You are viewing a single comment's thread from:

RE: Presenting to all my Steemian friends another project of mine: Emanate!

in #emanate7 years ago

For lack of a better place to say this, @prc, https://dsound.audio is making logged-in users follow @dsound WITHOUT their permission.

This happened to me a few minutes ago, and I only noticed because I've known about this issue from here:

https://steemit.com/dlive/@demotruk/wtf-dlive

Where @dlive displayed the same behaviour and apologized later in the comments. I knew this could happen and was already on the look-out.

This is the transaction that https://dsound.audio did WITHOUT my permission.

https://steemblockexplorer.com/tx/32c4368d45a499ff3fefa22986c263356807aa4a

This is not cool.

If you're using third-party tools to build dsound you should check what they actually do.

Cheers.

PT: Não é por mal, e peço desde já desculpa por provavelmente não estar a ir pelos canais correctos. Fui ao https://github.com/dsound e está vazio, e não uso telegram, o que complica um bocado a comunicação. Acho o dsound excelente (apesar de alguns soluços na performance) e só desejo que a plataforma evolua. Se puder ajudar com alguma coisa, apesar de web-dev não ser o meu forte, é só dizer. Abraço.

Sort:  

I agree - not very cool indeed. And it did happen to me with @dlive, but their post was received with welcome from me. Dsound should do the same

Hey Paula, thanks for chiming in on this subject. I've been waiting for the week days to get a response from @prc, he might not be available, I suppose.

By the way, do you know perhaps where can I get some info on this external tool @dlive and possibly @dsound might be using that does this automatically?

I've done a short google search and can't find anything. But I'll keep at it, still.

It's just that this is kind of dangerous actually, from an #infosec point of view. There's been a wave of attacks on external libraries and modules that are not part of the internal code base of various websites. Much like the recent TextHelp attack discovered by Scott Helme(Twitter Link), a reputable security researcher.

Here's the article on TextHelp if you haven't heard of it:

https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/

In this specific case a crypto miner was running in the TextHelp JS library, leading to all the users visiting the thousands of web-sites using the library, mining an estimated $5000 worth of cryptos. This could have been way worse than just mining cryptos, btw.

In our case here at the steem-sphere, an attack like this could be used to hijack or steal some valuable accounts. So, whatever tool/library/module devs of these projects are using, I'd like to have a look at it, and others certainly more capable than me to do so as well.

So, if you have some info on this to point me in the right direction, I'd greatly appreciate it.

Cheers.

Coin Marketplace

STEEM 0.25
TRX 0.20
JST 0.036
BTC 94901.35
ETH 3495.37
USDT 1.00
SBD 3.47