sweeps!
+-+-+-+-+-+-+-+-+-+-+

Offline milkme

  • Newbie
  • *
  • Posts: 2
    • View Profile
You can find it on Github. The actual compromised users seem to be 150 not 260.

Can you give me link

Offline nmywn

  • Sr. Member
  • ****
  • Posts: 266
    • View Profile
The openledger web wallet is less vulnerable, because BitShares doesn't have to display lots of user generated content.

The principal risk remains, however. If someone manages to sneak some JavaScript code into the site, then your keys will be compromised.

Hm, now that I think about it - the memo is user generated... @svk please confirm that the memo field is properly escaped.
Also trollbox and UIA's descriptions

Offline okidoki

  • Full Member
  • ***
  • Posts: 64
    • View Profile
You can find it on Github. The actual compromised users seem to be 150 not 260.

Offline milkme

  • Newbie
  • *
  • Posts: 2
    • View Profile
My account is not on the list of hacked accounts but it is and is blocked. I didn't received answer from the team, even not automatic reply.

Where did u found list of hacked accounts?

Offline yvv

  • Hero Member
  • *****
  • Posts: 1186
    • View Profile
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. eg. you don't have 2FA in facebook.

on facebook i do not hold money! 2FA could work if you setup every account as a multi account end the second one is just for 2FA confirmation on your smartphone.
And who is going to do this confirmation?

Sent from my SM-P900 using Tapatalk

what i mean is, if you create an account you are creating 2 accounts at the same time on 2 machines. Like your desktop computer and on the smartphone an account just for 2FA without any other information, just for confirmation an transaction. You are creating 50/50 accounts and you are the sole owner of both accounts.

a simpler way would be google 2FA but it was said it would be not possible because of the decentraliced network. This point i do not get, because on the webwallet the wallet is already hosted on a website so it should be not a problem.

OL does not host any wallets. Nothing stops you to set up multisig account right now.

Offline dritz3r

  • Full Member
  • ***
  • Posts: 67
    • View Profile
My account is not on the list of hacked accounts but it is and is blocked. I didn't received answer from the team, even not automatic reply.

Offline Shentist

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 1601
    • View Profile
    • metaexchange
  • BitShares: shentist
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. eg. you don't have 2FA in facebook.

on facebook i do not hold money! 2FA could work if you setup every account as a multi account end the second one is just for 2FA confirmation on your smartphone.
And who is going to do this confirmation?

Sent from my SM-P900 using Tapatalk

what i mean is, if you create an account you are creating 2 accounts at the same time on 2 machines. Like your desktop computer and on the smartphone an account just for 2FA without any other information, just for confirmation an transaction. You are creating 50/50 accounts and you are the sole owner of both accounts.

a simpler way would be google 2FA but it was said it would be not possible because of the decentraliced network. This point i do not get, because on the webwallet the wallet is already hosted on a website so it should be not a problem.

Offline pc

  • Hero Member
  • *****
  • Posts: 1530
    • View Profile
    • Bitcoin - Perspektive oder Risiko?
  • BitShares: cyrano
would be good to get some information about our web wallets. Sop @svk how is the situation is bitshares save?

The openledger web wallet is less vulnerable, because BitShares doesn't have to display lots of user generated content.

The principal risk remains, however. If someone manages to sneak some JavaScript code into the site, then your keys will be compromised.

Hm, now that I think about it - the memo is user generated... @svk please confirm that the memo field is properly escaped.
Bitcoin - Perspektive oder Risiko? ISBN 978-3-8442-6568-2 http://bitcoin.quisquis.de

Offline yvv

  • Hero Member
  • *****
  • Posts: 1186
    • View Profile
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. eg. you don't have 2FA in facebook.

on facebook i do not hold money! 2FA could work if you setup every account as a multi account end the second one is just for 2FA confirmation on your smartphone.
And who is going to do this confirmation?

Sent from my SM-P900 using Tapatalk


Offline Shentist

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 1601
    • View Profile
    • metaexchange
  • BitShares: shentist
Their centralized wallet got hacked after all this advertisement of advantages of decentralized blockchain. LMAO!

Yea I'm pretty shocked about that. I wouldn't have thought something like this was even possible.

Of course I never got around to changing my keys over the past couple days. Easy come easy go?  :-\

Also makes me wonder if our openledger wallets are exposed to the same risk...?

And wtf wasn't 2FA authentication set up by now? That would have probably saved a lot of headache.   ???

2FA is not so simple in blockchain.. it also creates a barrier to onboarding.. eg. you don't have 2FA in facebook.

on facebook i do not hold money! 2FA could work if you setup every account as a multi account end the second one is just for 2FA confirmation on your smartphone.