You are viewing a single comment's thread from:
RE: Hack Alert : Users exposing private keys in memo while transfer !
Although I agree with your safety concerns, I do not think blogging about this openly is the right way to go, especially so in the Steem ecosphere where real money is involved.
Maybe deleting the mongoDB queries on your post could help protect the wallets involved from getting robbed by scriptkiddies.
Edit: self-upvoted for visibility / preventing people getting robbed.
While I agree that sensitive topics should be handled carefully, I think that it is hard to find a better way to expose such an issue on Steemit. Maybe contacting Steemit Inc. directly instead of blogging it...?
Two aspects are important here:
-1- implementing your memo rejection suggestion (via [email protected])
-2- protecting the accounts / wallets involved, via notifying them (via email if possible) and urgently suggesting to change their keys ASAP.
The accounts I have exposed have changed their master keys. I have confirmed that. As for the queries, similar queries are available in countless blogs on steemit itself. This is now new.
I get your point. Hope you get mine !!
I have not exposed the real queries, with these anybody will have a little hard time.
The actual queries I used let me check character length there itself.
Talking about it more could actually save users from getting robbed. Steemit Inc is well aware of the problem. They have included warning signs. But they can't do anything about memo people leave on bittrex while transferring them to steem account. This shows in their memo field non encrypted and ready to be read by anyone.