Denial of Service Vulnerability Fix

in #steem5 years ago

Vulnerability Fix.png

Hello Steemians, for the last couple of weeks we have been working on a fix to a Denial of Service vulnerability at the same time we are wrapping up our work on MIRA.

The Vulnerability

The vulnerability involved the pending transaction queue. We've been working on, and testing, various solutions since we were informed of the vulnerability by @netuoso about 2 weeks ago. Due to the nature of the attack, we could not publicly disclose our work on this issue and we even limited knowledge of the vulnerability within the organization to minimize risk.

Witnesses & Exchanges

Earlier today we upgraded our nodes and proposed our fix to the Witnesses all of whom have since upgraded. This fix has been tested on a private testnet on which we were able to demonstrate that it successfully mitigates the underlying issue. All nodes including exchanges should be upgraded as soon as possible with this patch. We will be available for technical support for those exchanges that require it.

This vulnerability was brought to our attention by the Steem community developer, @netuoso. This highlights how important Steem’s amazing developer community is to the protocol. Their continued inspection of the chain, and effective communication of their findings, is a critical component of maintaining a safe and secure network. Thanks again to @netuoso for discovering this vulnerability and helping us develop a patch that resolves the vulnerability.

The Steemit Team

Sort:  

Amazing demonstration of how a decentralized system is better than a centralized one. FaceBook outages are becoming a monthly affair.

Posted using Partiko iOS

@steemitblog,
Thank you for sharing this update and personally I was not aware about this problem till I read this post!

@netuoso,
Thank you for highlighting such important issues and really appreciate it!

Cheers~

Hi @steemitblog, thanks for sharing. Are you from the Steemit team? Your profile doesn’t say all that much about you. Looks like you follow just 5 people… @roboza @cgame @thecryptofiend @alkafir and @rmach. Those people must be your core team members? Good to know! Anywho, it might be a good idea to update your profile info so that people know more about who you are and what kind of blog you have. Let’s start with something simple. A profile pic!

If you’d like to add a profile pic, click settings and upload a photo… Wait… the “settings” tab can’t do that. First… you actually need to click the “wallet” tab. OK… then you’ll arrive at steemitwallet.com, it’s another website. Don’t worry though… it will all make sense soon. So you’ve arrived at steemitwallet.com to change your profile picture. OK… you’ll notice that you’re not logged in anymore. You need to log into your account a second time using one of those four passwords. Wait… actually, a login window will pop up and suggest that you use the posting key, but that’s actually not right… it’s the active key that does stuff for the wallet. Right? Not sure. From there, click the wallet settings button to upload an image for your profile. So simple! Now click update at the bottom. Great! It’ll take some time to show up but it does show up eventually. Now you want to back to your profile. To return to your profile page, click the tiny “blog” tab hiding in the corner. OK, now we are back in action! Congratulations @steemitblog, you now have a profile picture.

Thanks! Lol this actually helped me with what I was looking for

Yeah, but you’re probably still logged into your wallet since it hasn’t been auto-signing out when you close your browser.

It’s possible that this has been fixed though. Maybe.

Humrph, so many steps.

Hello, I'm not part of the team. Just a regular Steemian.

¯\_(ツ)_/¯

I'm a Backup witness, but I have not heard of this solution. Where can I get a mention?

Check #witness in steem.chat

Is there another place that you are monitoring for witness related matters?

I'm already involved in it, but I don't think the content was first disclosed there.
I checked the update through the alarm, but Top witnesses were already updated. Do they have a separate channel?

Oh, you’re not part of the special club? Well that’s weird. I thought we were supposed to have decentralization and transparency and stuff. Why would there be secret clubs of selected witnesses by the chain’s “lead dev team” and single largest stakeholder?

Inquiring minds would like to know. Amirite?

:)

Easy (and honest) answer:

Often with security releases it’s important for the top 20 witnesses to be patched prior to the fix being made public in order to ensure uninterrupted service and safety. Even if it were not us (Steemit Inc) proposing a fix, these witnesses should (and do) have an open channel of communication amongst themselves in order to coordinate rolling out these types of patches.

