Automated votes abuse on SteemConnect?

in steemconnect •  last month

Today at 13:00 UTC, what looked like a massive automated voting run occurred on Steem. The SteemConnect API received a large number of requests to upvote and downvote the following posts without user approval:

We can see from the SteemConnect logs that a malicious actor used Utopian's privileges to broadcast votes on behalf of users. If you have delegated posting authority to @utopian.app, you may want to check your posting/voting history to see whether your account has been affected. If it has, we recommend that you undo those votes.

To check your history, go to https://steemd.com/@fabien (replace @fabien with your username).
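The check above can also be done offline against an exported account history. The script below is an added example, not code from busy.org or SteemConnect: it scans history records for votes cast in a chosen window and builds the weight-0 vote operations that cancel them (on Steem, re-voting with weight 0 removes the vote). The record layout mirrors what steemd's get_account_history returns (an index paired with a dict holding a timestamp and an op as [name, body]); treat that layout, and the incident window used, as assumptions. The history entries are constructed sample data.

```python
"""Find votes cast in an incident window and build the operations to undo them.

Added example, not busy.org/SteemConnect code. Assumptions: account-history
records look like [index, {"timestamp": ..., "op": [name, body]}] as steemd
returns them, timestamps are UTC without a zone suffix, and a vote with
weight 0 cancels an earlier vote. SAMPLE_HISTORY is constructed data."""
from datetime import datetime, timezone

# Constructed sample: one vote before the window, two inside it, one non-vote op.
SAMPLE_HISTORY = [
    [41, {"timestamp": "2018-05-03T12:58:30", "op": ["vote", {
        "voter": "alice", "author": "bob", "permlink": "morning-post", "weight": 10000}]}],
    [42, {"timestamp": "2018-05-03T13:00:12", "op": ["vote", {
        "voter": "alice", "author": "mallory", "permlink": "spam-1", "weight": 10000}]}],
    [43, {"timestamp": "2018-05-03T13:00:15", "op": ["vote", {
        "voter": "alice", "author": "carol", "permlink": "good-post", "weight": -10000}]}],
    [44, {"timestamp": "2018-05-03T13:01:00", "op": ["comment", {
        "author": "alice", "permlink": "re-something", "body": "unrelated"}]}],
]


def parse_ts(ts):
    """steemd timestamps carry no zone; they are UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def votes_in_window(history, start_iso, end_iso, voter):
    """Return the bodies of vote ops cast by `voter` with start <= t < end.

    Window bounds are ISO strings in the same format as the history."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    hits = []
    for _idx, entry in history:
        op_name, body = entry["op"]
        if op_name != "vote" or body.get("voter") != voter:
            continue
        if start <= parse_ts(entry["timestamp"]) < end:
            hits.append(body)
    return hits


def undo_ops(votes):
    """Build weight-0 vote operations that cancel the given votes.

    These are the operations you would sign and broadcast yourself with your
    posting key; the app that cast the originals must not be used for this."""
    return [["vote", {"voter": v["voter"], "author": v["author"],
                      "permlink": v["permlink"], "weight": 0}] for v in votes]


if __name__ == "__main__":
    # Assumed window: the first five minutes after the reported 13:00 UTC start.
    suspect = votes_in_window(SAMPLE_HISTORY, "2018-05-03T13:00:00",
                              "2018-05-03T13:05:00", "alice")
    for op in undo_ops(suspect):
        print(op)
```

Review the matched votes by hand before broadcasting the undo operations: a vote you cast yourself inside the window will be matched too, and a downvote the attacker cast shows up with a negative weight just like a legitimate one.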

We’ve disabled the @utopian.app app and revoked all of its access tokens on SteemConnect while this issue is being resolved. The Utopian team helped us identify the abuse early, and the SteemConnect server logs clearly show that the requests did not come from Utopian's server IPs but from an external actor.

What happened?

Utopian asks for “offline access” when using SteemConnect. This gives the Utopian app the ability to obtain a new access token for its users at any time using what is called a “refresh token”, a standard part of OAuth 2. It appears that someone gained access to Utopian’s database, where these refresh tokens were stored. The refresh tokens were then used to generate new access tokens and broadcast votes for the affected accounts. If your account was affected, you had most likely granted offline access to Utopian.
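To make the refresh-token flow concrete, here is a small OAuth 2-style token service, written as an added illustration and not SteemConnect's code. It shows what a refresh token dumped from an app's database buys an attacker (a fresh access token, limited to the granted scope and lifetime) and the three controls that bound the damage: storing only hashes of tokens at rest, rotating refresh tokens so a replay of a stolen one is detected, and an app-level kill switch that revokes every token issued to one app, which is what disabling @utopian.app did. The class and method names, the 7-day lifetime and the "vote"/"comment" scope names are assumptions for this example.

```python
"""Minimal OAuth 2-style token service: hashed storage, refresh-token
rotation with replay detection, scoped/expiring access tokens, app kill switch.

Added illustration, not SteemConnect's implementation. ACCESS_TTL (7 days),
the scope names and the class/method names are assumptions for this example."""
import hashlib
import secrets
import time

ACCESS_TTL = 7 * 24 * 3600  # assumed 7-day access token lifetime


def _h(token):
    """Store only a SHA-256 of each token: a database dump then yields nothing usable."""
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    def __init__(self):
        self.apps = {}      # app_id -> {"enabled": bool}
        self.refresh = {}   # sha256(refresh token) -> grant record
        self.access = {}    # sha256(access token) -> grant record

    def register_app(self, app_id):
        self.apps[app_id] = {"enabled": True}

    def _app_enabled(self, app_id):
        return self.apps.get(app_id, {}).get("enabled", False)

    def _mint_access(self, app_id, user, scopes, now):
        token = secrets.token_urlsafe(32)
        self.access[_h(token)] = {"app": app_id, "user": user,
                                  "scopes": set(scopes), "exp": now + ACCESS_TTL}
        return token

    def authorize(self, app_id, user, scopes, offline=False, now=None):
        """User grants `app_id` the scopes; offline access also yields a refresh token."""
        now = time.time() if now is None else now
        access = self._mint_access(app_id, user, scopes, now)
        refresh = None
        if offline:
            refresh = secrets.token_urlsafe(32)
            self.refresh[_h(refresh)] = {"app": app_id, "user": user,
                                         "scopes": set(scopes), "used": False}
        return access, refresh

    def refresh_access(self, app_id, refresh_token, now=None):
        """Exchange a refresh token for (access, new_refresh); None on failure.

        The presented refresh token is retired. Presenting a retired token again
        means two parties hold it (theft), so the whole grant is revoked."""
        now = time.time() if now is None else now
        rec = self.refresh.get(_h(refresh_token))
        if rec is None or rec["app"] != app_id or not self._app_enabled(app_id):
            return None
        if rec["used"]:
            self.revoke_user_app(rec["user"], app_id)
            return None
        rec["used"] = True
        new_refresh = secrets.token_urlsafe(32)
        self.refresh[_h(new_refresh)] = {**rec, "used": False}
        return self._mint_access(app_id, rec["user"], rec["scopes"], now), new_refresh

    def broadcast(self, access_token, op, now=None):
        """True if the access token is live, its app enabled, and `op` in scope."""
        now = time.time() if now is None else now
        rec = self.access.get(_h(access_token))
        if rec is None or now >= rec["exp"] or not self._app_enabled(rec["app"]):
            return False
        return op in rec["scopes"]

    def disable_app(self, app_id):
        """The operator response described in the post: disable the app and
        drop every refresh and access token ever issued to it."""
        self.apps[app_id] = {"enabled": False}
        self.refresh = {k: v for k, v in self.refresh.items() if v["app"] != app_id}
        self.access = {k: v for k, v in self.access.items() if v["app"] != app_id}

    def revoke_user_app(self, user, app_id):
        """A single user revoking one app (or the replay detector doing it for them)."""
        keep = lambda v: not (v["app"] == app_id and v["user"] == user)
        self.refresh = {k: v for k, v in self.refresh.items() if keep(v)}
        self.access = {k: v for k, v in self.access.items() if keep(v)}


def incident():
    """Replay of the incident: attacker holds a refresh token dumped from the app DB."""
    svc = TokenService()
    svc.register_app("utopian.app")
    _a, leaked = svc.authorize("utopian.app", "alice", ["vote", "comment"], offline=True, now=1000)
    stolen = svc.refresh_access("utopian.app", leaked, now=1000)     # attacker mints a token
    can_vote = stolen is not None and svc.broadcast(stolen[0], "vote", now=1000)
    can_transfer = stolen is not None and svc.broadcast(stolen[0], "transfer", now=1000)
    legit = svc.refresh_access("utopian.app", leaked, now=1001)      # real app replays: theft detected
    after_replay = stolen is not None and svc.broadcast(stolen[0], "vote", now=1001)
    return {"attacker_can_vote": can_vote, "attacker_can_transfer": can_transfer,
            "app_refresh_after_theft": legit is not None, "attacker_after_replay": after_replay}


if __name__ == "__main__":
    print(incident())
```

The "attacker_can_vote" result is the incident itself: nothing in OAuth 2 stops a party holding a valid refresh token from acting within its scope. Scope keeps a "vote"-only grant from moving funds, expiry bounds the window, and rotation turns the legitimate app's next refresh into the alarm; none of them helps if the app's token store leaks and nobody rotates.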

Has SteemConnect been hacked?

No. A malicious party sent requests to the SteemConnect API using Utopian’s refresh tokens, but did not have direct access to the SteemConnect server.

My account upvoted some posts without my approval; are my keys safe?

Neither SteemConnect nor Utopian has access to any of your keys. The SteemConnect API uses posting authority delegation to broadcast posting operations for you: the operations are signed with the @steemconnect account's key, not with your own keys. You are not giving SteemConnect your keys, only permission to use your account.

We are still investigating this issue and will post another update when we have more information.

Edit: You can read Utopian related post here: https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised

·

Thank you master @elear👍👍

·

Nice usage of utopian.tip ...

·
·

Was just a way to get it to the top @jefpatat. Do you really think I am interested in a few SBDs?

·
·
·

Second highest comment is heimin's 1.26.

·
·
·

Did I say that?

Neither SteemConnect nor Utopian have access to any of your keys.

But they have access to the account to which you delegated your full posting authority (via the ability to create 'tokens' that can upvote/post for you), so it's exactly the same as them having your posting key. Hence what happened today.

·

It's safer for an app to handle tokens than to handle your private key. Tokens expire after 7 days or when the user revokes them, and they grant only a scoped permission to do some operations. A token may allow only 'vote', for example.

·
·

Apps (server side) don't need to handle keys or tokens at all. Everything can be done client side like it's done on dtube and steemit. It works really well this way. Nobody ever gets your key, you don't need to delegate any authority to anyone.

You actually introduce security holes that didn't exist before SteemConnect, so calling it more secure is a total joke.

Only good point for SteemConnect is that it makes it easy for noob developers to start creating something on steem, without having to code a proper key storage and verification system for their apps.

·
·
·

There are 2 different ways. Both have advantages and downsides.

Everything can be done client side like it's done on dtube and steemit

Not everything, for example you cannot do scheduled posts on the client side.

You also need to know how to do proper key storage with auth; some apps have failed at this and we cannot expect every app to know how to do it properly.

You need to have your code reviewed (be open source) or be trusted in the community; not everyone is dtube or steemit.

Nobody ever gets your key, you don't need to delegate any authority to anyone.

The app may get it: if the server is hacked like Utopian's was, the hacker could log users' keys and in the end force users to update their keys. With SteemConnect we don't store keys; the hacker may get an access_token, which expires after 7 days or can be manually revoked, but users' keys are not exposed.

·
·
·
·

Thank you for information @fabien

·
·
·

First you say the client side does not need key handling, then you say they should code proper key storage ...
Isn't that contradictory?

·
·
·
·

I didn't say we shouldn't handle keys client-side, that's the opposite of what I think. I said that apps don't need their users' keys to do their server-side stuff. All transactions should happen client-side, in the browser, on the actual user's PC. So yes, UIs need a proper way to store keys and verify them on the blockchain. That's what DTube and SteemIt do. That's hard, so that's why so many app developers use SteemConnect: it abstracts all that away.

·
·
·
·
·

It really depends on a purpose of the app. For an interface like Steemit or DTube there is no need to store keys on the server side nor access tokens. But there are certain types of apps that need that, and as far as I know, it is way more secure to store OAuth2 tokens than private keys.

·
·
·

May you always succeed in helping others

·
·

I'm glad you guys clarify what really happened and why SteemConnect is still to be trusted. I'm not seeing that from Utopian. They seem to focus more on damage control and blaming the hacker. In the end it was their security which proved insufficient. I don't want to play blame games, but when security is involved straightforward honesty is what works best. It's a pity SteemConnect has been blamed incorrectly.

·
·
·

I believe I may be the cause for believing we claim SC2 was to blame. While we did encounter an issue with not being able to revoke the tokens, we shouldn't have leaked them in the first place. Steem Connect was not, in any way, to blame for this leak.

This was my stance alone and did not represent Utopian-io as a company. I apologize for causing misinformation.

·
·
·
·

No, not at all. I was already getting information from other sources. You see, this is just what happens when people go into panic mode. The incomplete news spread too fast and became FUD. Crisis communication is an art in itself; we can't expect that to come from a bunch of enthusiasts. It's a pity this communication has to be made. If everything went perfectly it wouldn't have been necessary.

I repeat: "I don't want to play blame games" ;-)

·
·
·

@jefpatat SteemConnect was never blamed. Totally the opposite. You have evidence in Discord and in this post https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised.

·
·
·
·

@elear Maybe I worded my comment incorrectly. Please note I explicitly mentioned 'I don't want to play blame games'. You know I value you and Utopian. I was there to help at the very start, remember? Before the official announcement came there was a lot of FUD going around, both on Discord and in steem blog posts. It was not clear if the issue was with one of the apps that use SteemConnect or if the issue was with SteemConnect itself. All over the place it was advised to revoke all tokens, not only for Utopian. So, I didn't mean to say SteemConnect was directly blamed by you guys, but it got a lot of negative publicity. That's most probably the very reason for this post. In the meantime your post has been updated to refer to this post.

SteemConnect is something very important to the ecosystem and there was no (big) issue with it. At the time of writing I missed some emphasis on this. But then again, you are correct you shouldn't emphasize on negative publicity for SteemConnect if you didn't initiate it yourself.

·
·
·
·
·

I would never harm SteemConnect or Busy even by mistake. They have been a great help for us. There was uncertainty and people made guesses. I made sure the post removed any chance for users to guess the problem was SC.

·
·
·

May you always succeed in helping others

The save button on the https://v2.steemconnect.com/apps/@steemhost.app/edit
page does not work. Is there a tech support for steemconnect?

Thank you master @busy.org

This awareness spreading post is really appreciable because it will help to the Steemians to stay vigilant and to keep more analytical vision towards the process because everyone's contribution is really important to keep the platform user friendly. Keep doing the great work. 🙂

·

May you always succeed in helping others

We should maintain the clean atmosphere of this community

Nice information Regarding hack

@busy.org we are not satisfied with your explanation... what aren't you telling us... some of us are in panic and want to feel at least some relief...

·

What isn't clear enough about what they said above?
Isn't it crystal clear?
Panic about what exactly? Wallets are safe!

Esteemed, thanks for the heads up.

Good information for us

Thank you for information. I resteemed this post.

·

May you always succeed in helping others

·
·

Thank you.

·
·
·

Same repetitive comment of fsl

·
·
·
·

I am writing various comments.

·
·
·
·
·

Not you but @fsl

·
·
·
·
·
·

I see.

Thank you master, I just use busy.org. I just believe busy.

When coins got hacked they lose millions $
But on Steem you lose votes. ;)



Thank you master @busy.org

Thank you for contributing to the platform and thanks for encouraging those of us who are minnows to go ahead on the platform. Thanks again, and I wish the platform will get better and better.

Oh, it's so sad that the attackers are able to do this. I am amazed at their great mental abilities. If such strong minds are put on the right track, who knows how far progress would have stepped. It is a pity that the scammers spend their potential for criminal and dishonest fraud.

·

That's what scammers are and it's what they do. I pity the victims more.

why you don't upvote my blog until last month....??

·

Please Stop - @jackjami

You just said "vote my" and in your your last 100 comments you used 36 phrases considered to be spam and you made this exact same comment 1 times. You've received 0 flags and you may see more on comments like these. These comments are the reason why your Steem Sincerity API classification scores are Spam: 55.40% and Bot: 2.60%

Please stop making comments like this and read the ways to avoid @pleasestop and earn the support of the community.

·
·

thanks for your good information..

this is so great. you got the great point here

Thank you so much for this update, I understand now what happened.

I love your post, I like your work, thanks for the update.

Oh, what about those who keep following then unfollowing even if we mute the person they just keep appearing in our notifications which is annoying tbh.

perfect, I am happy with successful people like you thank for the help ... good will always be replied with goodness !!!

Thank you for your information @busy.org

Hi, I have been using busy.org to post articles but I never receive an upvote from the busy.org bot. My total follower vest is 141335117. Can you please tell me what I am doing wrong?

May you always succeed in helping others