IMPORTANT SECURITY INFORMATION regarding private memo / public KEYS and transfers (with statistics!)

in #security · 7 years ago

It’s been 2 weeks since @noisy posted his text about not-hacking 11 Steemit accounts. It was the top 1 trending post for a week and I think at some point everyone saw it. And they probably did.

Private memo keys

First let me quote @noisy:

There are 4 pairs of keys: active, owner, posting and memo. Every pair has public key and private key. Under any circumstances, you should never expose any of your private keys.

As I wrote in a post, right now exposing a private memo key is not very dangerous. But it was said a few times that in the future memo keys will be used to encrypt and decrypt private messages. So basically every conversation of yours encrypted with your memo key would be public for everyone who possesses your private memo key.

Also... even right now everyone with your private memo key could try some kind of social-engineering attack by pretending that the attacker is you (because technically speaking only you should be able to sign a message with your private key).

So... no, your account was not hacked right now, but with your private memo key exposed, your account could be attacked the moment private memo keys gain some new role in the Steem ecosystem.

But many users, like @dollarvigilante, didn’t take it seriously.

And those users didn’t change their keys. No reason why.

Not in blockchain?

I have found one setting which is not stored in the blockchain. That means it can be changed in a user's profile after logging in with ANY of that user's private keys. This setting is viewing Not Safe For Work (NSFW) content.

To show you how it works I have found a user with NSFW content (one post without any images - https://steemit.com/@hungrylilkitten) and I will use @dollarvigilante's private memo key as an example.

So are you still going to wait with changing private keys for something worse to happen?

A lot of memo keys

You might think there are only a few of those private memo keys so no need to worry. Let me surprise you - there are dozens of them.

Let’s have a look at the number of private memo keys posted per month (data collected up to 2017-06-19 17:27:12).

| Month | Keys posted | Percent of all |
|---|---|---|
| 07.2016 | 16 | 13,68% |
| 08.2016 | 18 | 15,38% |
| 09.2016 | 7 | 5,98% |
| 10.2016 | 7 | 5,98% |
| 11.2016 | 1 | 0,85% |
| 12.2016 | 2 | 1,71% |
| 01.2017 | 1 | 0,85% |
| 02.2017 | 0 | 0,00% |
| 03.2017 | 4 | 3,42% |
| 04.2017 | 4 | 3,42% |
| 05.2017 | 23 | 19,66% |
| 06.2017 | 34 | 29,06% |

First, I’m going to divide it into two categories: keys posted and changed some time later by the user, OR keys posted with no response from the user till now.

| Posted... | Number of keys | Percent of all |
|---|---|---|
| ... and changed later | 42 | 36.75% |
| ... and NOT changed later | 74 | 63.25% |

Let’s set a point in time called POST. POST is the date when @noisy published his text. The data shown above will be divided into more categories:

| Posted... | Number of keys | Percent of all |
|---|---|---|
| ...before POST and changed before POST | 28 | 23.93% |
| ...before POST and changed after POST | 13 | 11.11% |
| ...after POST and changed after POST | 2 | 1.71% |
| ...before POST and not changed | 51 | 43.59% |
| ...after POST and not changed | 23 | 19.66% |

Posted before POST and changed before POST

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Key changed |
|---|---|---|
| @business | 2016-07-04 20:59:09 | 2016-07-16 08:53:12 |
| @katiasan1978 | 2016-07-15 14:53:03 | 2016-07-15 15:02:18 |
| @crypt0 | 2016-07-15 20:30:42 | 2016-07-21 18:14:36 |
| @pinkisland | 2016-07-20 05:24:15 | 2016-07-24 02:36:45 |
| @jl777 | 2016-07-26 23:06:24 | 2016-07-27 17:36:15 |
| @theanubisrider | 2016-07-27 19:26:15 | 2016-08-05 02:56:27 |
| @toxichan | 2016-07-29 05:03:51 | 2016-08-20 13:36:36 |
| @jl777 | 2016-08-01 11:52:54 | 2016-12-29 08:58:39 |
| @zhuvazhuva | 2016-08-03 18:39:21 | 2016-10-17 07:50:12 |
| @bdavid | 2016-08-04 00:20:03 | 2016-08-12 22:15:21 |
| @mandibil | 2016-08-09 21:07:21 | 2016-08-14 12:52:36 |
| @konti | 2016-08-12 15:42:12 | 2016-08-12 15:44:39 |
| @crypt0 | 2016-08-13 19:29:24 | 2017-05-21 07:50:12 |
| @instructor2121 | 2016-08-16 22:56:21 | 2016-10-02 06:57:30 |
| @infovore | 2016-08-29 10:32:51 | 2016-09-19 16:38:15 |
| @mohammed123 | 2016-09-05 08:17:30 | 2016-09-06 10:22:33 |
| @mohammed123 | 2016-09-06 17:40:39 | 2016-09-06 17:42:12 |
| @theprophet0 | 2016-09-12 01:00:12 | 2016-10-08 01:03:42 |
| @mohammed123 | 2016-09-14 17:48:57 | 2016-09-14 17:57:39 |
| @lichtblick | 2016-10-01 14:17:06 | 2016-10-09 07:45:09 |
| @hien-tran | 2016-10-13 08:04:57 | 2016-11-19 08:33:36 |
| @justtryme90 | 2016-10-17 02:27:51 | 2016-10-26 02:27:57 |
| @jacobts | 2017-03-21 10:46:24 | 2017-05-08 18:43:39 |
| @berovvv | 2017-05-13 08:18:09 | 2017-05-15 11:50:57 |
| @samdaman | 2017-05-14 03:14:03 | 2017-05-21 10:34:57 |
| @dancingstar | 2017-05-22 15:41:21 | 2017-06-04 01:52:00 |
| @cryptonouvelles | 2017-05-28 23:47:12 | 2017-05-29 01:45:57 |
| @tombstone | 2017-06-06 14:18:03 | 2017-06-06 15:37:06 |

Table sorted in ascending order of key changed after:

| User | Times used | Key changed after |
|---|---|---|
| @mohammed123 | 1 | 1 min 33 s |
| @konti | 1 | 2 min 27 s |
| @mohammed123 | 1 | 8 min 42 s |
| @katiasan1978 | 1 | 9 min 15 s |
| @tombstone | 1 | 1 h 19 min 3 s |
| @cryptonouvelles | 1 | 1 h 58 min 45 s |
| @jl777 | 2 | 18 h 29 min 51 s |
| @mohammed123 | 2 | 1 d 2 h 5 min 3 s |
| @berovvv | 2 | 3 d 3 h 32 min 48 s |
| @pinkisland | 2 | 3 d 21 h 12 min 30 s |
| @mandibil | 2 | 4 d 15 h 45 min 15 s |
| @crypt0 | 2 | 5 d 21 h 43 min 54 s |
| @samdaman | 1 | 7 d 7 h 20 min 54 s |
| @lichtblick | 1 | 7 d 17 h 28 min 3 s |
| @theanubisrider | 2 | 8 d 7 h 30 min 12 s |
| @bdavid | 1 | 8 d 21 h 55 min 17 s |
| @justtryme90 | 8 | 9 d 0 h 0 min 6 s |
| @business | 2 | 11 d 11 h 54 min 3 s |
| @dancingstar | 6 | 12 d 10 h 10 min 39 s |
| @infovore | 2 | 21 d 6 h 5 min 24 s |
| @toxichan | 1 | 22 d 8 h 32 min 45 s |
| @theprophet0 | 3 | 26 d 0 h 3 min 30 s |
| @hien-tran | 1 | 37 d 0 h 28 min 39 s |
| @instructor2121 | 6 | 46 d 8 h 1 min 9 s |
| @jacobts | 1 | 48 d 7 h 57 min 15 s |
| @zhuvazhuva | 4 | 74 d 13 h 10 min 51 s |
| @jl777 | 2 | 149 d 21 h 5 min 45 s |
| @crypt0 | 1 | 280 d 12 h 20 min 48 s |

Posted before POST and changed after POST

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Key changed |
|---|---|---|
| @alao | 2016-07-11 15:50:06 | 2017-06-11 17:44:57 |
| @saramiller | 2016-09-14 20:54:27 | 2017-06-07 17:26:06 |
| @mrgreen | 2016-10-01 11:19:33 | 2017-06-12 13:48:36 |
| @lichtblick | 2016-10-10 05:48:15 | 2017-06-07 15:43:03 |
| @tomino | 2016-10-27 10:55:51 | 2017-06-12 16:17:27 |
| @trump | 2016-12-19 02:05:45 | 2017-06-08 12:40:15 |
| @marionjoe | 2017-03-23 12:23:36 | 2017-06-11 15:08:48 |
| @steemshop | 2017-04-22 02:28:21 | 2017-06-09 10:52:54 |
| @kingofdew | 2017-05-07 21:50:09 | 2017-06-12 13:48:36 |
| @worldclassplayer | 2017-05-09 09:08:39 | 2017-06-10 22:49:18 |
| @wthomas | 2017-05-24 21:57:30 | 2017-06-07 21:01:03 |
| @golgappas | 2017-06-05 17:12:30 | 2017-06-09 17:01:57 |

Table sorted in ascending order of key changed after:

| User | Times used | Key changed after |
|---|---|---|
| @golgappas | 5 | 3 d 23 h 49 min 27 s |
| @wthomas | 1 | 13 d 23 h 3 min 33 s |
| @worldclassplayer | 5 | 32 d 13 h 40 min 39 s |
| @kingofdew | 7 | 35 d 15 h 58 min 27 s |
| @steemshop | 1 | 48 d 8 h 24 min 33 s |
| @marionjoe | 4 | 80 d 2 h 45 min 12 s |
| @trump | 1 | 171 d 10 h 34 min 30 s |
| @tomino | 1 | 228 d 5 h 21 min 36 s |
| @lichtblick | 15 | 240 d 9 h 54 min 48 s |
| @mrgreen | 2 | 254 d 2 h 29 min 3 s |
| @saramiller | 1 | 265 d 20 h 31 min 39 s |
| @alao | 1 | 335 d 1 h 54 min 51 s |

Posted after POST and changed after POST

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Key changed |
|---|---|---|
| @deividas | 2017-06-10 00:19:15 | 2017-06-10 21:41:24 |
| @lulzim | 2017-06-11 14:22:00 | 2017-06-11 15:08:48 |
@lulzim2017-06-11 14:22:002017-06-11 15:08:48

Table sorted in ascending order of key changed after:

| User | Times used | Key changed after |
|---|---|---|
| @lulzim | 3 | 46 min 48 s |
| @deividas | 3 | 21 h 22 min 9 s |

Posted before POST and not changed

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Times used |
|---|---|---|
| @onighost | 2016-07-09 22:17:36 | 4 |
| @kakradetome | 2016-07-13 23:45:09 | 11 |
| @vovaha | 2016-07-15 21:59:48 | 1 |
| @niliano | 2016-07-19 12:16:45 | 2 |
| @farinspace | 2016-07-19 14:02:24 | 1 |
| @francoisstrydom | 2016-07-19 14:17:33 | 2 |
| @qamarpinkpanda | 2016-07-29 14:12:09 | 1 |
| @pinkisland | 2016-07-29 14:18:15 | 2 |
| @romanskv | 2016-08-06 23:53:30 | 1 |
| @slimjim | 2016-08-07 19:12:00 | 1 |
| @malyshew1973 | 2016-08-08 01:13:39 | 1 |
| @athleteyoga | 2016-08-11 02:28:12 | 11 |
| @murat | 2016-08-12 08:34:45 | 1 |
| @rawmeen | 2016-08-13 08:57:00 | 4 |
| @tee-em | 2016-08-20 19:30:45 | 2 |
| @smisi | 2016-08-22 13:16:03 | 3 |
| @lostnuggett | 2016-08-23 16:21:15 | 2 |
| @dollarvigilante | 2016-08-31 02:10:45 | 10 |
| @cryptoeasy | 2016-09-07 10:54:00 | 1 |
| @iaco | 2016-09-28 17:59:18 | 1 |
| @richarddean | 2016-10-27 13:33:24 | 1 |
| @leesmoketree | 2016-11-11 21:42:54 | 37 |
| @luani | 2016-12-12 02:48:15 | 1 |
| @nikolad | 2017-01-21 09:57:00 | 2 |
| @colombiana | 2017-03-20 17:14:39 | 1 |
| @beeridiculous | 2017-03-22 09:01:21 | 1 |
| @norbu | 2017-04-03 10:44:24 | 3 |
| @inphinitbit | 2017-04-18 06:27:24 | 2 |
| @maxfuchs | 2017-04-18 15:34:48 | 1 |
| @sraseef | 2017-05-02 18:17:45 | 1 |
| @surpriseattack | 2017-05-09 05:22:03 | 1 |
| @churchsoftware | 2017-05-10 21:19:48 | 1 |
| @thunderberry | 2017-05-11 19:03:15 | 2 |
| @hithere | 2017-05-14 11:09:21 | 3 |
| @walcot | 2017-05-14 19:17:36 | 2 |
| @bryguy | 2017-05-17 06:34:48 | 2 |
| @mama-c | 2017-05-18 17:26:45 | 1 |
| @blockiechain | 2017-05-19 02:42:33 | 1 |
| @theofphotography | 2017-05-20 10:46:36 | 2 |
| @writemore | 2017-05-20 16:55:12 | 1 |
| @nathanhollis | 2017-05-22 15:51:33 | 3 |
| @jellos | 2017-05-26 08:35:45 | 2 |
| @coincravings | 2017-05-29 09:36:51 | 2 |
| @chuckles | 2017-05-29 10:39:57 | 1 |
| @amrsaeed | 2017-05-31 18:10:15 | 1 |
| @dethie | 2017-06-03 03:42:51 | 1 |
| @goldrush | 2017-06-03 10:10:00 | 2 |
| @bloodhound | 2017-06-03 16:33:45 | 2 |
| @datkrazykid | 2017-06-04 04:08:42 | 1 |
| @mkultra87f | 2017-06-06 14:21:00 | 1 |
| @lopezro | 2017-06-06 17:32:03 | 1 |

Posted after POST and not changed

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Times used |
|---|---|---|
| @cryptowaffles | 2017-06-07 19:12:39 | 1 |
| @webwizards | 2017-06-09 12:00:09 | 1 |
| @bitlamb | 2017-06-10 12:07:00 | 1 |
| @aresmari | 2017-06-10 17:10:33 | 1 |
| @dancingstar | 2017-06-11 01:37:03 | 1 |
| @dattabitcoin | 2017-06-13 02:50:42 | 1 |
| @wakeupworldnews | 2017-06-15 12:39:06 | 1 |
| @gbonikz | 2017-06-15 14:50:21 | 2 |
| @chrizbiz | 2017-06-15 20:16:12 | 1 |
| @gary911 | 2017-06-16 05:36:45 | 1 |
| @hingedthomas | 2017-06-16 11:07:39 | 2 |
| @edie84 | 2017-06-16 13:38:36 | 1 |
| @brandonas | 2017-06-16 14:08:03 | 2 |
| @imccormick82 | 2017-06-16 15:24:03 | 1 |
| @marshallevans | 2017-06-16 20:13:12 | 5 |
| @rottdean2 | 2017-06-16 21:43:12 | 1 |
| @sandman1923 | 2017-06-16 22:31:24 | 1 |
| @cwrz1976 | 2017-06-17 02:55:09 | 3 |
| @murtazasyedm | 2017-06-17 18:37:42 | 2 |
| @elfictron | 2017-06-18 14:02:36 | 2 |
| @big-ginger-fuck | 2017-06-18 23:30:57 | 2 |
| @acarl211 | 2017-06-19 02:52:06 | 2 |
| @neilism | 2017-06-19 02:56:33 | 1 |
| @d-pend | 2017-06-19 17:27:12 | 2 |

Can I help?

After publishing this post I’m going to send every user whose key is still not changed a minimal SBD transfer with a link to this text and the message CHANGE YOUR PASSWORD. I hope this will work and at least some of those users will change their keys.

I’m going to keep an eye on key updates, and after a week or two the data will be gathered again to create new statistics.

What is Memo?

But there is also a second issue that I would like to talk about: public keys, and how users habitually paste them in the wrong places. By wrong places I mean mostly Memo Fields when withdrawing Steem and SBD from markets to Steemit.

I’m going to use Bittrex as an example. I was sending 1 SBD to my Steemit account.

And I received it like this (problem with apostrophe):

I did it to show you that every Memo Field is public. All that info can be found in your Wallet. If you write something in the Memo Field during a transfer from a market to Steemit, it will stay in the blockchain forever. And sooner or later somebody is going to see it and maybe even use it against you.

BECAUSE MEMO FIELD IS NOT THE SAME AS MEMO KEY.

The Memo Field is a place for any information you want. It’s a place to write something like My daily update 2017-06-21 or Gift from aunt Betty. This field is for you.

All keys can be found in your Wallet, under Permissions. Those long strings of characters should stay in that place if you don’t know what you can do with them. And the Memo key, as you can see there, is used to create and read memos.

Public keys

I’m talking about all of this because if somebody has used a public key in the Memo Field at least once, there is a possibility that next time the user will paste a private key by mistake. And that’s not good.
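A pre-send check for exactly this mistake, as an added example (not code from this post or from any Steem wallet): it recognises the two key shapes a Steem user might paste into a memo, a 51-character WIF private key starting with '5' (checksum verified) and a 53-character "STM" public key, so a wallet or script can refuse the transfer before the memo reaches the blockchain. The sample keys are constructed throwaways, and the public-key check only validates the shape, not the RIPEMD-160 checksum.

```python
import hashlib
import re
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # alphabet used by WIF and STM keys
def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()
def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def make_wif(secret: bytes) -> str:
    # WIF = base58(0x80 || 32-byte secret || 4-byte SHA256d checksum); used here only for a throwaway sample.
    return b58encode(b"\x80" + secret + sha256d(b"\x80" + secret)[:4])

def is_wif_private_key(token: str) -> bool:
    # A Steem private key (the memo key included) is a 51-character WIF string starting with '5'.
    try:
        raw = b58decode(token) if len(token) == 51 and token[0] == "5" else b""
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and sha256d(raw[:-4])[:4] == raw[-4:]

def is_steem_public_key(token: str) -> bool:
    # A public key is "STM" + base58(33-byte compressed point || 4-byte RIPEMD-160 checksum), 53 characters.
    # Shape only: the RIPEMD-160 checksum is not verified because hashlib lacks it on some platforms.
    try:
        raw = b58decode(token[3:]) if len(token) == 53 and token.startswith("STM") else b""
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] in (2, 3)

def find_keys_in_memo(memo: str) -> list:
    # (kind, token) for every key-shaped string in a memo; a wallet can refuse to send while this is non-empty.
    found = []
    for token in re.findall(r"[1-9A-HJ-NP-Za-km-z]{51,53}", memo):
        kind = "private" if is_wif_private_key(token) else "public" if is_steem_public_key(token) else None
        if kind:
            found.append((kind, token))
    return found

# Constructed throwaway samples, not real keys: a WIF from a dummy secret and a public-key-shaped string.
SAMPLE_PRIVATE = make_wif(b"\x01" * 32)
SAMPLE_PUBLIC = "STM" + b58encode(b"\x02" + b"\x11" * 32 + b"\x00" * 4)
```

A memo like "Gift from aunt Betty" yields no findings; a memo carrying either sample key is flagged with its kind, and a private key with a single corrupted character fails the checksum and is not mistaken for a valid one.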

There are a lot of tutorials on Steemit with incorrect information. People read them and make the same mistakes. Here are some of the most popular posts that can be found using Google:

Do you know how many users used a public key at least once to transfer Steem and SBD?

| Transfers from | Number of users |
|---|---|
| @bittrex | 743 |
| @blocktrades | 13 |
| @changelly | 46 |
| @freewallet | 18 |
| @openledger | 19 |
| @poloniex | 1053 |

A lot of them. And there are more than 300 such transfers between users!

The best part - many people, after their first transfer with a public key, assume it’s the only right way and duplicate this error over and over again.

And here come the bigger numbers:

| Public keys used | Users |
|---|---|
| 14 times | 6 users |
| 13 times | 6 users |
| 12 times | 11 users |
| 11 times | 6 users |
| 10 times | 17 users |
| 9 times | 18 users |
| 8 times | 29 users |
| 7 times | 36 users |
| 6 times | 53 users |
| 5 times | 64 users |
| 4 times | 88 users |
| 3 times | 198 users |
| 2 times | 454 users |
| 1 time | 620 users |

THIS IS THE FULL BLACK LIST: IF YOU CAN FIND YOURSELF ON IT THEN YOU COULD BE THE ONE WHO POSTS A PRIVATE KEY INSTEAD - REMEMBER THAT!

If you want to know more about public and private KEYS on Steemit - look at @noisy’s profile.

If you like this text - please follow me!


Good job !

Just received your warning in my wallet, will send you some steem back as appreciation! Thanks buddy!!!

Thanks! And watch out in future :)

You listed me, but I have never transferred with MY memo key, only the one provided by an exchange. Don't care about that one, that's their problem.

(I did use my memo key a long time ago, but it was pointed out to me then not to do that and I changed the key asap).

You have used your private memo key 8 times before changing it (9 d 0 h 0 min 6 s after first time used).

Yeah that should be from many months ago. It was @anyx who brought it to my attention that this was something I should not use.

Awesome post and great you have alerted the compromised accounts.

Much love man, thank u


I respect so much, man.

Hi, I did change it the same day that I used it, thanks anyway for the info!

Thank you very much. I got your message and changed it. God bless and take care 😊

I see lot of work you put in this post.
Thanks for the info, and for the reminder of how important keys are.

Nice! I made the "most compromised public memo key list" woot! woot! Nice to be number one at something, LOL. ;)

Thanks for the good information! This subject is confusing. I'm not particularly worried in my case since the memo field is not used by much yet and all the memos are publicly available at this point. However, if the private key was compromised I would be more concerned.

My memo's aren't particularly juicy or interesting but now that I know this information perhaps I can get a bit more creative with them.

But if there (Settings, Permissions) were, in some mysterious way, a private key instead of a public one, would you see that when copying and pasting?

Man, I really appreciate this information. The only thing I'm a bit confused about is how to change the keys? I only see an option to change the master key (password), or does that change all of the keys?

Also I'm assuming from this post that you don't recommend using any of the automation services like Streemian that require your key permissions to operate?

Again, thanks for the valuable information.

If you change the master key, all others would be changed as well.

You can use other Steem Aps and your key to log in, but don't put it anywhere where it will become public.

Ok. I'm really grateful to know this information. I am four days here on Steemit and I read one of those incorrect guides that you listed above saying to paste the private memo key in the transfer. Have you talked to the creators of those tutorials? They're quite harmful for newbies that don't know any better, and I bet the authors would edit their posts if you reached out to them. Thanks for looking out for other Steemians my friend

Thank you very much. I was not aware of it. Changed the password, does something else need to be done?

Nope, that's all.

Thank you)

Thanks @lukmarcus for this article. I think I read one of those Steemit articles you listed and I thought I was doing my transfers into Steemit correctly. Thanks for enlightening us on the fact that the Memo field is a note field, not a field for my Memo Key. Keep up the good work!!

The NSFW setting is stored in Local Storage of web browser. This way I can have it enabled at home and disabled at work. That's nice :)


What's wrong with using public keys? Aren't public keys already available to the public?

They are available to the public, yes, but most people simply paste them into the MEMO field without thinking, and if it were a private key, they would paste it just the same.

True that! I was talking to someone who had pasted the public memo key into the memo field and when I told her why did you do that? She said she wasn't sure and she was going to paste the private memo key at first. To be honest, I think the dev team here is to be blamed. Why choose the same name, that is "memo" for two completely different fields? One that is public and one that is meant to be private?