Oh, so it’s just a chat for top-20 witnesses that’s controlled by those witnesses?

The public channel you mentioned means "https://steem.chat/channel/witness", but I think there are other special channels. Because some of the witnesses had already been updated to version 20.10 before the updates were released and mentioned on the channel.

As you mentioned, you need a public channel for quick sharing. Is there a condition for accessing channels for special members?

For high risk scenarios like this a private channel for the top 20 witnesses, plus those witnesses close to the top 20, is required for security reasons. Such a channel exists and the only requirement for entry is one's position in the witness rankings. If a witness is in the top 20 they are in that slack. If there is a chance they may enter the top 20 (e.g. if they are close) they should be in that slack and if they are not, they should contact me at [email protected].

It's a long way to top, but thank you for the information. I'll contact you if it gets closer.

I don't belong unfortunately............

Every witness has an opportunity, with Steem's vote-enabled democracy, to rise the ranks to become number one. I would say secondary witnesses are just as important as primary witnesses, in my experience at least. They often build dapps, on-board users, and bring code into the FOSS ecosystem. I appreciate all witnesses and humans in general that contribute their valuable time and effort to push forward blockchain technology.

sounds like there is a low level of trust within the organization... hopefully that improves..

Great job @neutoso and to the Steemit team for fixing it!

What exactly does Ned and the rest of steemit,inc do all day? Is steemit.inc and steemit just a hobby for you guys? What does the new steemit director do? Why does everything move at a snail's pace? Serious question.

This I feel ones more underlines the need for a bounty system for vulnerabilities. Kudus for @netuoso for identifying this bug while forgoing on what currently seems the only, rather meagre insentive of posting about the bug with appropriate @utopian-io tags.

Hey, @steemitblog.

Thanks for the update. I appreciate the idea of keeping the potential vulnerability of a denial of service attack secret except for a select few, and that now that you have the patch employed, you've let us know about it. I am trying to follow these updates as frequently as they come out, and hope that others will too. So keep them coming. :)

I believe it was on the last blog talking about the splitting of condenser and the wallet that someone else and myself brought up some quirks in the steemitwallet. It does not stay logged in, even though the box to do is checked. In order to claim rewards, the page needs to be refreshed (which is the same), but then requires a new login every time. Is this going to be the case going forward, or is there a fix forthcoming? Or is it perhaps something I'm doing or not doing on my end. Since I've never had trouble before the separation being able to login once and stay that way for periods of time, I'm still wondering what's up.

Thanks for any attention anyone can give in this matter. :)

I believe this will be fixed, but it is much easier to discuss and address UX issues like this if a PR is submitted and shared. Then I can say whether the PR will be approved or not. Also it may well be the case that a PR has already been submitted, in which case we can skip the discussion and move straight to the meat, "Will this get merged." The goal is to fix all UX issues so that it is a seamless experience, so any poor UX should be resolved.

Hey, @andrarchy

I think I'm looking at the PR list on steemit/steem's github now. I don't see anything. The most recent thing has to do with the Steem Proposal System (worker proposals via blocktrades), and some median feed update from 29 days ago.

Can anyone submit a pull request? I wouldn't know where to begin. I'm sure there's more technical terms for "stay logged in check box when checked doesn't stay logged in." :) I'm willing to learn, though, I'd just need to be pointed in the direction of some tutorials or something.

Are you using your active key to sign in to steemitwallet.com? The active key is not cached because that would put them at risk re: hacking. If you are using your posting key to sign into steemitwallet, this should not be happening. Also if you sign in with your master password this should not be happening because that is used to derive your posting key which would then be cached.

So if you're using your active key then this is the desired behavior, but if not, let me know as that would be a bug.

hey, @andrarchy.

I guess I was using the Active key, which is odd, since I thought I'd changed it to the posting key. However, I just did make the change, and it seems to be doing what I would like it to do, so thanks for the IT help. :)

Coin Marketplace

STEEM 0.29
TRX 0.12
JST 0.036
BTC 65930.92
ETH 3387.67
USDT 1.00
SBD 4.75