Writing a password in public led to theft of STEEM

in #steemit, 7 years ago (edited)

As most of you might know from the TRENDING page, @noisy, with a little help from me, found a big problem with memos in transfers. We thought that post would be a BIG WARNING SIGN for all users, but I guess it's not enough.

Only a few minutes ago I found a new password, and I think it was too late. User @snoozley transferred 899.98 STEEM from Poloniex with his password in the memo. An hour later all of that STEEM was transferred out to Poloniex with the memo 4709955ff263f9e4.

The account of @snoozley was hacked. Someone saw the password and used it.

And the worst part of this problem... look at the feed page of @snoozley. He had @noisy's post right in front of his eyes.

I have changed his password. He can still recover the account as described in @noisy's post: https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so

STEEMIT: Please find a solution for that problem!

Not everything can be fixed by Steemit. When people write their passwords in public on other sites (like Poloniex), no one can make sure that no harm will be done. If a user published the private key of a bitcoin address in public, a similar thing would happen.
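What such a leak looks like to a scanner, as an added example that is not the script from @noisy's post and not Steemit's patch: the post says the attacker only needed to read the memo, so the check below does the same thing an attacker would, from the public side. For each whitespace-separated token of a memo it tests whether the token is a raw WIF private key, whether it has the shape of a Steem master password ("P" followed by a WIF), and whether Steem's password-to-key derivation (sha256 of account name + role + password) turns it into one of the keys the account has published. The account name "alice", the master password and the memos are constructed for the demo; secp256k1 is implemented in pure Python so the block runs offline.

```python
"""Memo leak scanner (added example, not the original post's script).

Assumes Steem key formats: WIF = base58check(0x80 || 32-byte key), master
password = "P" + WIF, role keys = sha256(account + role + password).
"""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")

def b58decode(s):
    """Return the decoded bytes, or None if s contains a non-base58 character."""
    n = 0
    for c in s:
        if c not in B58:
            return None
        n = n * 58 + B58.index(c)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))          # leading '1's encode zero bytes
    return b"\x00" * pad + raw

def b58encode(b):
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out

def sha256d(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def wif_to_int(s):
    """Private scalar if s is a valid WIF (0x80 prefix, sha256d checksum), else None."""
    raw = b58decode(s)
    if raw is None or len(raw) not in (37, 38) or raw[0] != 0x80:
        return None
    body, chk = raw[:-4], raw[-4:]
    if sha256d(body)[:4] != chk:
        return None
    return int.from_bytes(body[1:33], "big")

def int_to_wif(k):
    body = b"\x80" + k.to_bytes(32, "big")
    return b58encode(body + sha256d(body)[:4])

# secp256k1 parameters and affine point arithmetic (enough for scalar multiplication)
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                           # point at infinity
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def pubkey(k):
    """33-byte compressed public key for private scalar k (double-and-add)."""
    r, q = None, G
    while k:
        if k & 1:
            r = _add(r, q)
        q, k = _add(q, q), k >> 1
    x, y = r
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def role_key(account, role, password):
    """Steem's password-to-key derivation: the sha256 digest is the private scalar."""
    return int.from_bytes(hashlib.sha256((account + role + password).encode()).digest(), "big")

def stm_to_bytes(stm):
    """Compressed key bytes of an 'STM...' public key (drops prefix and ripemd160 checksum)."""
    return b58decode(stm[3:])[:33]

def scan_memo(memo, account, account_keys):
    """Return (token, reason) findings; account_keys is a set of 33-byte compressed keys."""
    findings = []
    for tok in memo.split():
        tok = tok.strip(".,;:()\"'")
        if wif_to_int(tok) is not None:
            findings.append((tok, "raw WIF private key"))
        if tok.startswith("P") and wif_to_int(tok[1:]) is not None:
            findings.append((tok, "Steem master password format"))
        for role in ROLES:                     # does the token derive a published key?
            if pubkey(role_key(account, role, tok)) in account_keys:
                findings.append((tok, "derives the account's %s key" % role))
    return findings

if __name__ == "__main__":
    account = "alice"                                   # constructed account
    master = "P" + int_to_wif(0x1234567890ABCDEF)       # constructed master password
    published = {pubkey(role_key(account, r, master)) for r in ROLES}
    for memo in ("4709955ff263f9e4", "deposit " + master, int_to_wif(1)):
        print(memo, "->", scan_memo(memo, account, published))
```

The third check is the one that matters for the incident in the post: a master password that was merely typed into an exchange's memo field is, after one sha256 per role, the account's owner key, so an attacker who scans memos against published authorities finds it without any brute force. To use the scanner on a real account, convert each STM key from its authorities with stm_to_bytes and pass them as account_keys.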


You guys did some great work discovering this. The problem is you posted your script in the story. Now any jackass can use it every day to hack any person that makes a mistake.

The fix on Steemit was already deployed when that happened. @snoozley used his own password on Poloniex, not on Steemit.

Also, I am pretty sure that my script was not used for this attack, since it was written to analyze all transactions and all memos against all public keys. All computations take hours on multicore machines. The password was changed much faster, by a custom (not mine) script, or manually.

Someone would find it sooner or later :(

In my opinion the best way to handle these sorts of things is to privately reach out to the developers to tell them about the bug and give them a week or two to fix the problem. Then if they don't fix it, go public with the issue. Of course, posting your discovery after it was fixed isn't as flashy a headline and may not net a $6K post.

It's not really a bug, it's simply users who think "memo" means "your steemit password" for some crazy reason.

Fair enough. At the end of the day, however, it's a vulnerability that could be fixed. Something as simple as a check to see if the value put in a publicly visible field looks like a "steemit password". I suppose we could say "too bad, so sad" and not do anything about it. But as Steemit grows, we will get more and more users, who are less and less savvy, and incidents like these, rightly or wrongly, can be misinterpreted by the public as "bugs", as I just did.

as simple as a check to see if the value put in a publicly visible field looks like a "steemit password"

Before I published the post, Steemit already had a patch provided by me, which did not only what you said, but also checked whether a memo is one of the private keys. Also, before @snoozley compromised his password, the fix was already deployed.

But the password was sent in a memo from Poloniex. Steem developers cannot fix Poloniex and/or all other exchanges.

So you and lukmarcus saw the vulnerability in Steemit, fixed it, told Steemit, they fixed it, and you published this article to tell everyone: https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so That makes sense. Good on you. Great service to the community. Thank you.

Then lukmarcus published this post (the one I'm typing this comment in), in which he reveals the vulnerability still exists when transfers are made from outside of steemit, e.g., from Poloniex. lukmarcus says: "STEEMIT: Please find a solution for that problem!", you say "developers cannot fix poloniex or/and all other exchanges".

So which one is it? Steemit needs to fix it, or they can't? I realize you and lukmarcus are different people, but clearly you were collaborating in your original posting. You're not on the same page of music anymore.

I agree with you that Steemit cannot fix the problem, but it makes no sense for lukmarcus to go public about it; he accomplishes nothing but a) alerting hackers that the problem exists, which is exactly what happened, and now STEEM has been stolen, and b) lukmarcus directly benefiting from a potential sequel to your original post. But not so much this time ($0.21 as of this response).

So I stand corrected on my comment. When Steemit could fix the problem, exactly the right thing was done. I apologize for implying otherwise. But now I revise that comment, and agree with @pfunk. All lukmarcus has done is help the thieves. "Someone would find it sooner or later" is not an excuse, and seems quite lame when he potentially benefits from making the issue known publicly.

I admit I may not have all the facts from the two posts I have read. I'm happy to be enlightened.

I misjudged a few things in this post. What we know right now: the mistake was made by another user. Not everything can be fixed by Steemit. When people write their passwords in public on other sites (like Poloniex), no one can make sure that no harm will be done.

Very valid point, pointing out that it is not up to Steemit to fix every issue that we may create. Great work in all of this. I kind of feel bad letting your team die in the STEEM-Pocalypse game now... LOL!

On a side note, do you think you and @kambrysia could give me a few sentences about how excellent it was to win hundreds of dollars just by playing a game on Steemit? I was going to feature the previous winners in a post once this season is done. Also, do you have a photo of you two that I could use for that?
