SteemIt.com is to be hacked? Security advisory.

in #steemit · 8 years ago (edited)

Hi there, steemers. As we all know, security matters. Much.

As we can see, steemit.com has been the fastest growing community lately. People of different countries, nations, languages and opinions join us every minute. I personally encountered two different serious errors on the website steemit.com today.

What does this tell us? That steemit.com is not ready for this number of users.

In my opinion it is not ready for hackers or spammers either. What if someone builds bots with a parser (in Python or similar)? Facebook accounts can be bought online; that is not a problem. So the bots upvote each other, post random content and earn Steem.

It is easy for a programmer. DDoS-ing steemit.com is even easier now. These are only two simple examples of intrusion that would affect the community, but I am sure there are more possibilities. Everybody remembers the DAO and what happened to it.


So what can we do?

First of all, we can be more careful and secure our own Steem accounts.

How to do it is written here:

How to make a very secure owner key for cold storage: Your Steem account is worth money! How to secure it with a new owner key to keep it yours forever

How to use or make a secure enough posting key and switch to using it to log in: How to login with your posting key (and why this is important)


The next piece of advice: do not give your password to anyone.

Check the SSL certificate for steemit.com (click the green lock to the left of the address bar) and always confirm it looks the same as it does now BEFORE typing your password.
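A programmatic form of that check, added here as an example (it is not code from the original post or from Steemit): it performs a TLS handshake to steemit.com with chain and hostname verification, then compares the server certificate's SHA-256 fingerprint with the value you recorded earlier from the browser's lock icon. `PINNED_SHA256` is a placeholder you fill in yourself.

```python
import hashlib
import socket
import ssl

# Placeholder: paste the SHA-256 fingerprint shown in your browser's
# certificate view the first time you verified the lock icon.
PINNED_SHA256 = "REPLACE_WITH_FINGERPRINT_FROM_BROWSER"


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_bytes: bytes, pinned: str) -> bool:
    """Compare ignoring case and separators, so browser-copied values work."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(cert_fingerprint(der_bytes)) == norm(pinned)


def fetch_leaf_cert(hostname: str, port: int = 443) -> bytes:
    """Handshake with full chain and hostname verification; return leaf DER."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(hostname: str, pinned: str) -> bool:
    """True only if the chain validates AND the leaf matches the pinned value."""
    return fingerprint_matches(fetch_leaf_cert(hostname), pinned)


if __name__ == "__main__":
    if check_site("steemit.com", PINNED_SHA256):
        print("certificate matches the pinned fingerprint")
    else:
        print("MISMATCH: do not log in until you have re-checked the lock icon")
```

Certificates are renewed periodically, so a mismatch means "stop and re-check the lock icon", not necessarily an attack; update the pinned value once you have confirmed the new certificate yourself.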

Moving on. I think there are many security specialists in the community, and we can ask them to try to hack steemit.com for good.


Report bugs.

How to do it is written here: STEEM Bug Bounty Program - How to reports bugs and new ideas


Other services like Telegram also pay a decent reward to those who can hack into their system for good. Maybe here everyone should chip in 1 Steem toward a payout for a good find?

And if you notice something suspicious, you should tell other users so we can all notice it. If you are not being heard here, feel free to join the Telegram communities (links are at the end of this article). All questions get answers there.

Don't forget to check my newer post where I reveal fraud schemes in SteemIt.

What do you think? Post in comments.


There is no problem with Facebook bots. To withdraw, an account should multiply SP by a factor of 10.

Please report this under the steemit-bugs tag, as described here:

https://steemit.com/steamit/@noisy/steem-bug-bounty-program-how-to-reports-bugs-and-new-ideas

Wow, thanks, that's useful. I updated my post.

The bugs I ran into seem to be gone and fixed. If I run into them again I will report them.

Thanks for mentioning my post in yours. I have just noticed that! I am not sure whether it is only for me, or whether all the links in your post are not clickable.

"All losses suffered by users affected by the attack will be reimbursed in full" http://forklog.com/v-rezultate-ataki-na-steemit-ukradeno-okolo-85-000/

Thanks for some of this. I was wondering about how secure the login process is. The bandwidth occurrences are just a scaling process.

In addition to this post, I want to discuss the need to add 2FA to STEEMIT:
https://steemit.com/security/@on0tole/on-the-need-add-2fa-to-steemit

Thanks for the advisory notes...

I've just finished SteemStream.com - a live peek at the real-time data on Steemit (posts, upvotes, money transfers, mining, new users, comments):

@vl248, looks like you called it!

Yeah, seems like it. @ned upvoted my post the day I posted it, so he read it and was prepared :D
Also, better such a small hack in the project's early days than a hack that will kill the project later.
I think this is only for the good.

You may also want to mention how useful and important a password manager is. Cold paper wallets are great, but most users will be fine with a computer using updated security patches, updated antivirus, and a good password manager. Using the browser plugin also protects against password phishing sites because they will not load in a password if the domain doesn't match.
