[Steemmonsters] Your monsters card will be hacked.

in #dclick6 years ago (edited)

hello, I'm @ayogom.
I'm sorry. I've used an exciting title. No one has ever been hacked yet, but I think it's very likely.

Do you know how Steemmonsters are operated?

The Steemmonsters use "custom json" to conduct all activities such as battles and card transactions.
The permissions of "custom json" can be controlled by the posting key. That's why the Steemmonsters can only login with a posting key.

Why is the use of "custom json" dangerous?

Many sites using steemconnect require "custom json".
I used 10 steemconnect as below.


tripsteem - Custom Json (O)
tasteem - Custom Json (O)
steempeak - Custom Json (O)
steemhunt - Custom Json (O)
steemgazua - Custom Json (X)
steemplus - Custom Json (O)
PeakMonsters - Custom Json (O)
Artisteem - Custom Json (O)
dclick - Custom Json (O)
busy - Custom Json (O)

Nine of the sites that I delegated authority have asked me for "Custom Json"

The steemconnect is safe. But accidents can happen.
Do you happen to remember the hacking incident in Utopia?
Utopian.io Hack - May 3rd - May 4th 2018. No Wallets Or Keys Compromised.

In this case, we were only affected by the right to vote.
However, if you are a Steemmonsters user, it does not affect voting only. You can steal your card using "Custom Json".

Unlike Steem's wallet, the SteemMonster's card wallet is managed using "Custom Json", so even if you manage your posting keys well, you can lose with the token loss of the steemconnect. This is just a possibility, but I think I can never ignore it.

Solution

I recommend creating a new account for only Steemmonsters. And do not connect the steemconnect.
If you only use the posting key, you only need to manage your posting key.
However, if you connect the steemconnect, you should consider hacking your site as well as your own mistakes. It means that there are many ways to be stolen.
Every decision is my own. And responsible for my actions. Then look forward to your luck.

How to Disconnect the steemconnect.

  1. https://steemconnect.com/apps/authorized
  2. click to Revoke

I love steemmonsters and steemconnect 👍😎.


Sponsored ( Powered by dclick )
심해생물 보틀캡 (The Deep Sea Odyssey)

The Deep Sea Odyssey 심해생물 안녕하세요. 키위파이입니다. 오늘은 간만에 보틀...

logo

이 글은 스팀 기반 광고 플랫폼
dclick 에 의해 작성 되었습니다.

Sort:  

Question: So, once all OAuth Tokens are revoked, that removes the json hack threat?

If using a separate account for steemmonster, connect via the keychain instead of steemconnect would be recommended?

It's an honor to have your questions. You led me to Steemit.

I think that the problem caused by the hacking of the Dapp using steemconnect is solved because the delegated authority is discarded. (Like utopia).
I'm not sure about keychain yet (I have not check the code yet) and the keychain has just been released. I don't think any security risks have yet been proven. therefore I think the safest way is to log in with the posting key.

Please refer to the conclusion of the post below.
Hate putting private keys into websites? Introducing Steem Keychain!

You recommended that we use a separate Steemit account to hold the Steemmonsters cards but not login via steemconnect.

If I have removed all OAuth from SteemConnect, no need to use separate account?

Thx

blockchainstudio님이 ayogom님을 멘션하셨습니당. 아래 링크를 누르시면 연결되용~ ^^
blockchainstudio님의 곰돌이 스파임대 회수를 부탁드립니다.

...mdory 곰돌이에 많은 스파를 감사히 임대해주신 bramd, mooring, armdown, glory7, ayogom jayplayco, eversloth, kibumh, pediatrics, englishstudy, slow...

Good advice, keeping the cards on a special accounts that doesn't use SteemConnect is probably for the best. Later, we can even delegate to our main accounts without compromising the cards.

I would use KeyChain but I refuse to use Google Chrome. Brave Browser for the win.

That's right. I think it's a good idea to have a warehouse account that holds cards.

Yeah steempeak and peakmonsters use keychain ... and soon steempeak and other apps.

Also there could be a solution to require active key to transfer some more valuable cards. Maybe for gold foils. Just a random idea.

But yes if you have a hugely valuable deck you may want to be very very very careful who you give json access to when connecting in steemconnect.

When SMT is released, I think maybe there is a separate activation key.

bobinson님이 ayogom님을 멘션하셨습니당. 아래 링크를 누르시면 연결되용~ ^^
bobinson님의 Community TESTNET update 19th October 2018

...e (yuriks2000, bobinson, yehey, reggaemuffin, gtg, holger80, ayogom quochuy & many more). We are loosely connected via a discord...

Keychain just launched; which is another option. Good idea about removing steemconnect authorisation from steemmonsters once keychain is up and running.

I agree with you, but I still think we should watch the key chain.
(Because I'm a little conservative ...)

I love that while you managed to raise awareness of a security flaw, you've also provided some solution.

Constructive post at its best

Posted using Partiko Android

Thank you, we always have to care about security. There are a lot of hacking accidents especially in the Cryptocurrency.

제 블로그에 종종 방문 해 주셔서 https://steemauto.com 통해 얼마 안되지만 일일 자동 풀보팅 설정합니다. (처음 해보는 거라 잘 되는지 확인 해 볼께요) 제가 방문을 못 드려도 보팅은 잊지 않을께요. 좋은 하루 보내세요~~

아이고 ㅠ 감사합니다. 저도 자주 찾아 봽겠습니다 ㅠ

You are completely right. Have to consider making new account for play :S

That's right!!

Recently I have been hearing a lot of your stories to my friends.
You have a faster trading ability than anyone :) and very friendly guy!

@ayogomさん、分かりやすく説明してくれてありがとうございます。(^^)

助けになってよかったです。 実は私英語が難しいため、"理解しないとどうしよう"と悩みもしました (笑)

Coin Marketplace

STEEM 0.17
TRX 0.16
JST 0.028
BTC 74877.97
ETH 2797.38
USDT 1.00
SBD 2.54