Compromised accounts in the STEEM blockchain // A new defender

in stem •  5 years ago  (edited)



Hello everyone =]

A couple of weeks back I reported this phishing campaign attack to steemit.com.

I was on a little vacation in Florida at that time and on the subway heading back to my place in New York I was bored, so I started reading around about previous security issues in Steemit.
I found this old article (and other similar ones) stating that plenty of accounts had been compromised due to users accidentally pasting their private keys in transfers memo and posts.

Some inexperienced users may not know this, but those accounts and their funds are at risk, because even if you delete the private key accidentally published in the post/comment/transfer, the key is still stored forever in the blockchain, no matter what edits you made afterwards to your post/comment (and you can't edit transfers)!

That led me to wonder whether this is still an issue nowadays. So I tested steemit.com by copying and pasting an (old) private key in a transfer memo, in a comment and in a post.

As a result, a popup came up telling me that if I proceeded I was going to compromise my account. That's good!

By the way, use Brave browser for better performance and security!!

The problem though is that other STEEM blockchain User Interfaces and Apps (eg. Partiko, Esteem, etc) do not have this leak prevention mechanism in place yet!! (I tried this myself)

So I then decided to write a script that scans the entire STEEM blockchain on a couple of threads in order to verify whether there are still users who, after accidentally leaking their private keys, did not reset them.

I ran the script for a couple of days and here follows the first partial result (after scanning only 11 million blocks).

I found:

  • 2x PRIVATE ACTIVE KEYS
  • 3x PRIVATE MEMO KEYS
  • 39x PRIVATE POSTING KEYS

The active keys leak is more serious as an attacker can delegate or transfer funds away from the owner's wallet.

One of the accounts accessible with those active keys has 692.702 STEEM and 3054 followers! And some accounts using a compromised posting key have thousands of followers as well.
These would be interesting prey for an attacker!

Today I sent this first list of private keys to @guiltyparties (IMO one of the most reputable Steemit Witnesses) and I am also going to send all these compromised accounts a transfer memo from another account telling them to reset their keys as soon as possible. [PS. Done]



.1. So far I have only scanned about one fourth of the entire STEEM blockchain. Next week I'll resume the scanning (I'm currently on holiday) and keep you posted with the results.

.2. I have also been working on a version 2 of the STEEM blockchain scanner. { By the way, any suggestions for the bot name?? =] }

  • My new bot will run 24 hours a day, 7 days a week, to automatically detect when users accidentally leak their keys.

  • The bot will automatically do the following when a private key is detected:

    • Detect the type of key by trying to authenticate into Steemit.
    • For posting keys it will comment on the user's last post warning them that they compromised their posting key
    • For active keys it will put all liquid steem/sbd into savings and warn the user
    • For owner keys it will reset their account and the new keys will be privately sent to @guiltyparties so that he can give them back to the owner when he/she proves that the account is his/hers.


  • Every week my bot will publish a post with some stats and updates on the compromised accounts found scanning the blockchain.
    Please feel free to show your support on those posts in order to keep the bot with enough RC to perform its operations (comments, transfers to savings, etc).

Note that my bot (already in its 1st version) checks all operations published into the STEEM blockchain, not only comments and posts as other bots did in the past. This is because we don't know what Frontends and DAPPS will be created and how they will use the blockchain in the future. Meaning that private keys could still be accidentally placed in other fields of the data published (forever) into the STEEM blockchain. My bots will detect those new fields too (analyzing the raw JSON data) and prevent compromised keys from ending in the wrong hands.
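A check of this kind, written as an added example and not taken from the author's bot: it walks every string in an operation's raw JSON and reports the field path of anything that decodes as a private key. It assumes keys are in uncompressed WIF form (51 base58 characters starting with `5`, version byte 0x80, double SHA-256 checksum); the function names and the sample operation are hypothetical.

```python
import hashlib
import json
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Overlapping search for '5' + 50 base58 chars, so a key glued to other text is
# still found; the checksum test below discards lookalikes. Assumed key format.
CANDIDATE = re.compile(r"(?=(5[%s]{50}))" % B58)


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(secret: bytes) -> str:
    """Encode a 32-byte secret as WIF; used here only to build sample input."""
    raw = b"\x80" + secret
    n = int.from_bytes(raw + _checksum(raw), "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out


def is_valid_wif(text: str) -> bool:
    """True only if the version byte and base58check checksum both match."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes(37, "big")  # 1 version byte + 32 key bytes + 4 checksum
    return raw[0] == 0x80 and raw[33:] == _checksum(raw[:33])


def find_leaks(node, path="$"):
    """Walk any JSON value; return paths of strings that hold a valid key."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_leaks(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in find_leaks(v, f"{path}[{i}]")]
    if isinstance(node, str) and any(is_valid_wif(m) for m in CANDIDATE.findall(node)):
        return [path]  # report where the key is, never the key itself
    return []


if __name__ == "__main__":
    key = wif_encode(bytes(range(1, 33)))  # constructed throwaway key
    op = ["custom_json", {"id": "demo", "json": json.dumps({"note": key})}]
    print(find_leaks(op))
```

Because it only looks at string values, the same function can run in a frontend before an operation is broadcast or over operations already in a block, and it also covers JSON that is embedded as a string inside `custom_json`.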

Once the bot code is ready I will test it myself end to end using a dummy account. I will prove to you all how the compromised key was handled and you'll be able to verify it yourself thanks to the transparency of the platform (eg. looking at the operations on steemd.com).

If you want to test it out yourself as well, you will be able to do so with a dummy account or using a non-owner key so that you can then easily reset them all afterwards.


Note: 10% of the payout coming from this blog of mine now goes to @steempeak. My other bots @marcocasario, @gasaeightyfive and @cribbio as well, starting from today, will give @steempeak 50% of the payouts!


On a similar note..
I am currently re-writing those bots in order to make them faster / more reliable / more scalable and implement some other improvements that are on my backlog. I also have other ideas for other brand-new bots. So.. stay tuned!

I'll leave you with a final question: is there some type of bot that you think is missing on Steemit and should absolutely be added? Please feel free to leave your ideas and suggestions to make this platform better!! I'll do my best to work on the feasible ones ( in my little spare time! :] )

And since it's tax time already, feel free to re-use my free tool to calculate the sum of your incoming transactions and rewards. Enjoy!   =]


See you soon,
Gabe

  ·  5 years ago (edited)

Yes, I agree, there are many users on Steem who don't use their private keys correctly. It's up to responsible dapps to try to let them know they are about to do something stupid.

UPDATE: By the way, if that's how the warning shows on steemit.com, the default button should be "Cancel", not "OK"!

Good point - Maybe one for @quochuy

(Pretty busy at the moment, I’ll try to contribute to Steemit UI too soon)

  ·  5 years ago (edited)

@crokkon Yes, I found out that someone already had my exact idea a few days ago.

Its owner though recently said on Discord that he turned it off so I’m happy to take his place

Yes, I have switched off noblebot. It wasn't very useful at saving keys anymore.

  ·  5 years ago (edited)

At the moment it takes about 25ms to detect a key after being published in a block. And I poll for new blocks every 20ms.
I plan on having at least 2 instances running in order to be as fast as possible.
Thx =}

Thanks for sharing the information.
Everyone should double check when dealing with the keys.
I did not know you are the owner of the other three mentioned bots also.
I have used them many times..

Hey, nice to see you around =]

!trdo


!shop
$trdo
!BEER
for you


Thanks buddy,

Long time no see =}

Now I know your real name.

Hey @eii,
Dude, you can't keep using bidbots for upvotes anymore.
There are new rules on Steemit (see #newsteem).
If you keep doing so you will receive heavy downvotes, I have seen that you are on the watch list already.
You can only use bidbots that do not give you ROI (eg. the latest version of @tipu). You can only buy votes to get some visibility to get upvotes from other users. But you can't get into trending with a low quality post or you may still get heavy flags.

Take care =]

Thank you my friend for your solicitude,
The big problem is that there are no precise rules, no general stories with unspecified values, deadlines and age of the post.
Another question is who invented these rules.
There are bots in the Steem (Steemit), which means they are legal for the platform.
If not, ban them from the platform.
Not to mention that there is a double standard for users, those who do not reach 1USD are punished with Downvotes, and those with 2USD and above no one hooks them.
My posts already have beneficiaries

I wish you much success.

!BEER
for you

who invented these rules

The community for the sake of the platform and value of steem

There are bots in the Steem (Steemit), which means they are legal for the platform

They are legal as far as they don't drain the reward pool and don't put low quality posts in trending as that affects the whole platform if it's seen as a low quality one by new/external users.

those with 2USD and above no one hooks them.

I have seen many of these downvoted to cents

I'm not sure that your 5% beneficiary will be enough I'm afraid.

PS. Looking at your posts it does not look to me that you are abusing bid bots so you should be fine, I think.

Take care

Thank you!

$trdo

!BEER


=]

Thanks for warning people. My posting key was online on purpose, to create a public testing account. But I changed the password now.

Good. Thanks for reaching out.   =]