Will exchanges like Bittrex and Poloniex help warn users against sending a private key in a memo? Steem users are accidentally sharing their posting, active, and even master passwords out in the open almost every day in transfers from exchanges, with no way to undo the mistake other than changing the master password. We have been talking about this a lot already and I hope my post contributes alongside those listed below! I took the time to share this today because when I originally read the posts below, I thought it was not that easy for the average user to find and exploit. I was wrong! It turns out finding these keys and then using them is incredibly easy, and in the comments readers are reporting Steem being stolen within minutes of a key leaking out in a memo!
- @gtg writes "Memos, keys and passwords, Balrogs and Fields of Despair. Be safe. Almost $100k wasn't" at @gtg/memos-keys-and-passwords-balrogs-and-fields-of-despair-be-safe-almost-usd100k-wasn-t
- @noisy writes "We just hacked 11 accounts on Steemit! ~$21 749 in STEEM and SBD is under our control. But we are good guys 😇 So..." at @noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so
- @lukmarcus writes "Important security information regarding private memo, public keys and transfers, with statistics" at @lukmarcus/important-security-information-regarding-private-memo-public-keys-and-transfers-with-statistics
The Problem
Users, mostly on exchanges, are sharing the Steem private posting key, private active key, and master password in memos, and I would imagine sometimes in posts or comments as well. These keys are being shared almost every day by a different user, and often repeatedly by the same users.
In 10 minutes, I found $63,278 worth of Steem private keys out in the open! What is remarkable is how easy these were for me to find without even planning to look once I saw the first private key and recognized what it was! Unlike the sophistication in previous posts showing how tools were used to search the entire blockchain, I was able to find all of these keys without leaving steemit.com as soon as I noticed the first one. In fact, I probably missed 80% of the private keys using my very basic find procedure.
If a hacker chose to actively check the Steem blockchain for this loophole, it might be possible to steal hundreds if not thousands of dollars of Steem and SBD every day, along with initiating power downs, making posts, creating comments, and using voting power. If a hacker had a sense of humor while cleaning the accounts out, the private keys could be used to set up auto upvoters, which would quickly provide a whale-size upvote when combined with the keys being shared every day plus the ones that have already been shared. The hacker could even make posts on all of the accounts and troll comments, or employ a bot network to use all the accounts together.
The Solution
To help the users I found fix the leak, I contacted all of the users whose private keys I found yesterday and asked each to change the master password to reset the keys and secure the accounts. While I have a spreadsheet with the names of the users and the amount of Steem at risk, I am not sharing them here because within 24 hours, I am happy to see $53,271 of the Steem at risk through leaked keys has been secured through changing the master password. We can see when a master password was last changed on any account by viewing each account on https://steemd.com/ and checking the owner update for that user. While many of the leaked keys are posting keys only, misuse of these might also be the most difficult to detect: a hacker who sets up an auto upvoter with a leaked posting key might cause more problems than losing a bit of Steem, because of the comments or posts made in the account's name.
We can each immediately assist in helping our friends and fellow users by noticing what our private keys look like and immediately informing another user when we see a private key slip out in the open. Learn the private key format at @jerrybanfield/permissions by switching out my username.
Any private key slip can be fixed by changing our password at @jerrybanfield/password using our own username, because switching the password updates the private keys also and makes the old ones invalid. WARNING: MAKE SURE to copy the new password out into wherever it will be stored and then paste it back into the retype password field from there, because failing to copy the password right might result in access to the account being lost! The new password totally replaces the old one. The pucker factor was 100% last time I changed my owner key ... minimizing password use and changes is ideal!
Prevention
I am talking about this and risking making it worse before it gets better both for the sake of educating users how to avoid this and to ask Poloniex and Bittrex and any other exchanges for the ability to warn or block transmission of private keys in memos. Fortunately Steemit.com already has this functionality built in!
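An exchange-side pre-send check of the kind this post asks for, as an added example (not Steemit's or any exchange's own code): it scans a withdrawal memo for tokens that decode as a Steem WIF private key (0x80 version byte, 32-byte secret, double-SHA256 checksum) and refuses the transfer when the checksum verifies, so a typo-like string is not flagged but a real key is. The leading-'P' form for Steemit-generated master passwords is an assumption, and the secret used in the test is constructed.

```python
import hashlib
import re
# Base58 alphabet used by Bitcoin-style WIF keys, which Steem reuses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(text):
    """Decode base58 text to bytes; return None on a non-alphabet character."""
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))  # leading '1's are zero bytes
    return b"\x00" * pad + body

def b58encode(raw):
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def wif_from_secret(secret32):
    """Build a WIF private key: 0x80 || secret || first 4 bytes of sha256d."""
    payload = b"\x80" + secret32
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)

def is_wif_private_key(token):
    """True only if token decodes to version 0x80, 32-byte key, valid checksum."""
    raw = b58decode(token)
    if raw is None or len(raw) != 37 or raw[0] != 0x80:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return check == raw[-4:]

# A WIF is 51 base58 chars starting with '5'. The optional leading 'P' covers
# Steemit-generated master passwords, assumed here to be 'P' + WIF.
CANDIDATE = re.compile(r"\b(P?)(5[1-9A-HJ-NP-Za-km-z]{50})\b")

def find_leaked_keys(memo):
    """Return every token in the memo that is a checksum-valid private key."""
    return [p + k for p, k in CANDIDATE.findall(memo) if is_wif_private_key(k)]

def memo_is_safe_to_send(memo):
    """Exchange-side pre-send check: refuse a transfer whose memo leaks a key."""
    return not find_leaked_keys(memo)
```

The checksum test is what keeps false positives down: a random 51-character string starting with '5' fails it, so the warning only fires on a string that really is a usable key.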
In the meantime, learning the basics of account security as seen at @jerrybanfield/the-steemit-account-security-tutorial-june-2017 can help each of us keep our keys safe and our accounts logged in by the ideal methods. This screenshot by @lukmarcus is also helpful!
Here are a few more quick Steem account security tips!
- Log in everywhere by default with the private posting key because this key is the lowest security. It only allows for voting, posting, commenting, etc. It has no rights to send Steem, power up or down, use the market, or even vote for witnesses.
- Use the active key to make transfers, vote for witnesses at https://steemit.com/~witnesses and handle anything else the posting key cannot such as running a witness.
- Only use the master password to change the keys as needed. Do not use the master password to sign in to steemit.com or anywhere else, including third party apps, because anyone grabbing our master password can lock us out of our account.
Thank You for Reading!
I hope this post was helpful today and appreciate you following me on Steemit!
Love,
Jerry Banfield
PS: This post today is a part of my service as a full time witness for Steem! Witness votes are the most important votes we make on Steem because one vote for a witness lasts indefinitely! Would you please make a vote for jerrybanfield as a witness or set jerrybanfield as a proxy to handle all witness votes at https://steemit.com/~witnesses because when we make our votes, we feel in control of our future together? Thank you to the 1012 accounts voting for me as a witness, the 237M VESTS assigned from users trusting me to make all witness votes by setting me as proxy, and @followbtcnews for making these .gif images!