I Found $63,278 of Private Keys on Steemit.com in 10 Minutes!

in #steemit7 years ago (edited)

block private key transmission for steem.png

Will exchanges like Bittrex and Poloniex help warn users against sending a private key in a memo because Steem users are accidentally sharing the posting, active, and even master passwords out in the open almost every day with transfers from exchanges with no ability to undo the mistake outside of changing the master password? We have been talking about this a lot already and I hope my post contributes alongside of those listed below! I took the time to share this today because when I originally read the posts below, I thought it was not that easy for the average user to find and exploit. I wrong! It turns out finding these keys and then using them is incredibly easy and in the comments readers are reporting Steem being stolen within minutes of leaking a key out in memos!

  1. @gtg writes memos, keys and passwords, Balrogs and Fields of Despair. Be safe. Almost $100k wasn't at https://steemit.com/steem/@gtg/memos-keys-and-passwords-balrogs-and-fields-of-despair-be-safe-almost-usd100k-wasn-t
  2. @noisy writes we just hacked 11 accounts on Steemit! ~$21 749 in STEEM and SBD is under our control. But we are good guys 😇 So... at https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so
  3. @lukmarcus writes https://steemit.com/security/@lukmarcus/important-security-information-regarding-private-memo-public-keys-and-transfers-with-statistics

The Problem


Users mostly on exchanges are sharing the Steem private posting key, private active key, and master password in memos and I would imagine sometimes in posts or comments also. These keys are being shared almost every day by a different user and often frequently by the same users.

In 10 minutes, I found $63,278 worth of Steem private keys out in the open! What is remarkable is how easy these were for me to find without even planning to look once I saw the first private key and recognized what it was! Unlike the sophistication in previous posts showing how tools were used to search the entire blockchain, I was able to find all of these keys without leaving steemit.com as soon as I noticed the first one. In fact, I probably missed 80% of the private keys using my very basic find procedure.

If a hacker chose to actively check the Steem blockchain for this loophole, it might be possible to steal of hundreds if not thousands of dollars of Steem and SBD every day along with initiating power downs, making posts, creating comments, and using voting power. If a hacker was to have a sense of humor in the process of cleaning the accounts out, the private keys could be used to set auto upvoters which would quickly provide a whale size upvote when combined with the keys being shared every day plus the ones that have already been shared. The hacker could even make posts on all of the accounts and troll comments or employ a bot network to use all the accounts together.

The Solution


To help the users I found fix the breach, I contacted all of the users I found private keys for yesterday and asked each to change the master password to reset the keys and secure the accounts. While I have a spreadsheet with the names of the users and the amount of Steem at risk, I am not sharing them here because within 24 hours, I am happy to see $53,271 of the Steem at risk through leaked keys has been secured through changing the master password. We can see when a master password was last changed on any account by viewing each account on https://steemd.com/ and checking the owner update for that user. While many keys are only for posting, these also might be the most difficult to detect problems with if a hacker set an auto upvoter might cause more problems than losing a bit of Steem because of comments or posts.

We can each immediately assist in helping our friends and fellow users by noticing what our private keys look like and immediately informing another user when we see a private key slip out in the open. Learn the private key format at https://steemit.com/@jerrybanfield/permissions by switching out my username.

Any private key slip can be fixed by changing our password at https://steemit.com/@jerrybanfield/password using our own username because switching the password updates the private keys also and makes the old ones invalid. WARNING: MAKE SURE to copy the new password out into wherever it will be stored and then paste it back in to the retype password field from there because failing to copy the password right might result in access to the account being lost! The new password totally replaces the old one. The pucker factor was 100% last time I changed my owner key ... minimizing password use and changes is ideal!

Prevention


I am talking about this and risking making it worse before it gets better both for the sake of educating users how to avoid this and to ask Poloniex and Bittrex and any other exchanges for the ability to warn or block transmission of private keys in memos. Fortunately Steemit.com already has this functionality built in!

In the meantime, learning the basics of account security as seen at https://steemit.com/steemit-guides/@jerrybanfield/the-steemit-account-security-tutorial-june-2017 can help each of us keep our keys safe and our accounts logged in by the ideal methods. This screenshot by @lukmarcus is also helpful!

Here are a few more quick Steem account security tips!

  1. Log in everywhere by default with the private posting key because this key is the lowest security. It only allows for voting, posting, commenting, etc. It has no rights to send Steem, power up or down, use the market, or even vote for witnesses.
  2. Use the active key to make transfers, vote for witnesses at https://steemit.com/~witnesses and handle anything else the posting key cannot such as running a witness.
  3. Only use the master password to change the keys as needed. Do not use the master password to sign into steemit.com or anywhere else because anyone grabbing our master password can lock us out of our account. Avoid using the master password to sign in anywhere including third party apps.

Thank You for Reading!


I hope this post was helpful today and appreciate you following me on Steemit!

