You shall not (leak your) pass!

Another account was (almost) hacked and three accounts were vulnerable for weeks. 167 valid private keys are still publicly available.
Why?
Because people are putting weird things into memo fields.

Well... "weird things" are not a problem, but when you put your private active or owner key (or other sensitive information) there, you might end up regretting it until the end of the blockchain.
That means: FOREVER.


Have you entered your key in the wrong place?
Remember: that is the moment you lose control over your account.

A few seconds later, a malicious user will take your key and replace it with his own.

If that was your owner key or master password, all you can do is start the account recovery process, which can take days or weeks, but **it has to be completed within 30 days** or your account is lost forever.
It might or might not work and you might or might not be eligible to use it.
After all, you have just lost your account, so don’t expect miracles.

If that was your active key, you can still use your owner key or master password to quickly change the leaked key but...

The clock is ticking

  • Within the next three seconds, you will lose all your STEEM and SBD that were not frozen in savings accounts. (Are you that fast?)
  • Three days after your failure, you will lose all the funds you have in your savings accounts too, if you haven’t been able to regain access to your account yet (How about not losing it in the first place?)
  • Also, Power Down was initiated right away, so a week after your failure, and every week after that, you will lose 1/13 of your Steem Power until your account becomes an empty shell. (Oh, my mistake, it's not "your account" anymore.)

Scary, isn't it?

Such a thing almost happened to one of the users: @photo-trail
(not to mention three others - more details later on)

Fortunately, while monitoring the blockchain I was alerted in time and I've changed that key myself.
(special thanks to @almost-digital for the useful tools he provided)

I sent a message to the user:

"You have leaked your active private key to the public putting your account at risk. Your key was changed to prevent stealing your funds. Please change your active key using your owner key or master password. Be safe."

What was at stake in that particular account?
$30 worth of liquid assets (almost all in SBD)
and almost 2800 Steem Power
Estimated Account Value: $4,355.64

Extraordinary? No. Not at all.
Not long ago, @noisy & @lukmarcus gained access to 11 accounts with $21,749 on them.
Their post called users' attention to the issue, earned thousands of dollars, received thousands of upvotes, hundreds of comments and tens of thousands of views. Their story was even featured on a popular Polish site - Niebezpiecznik.

So what? Nothing. It just happened again.

Even though it is now much less likely, because many nodes have been checking memos since #1181 was implemented.

"Transfers with the sender's private key information will be rejected with a soft fork. The error message recommends the sender change their keys in such an event. The CLI wallet does a similar check against the sender's keys and the keys in the wallet."
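
The #1181 check can be reproduced outside a node, which is also how you would scan past transfers for leaks. The Python below is an added example written for this post, not steemd or cli_wallet code: it finds WIF-looking strings in a memo, verifies their checksum, derives the compressed public key with a minimal secp256k1 implementation, and reports any match against the sending account's keys. It assumes the account's keys are given as compressed hex rather than in the on-chain STM encoding, and all sample values are constructed.

```python
import hashlib
import re

P = 2**256 - 2**32 - 977  # secp256k1 field prime (the curve behind Steem keys)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_RE = re.compile(r"5[1-9A-HJ-NP-Za-km-z]{50}")  # 0x80 + 32-byte secret + checksum = 51 chars

def checksum(body):
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def secret_to_wif(secret):  # base58(0x80 || secret || checksum), the "5..." private key format
    n, out = int.from_bytes(b"\x80" + secret + checksum(b"\x80" + secret), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def wif_to_secret(wif):  # 32-byte secret if wif is well formed with a valid checksum, else None
    n = 0
    for ch in wif:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 37 or raw[0] != 0x80 or raw[-4:] != checksum(raw[:-4]):
        return None
    return raw[1:-4]

def _add(a, b):  # affine point addition on secp256k1; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def pubkey_hex(secret):  # compressed public key (hex) via double-and-add scalar multiplication
    k, acc, pt = int.from_bytes(secret, "big"), None, G
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return None if acc is None else ("02" if acc[1] % 2 == 0 else "03") + f"{acc[0]:064x}"

def leaked_keys_in_memo(memo, account_pubkeys):  # account keys whose private WIF sits in the memo
    pubs = {pubkey_hex(s) for s in map(wif_to_secret, WIF_RE.findall(memo)) if s is not None}
    return sorted(pubs & set(account_pubkeys))
```

A transfer whose memo yields a non-empty list is exactly what the soft fork rejects; run over historical transfers, the same function produces the kind of list this post is about.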

So what about other keys that are available publicly and still valid?
I made a quick scan that revealed another 170 keys.
167 of them are memo private keys. There's no imminent or direct risk from those, at least not now, but if someone used their memo key in the wrong way, there's a good chance that they are putting their assets at risk by improperly handling their other secrets as well.
Unfortunately, there were also two active keys and one master password:
  • @amrsaeed - the key was leaked 56 days ago during a transfer to poloniex; @noisy has already included this case in his post, and 34 days ago this user was warned by @lukmarcus about the leak
  • @gary911 - the key was leaked 41 days ago during a transfer to poloniex; 34 days ago the user was warned by @lukmarcus about the leak
  • @savagem13 - the master password was leaked 26 days ago during a transfer to bittrex; 5 days ago someone used their password to change account properties to:

"{"profile":{"name":"Savage Money","about":"This Account Has Been Hacked! Please Change Your Password. Your Money is Safe"}}"

(which is not true, because after you have leaked your password/key, your money is not safe)

Surprisingly, none of those keys had been changed yet (until today, of course, by me), but that doesn't guarantee that the keys were not under the control of a malicious third party, or that the actions taken after those leaks and before the keys were changed were made by the original owners. Maybe the malicious users were just waiting for a bigger amount of liquid assets to be available on those accounts. You never know.

Estimated Total "Secured" Assets: $12,000

Another case, another lesson.
This time, again, everything ended (relatively) well.
Who was paying attention?
Are we safer now?
Are you?

No.

It will happen again, one way or another.
Please make sure that it will not happen to you.

TL;DR:

You will lose your funds if you disclose your private key.

(Try to guess: Why is it called PRIVATE?)

Do not learn from your own mistakes, learn from the mistakes of other users.

"Keep it secret, keep it safe"



If you believe I can be of value to Steem, please vote for me (gtg) as a witness on Steemit's Witnesses List or set (gtg) as a proxy that will vote for witnesses for you.
Your vote does matter!
You can contact me directly on steemit.chat, as Gandalf



Steem On
Be Safe