Love,
Jerry Banfield

Shared on

PS: This post today is a part of my service as a full time witness for Steem! Witness votes are the most important votes we make on Steem because one vote for a witness lasts indefinitely! Would you please make a vote for jerrybanfield as a witness or set jerrybanfield as a proxy to handle all witness votes at https://steemit.com/~witnesses because when we make our votes, we feel in control of our future together? Thank you to the 1012 accounts voting for me as a witness, the 237M VESTS assigned from users trusting me to make all witness votes by setting me as proxy, and @followbtcnews for making these .gif images!

Vote Jerry Banfield Steem Witness Rank 29

OR

Set JerryBanfield proxy

Sort:  

Talking of the security in here on steemit, I guess this as you have it below has addressed that only that you did not talk about the memo key.

  1. Log in everywhere by default with the private posting key because this key is the lowest security. It only allows for voting, posting, commenting, etc. It has no rights to send Steem, power up or down, use the market, or even vote for witnesses.
  2. Use the active key to make transfers, vote for witnesses at https://steemit.com/~witnesses and handle anything else the posting key cannot such as running a witness.
  3. Only use the master password to change the keys as needed. Do not use the master password to sign into steemit.com or anywhere else because anyone grabbing our master password can lock us out of our account. Avoid using the master password to sign in anywhere including third party apps.

But to talk of that much people sharing their private key, that's majorly wrong. That much persons can't be as daft as that and I believe potential scammers ain't as weak as that not to have cleared the accounts either minutes after you dropped those spam like messages in our comments sections or very long before you even dropped the message.
Majority of us only have memo keys shared in those places you claimed to have seen private keys and I remember asking you with a reply to your message but didn't get a response.
What I know about keys on here is shared in this screenshot below (gotten from the FAQ section) and I don't see memo key equaling private key.

Keys.jpg

Steemit has high security.

True... this was an interesting read.
Lets-be-friends.gif

its true it is still a problem, and yes very dramatic if you just scroll certain accounts for these memo keys, you instantly hit that data. But there is not much one can do except making people aware through posts like yours.

Most of the times these are private keys for 'posting' only by the way, so not much harm can be done directly to the funds, but indeed to the reputation of the users. In any case it is bad and people will need to change.

Right here on Steemit the dialog box will warn you with a red warning when you put a private key formatted like string in the memo box. Bittrex could adopt that too when it detects similar behaviour...

@roelandp thank you for explaining that we already have a system here on Steemit to warn against sending private keys because I did not know that and now feel a bit foolish for not testing it before I made this post! I see now based on your suggestion that we would benefit warnings on the exchanges also and I will update the post to reflect that! I appreciate your upvote on my burrito post earlier today!

i'm huge fan of burritos :)

upvoted please do same

People should be discouraged from ever having their keys in clipboard at all. Password managers like LastPass can help prevent you from having private keys in clipboard, which exposes you to various risks (malicious and accidental).

Had 490 liquid STEEM stolen from me 10 minutes after this happened to me last month :/ hope people here take their time to read up on how to use their keys properly.

But hey, many people have payed far greater costs for lessons learned in life.

@fredrikaa thank you very much for sharing your experience here with this because seeing that you lost money just 10 minutes after this happening I hope helps prevent another from the same loss! Tip!

That's very gracious of you Jerry. Thanks a lot!
Indeed I hope I can just be of help to the community in general by sharing my experience and helping others avoid this.

For those who just want to know how it went wrong for me and how it could be avoided could check out my friend's post on it here. I hope it can help some of you.

I myself have just thought about how I can turn frustration into motivation and be even more active on the platform and deliver better on my posts.

Anyways, thanks again Jerry! It's the awesome way in which the STEEM-community is helping each-others out and co-creating a great platform that will send us to the Moon :)

Share my active key on curie for unlocking the app , following you , hope that is safe , as they were not letting me unlock with my posting key @jerrybanfiled

Your active key is used to transfer funds from your account.

Really sorry to hear that, but can you please share how your password could be stolen? @fredrikaa

upvoted please do same

Great help for the people involved

upvoted please do same

Most of the key's posted in the memo-field are just the memo-keys, which are useless as of today...
But anyway, the memo-field should just block all these keys on entry...

It happened with me once. I was using Whats app web and i login to my steemit account. I forget the password is still copied and while chatting i pasted my password on the Whats app group. Thank god nothing happened.

Did you change the password right away after that I am guessing?

Yes. I had too.

Thanks for the warning, keep up the good job!

You contacted people that have written just memo on bittrex, why?

I wonder too.

Is there a way people might not realize they put their key out in the open, or are you saying that people pasted their passwords in as memos?

My memos have only ever been articles links I want randowhale to upvote. There's no risk there right?

No, no risk.

I will stick the prevention tips as i'm currently using my master key to log in. Thanks a lot, Jerry!

Coin Marketplace

STEEM 0.35
TRX 0.12
JST 0.040
BTC 70734.57
ETH 3561.52
USDT 1.00
SBD 4.75