Moments ago I changed the owner/active/posting/memo keys of ~500 Steem accounts.
I changed their keys to Steemit's key so Steemit can allow these users to regain access via the recovery mechanism they established.
I was able to do this because I was able to guess these account's passwords.
I was able to guess their passwords because of what I would argue is a flaw in Steem's UI. Specifically, it currently allows users-chosen passwords by default. In most applications user-chosen password are not problematic. However, they are problematic in this use-case because a scrambled form of each user's password must be stored on Steem's public blockchain meaning anyone with a copy of the blockchain can mount a large-scale offline dictionary attack to recover them. Research as well as real-world precedent has repeatedly shown that a non-trivial fraction of users are incapable of choosing passwords resistent to offline-attack even when password complexity requirements are enforced.
Forcing machine-generated passwords in the UI for owner/active keys would be one possible step towards mitigation. I'm aware of the usability counter-argument to this suggestion. However, consider that my effort expended ~1 USD of computing resources and ended up recovering the credentials of accounts with liquid assets valued in the thousands and semi-liquid assets (SP) in the tens of thousands. Given this fact, it would be hopelessly naive to assume offline attacks will not be attempted in the future at much greater scale and by totally bad actors.
I invite others with constructive mitigation ideas to share them.
One futher point, unless explicitly invited by Steemit, I will not attempt any future white hat shenanigans. My motivation was to alert this community to a genuine danger and do so in manner that hopefully leaves a more lasting impression than yet another "how to pick a strong password" snorefest post.
Yup, this is exactly what I have been shouting about for weeks now and expected would eventually happen. I am happy that you are a white hat and didn't take control of the accounts for yourself to profit from.
I believe it is better to push away new users with less user friendly registration (that forces them to use a randomly generated key that they must store securely and use password managers to manage) than to bring them aboard easily only to completely piss them off when their account or funds are stolen [1]. It is our job to make it as user-friendly as possible and to provide great resources educating users how to generate and manage random high-entropy passwords. But I don't agree with compromising their security because it is "too hard" and we don't want to lose them as new users.
[1] Although the new recovery feature allows them to get their account back. Most funds are usually locked in the time-locked Steem Power, so hopefully not too much financial damage would be done by the time they recover their account. And there are plans for a user opt-in and configurable time-locked savings account to even protect their more liquid STEEM and Steem Dollar funds from being stolen by hackers assuming they recover their account in a few days.
… we are in needs of a bug bounty program with high rewards, that people are happy to publish the flaws, instead of misusing them for the own profit in the short run! Thank you for being honest and alarming the devs and community - and not run with the money …!
Chapeau !
and tipping is always an option as well - thx again!
I WILL donate/contribute my rewards gotten out of my comments here @robinhood as well, and you guys here should considering to do this as well...if everybody here WILL doing this i'd double the comment payment amount to donate out of my pockets again!
@cass - the largest flaw now in my opinion is that overgrowing "tag-spamming" people do. When you have for example in top 12 of "marijuana" topic just 3 related ones the platform has a massive problem. This get worse hour by our and people tag nearly all their posts wrong.
@wackou - thanks for your upvote... I wrote a article today of the topic. It would be a real interesting thing what a whale (like you) say to the actual situation as you too think tag-spam get a real pain. Would be great to get some words from you:
https://steemit.com/money/@hastla/why-whales-and-dolphins-have-to-start-work-for-steemit-or-lose-their-whole-investment
Happy to introduce anyone to Jacob at Cobalt - best bug bounties with a specialization in cryptocurrency companies.
first official STEEM LOTTERY https://steemit.com/lottery/@willytrader/first-official-steem-lottery
This is someting i'm really concerned about arhag, do you have any information i can use at the moment to protect myself further?
I do actually. I just wrote this post about the importance of using password managers.
Thank you arhag, I had a look and have infact been using lastpass, but i've found a few issues it seems to be interfering with things, for example on bittrex it keeps trying to autocomplete the boxes in which I write trade values, so I had to turn it off. do you know any work around for this or perhaps an alternative? cheers.
I don't use LastPass so I can't give you specific instructions. But you should be able to disable its autofill functionality on specific websites that it has trouble with, while still taking advantage of it on nearly every other website. It may also be possible to manually fix the issue specifically for the Bittrex site so that you can even still use autofill on its website without having LastPass autofill in the wrong boxes.
This link may be helpful:
https://lastpass.com/support.php?cmd=getfeaturefaq&feature=feataure_4
Amazing work and really making a difference in how we all move forward in the world.
hi @arhag, please check my latest post out. I wrote it to you and the other whales. Maybe you will agree with it :)
https://steemit.com/steemit/@steemitpolitics/6rqxnc-to-the-whales-get-your-head-out-of-your-ass-and-vote-good-content-up-you-are-harming-steemit
I will upvote every White Hat hackers post that will help us secure more our platform! And I hope that will give them the motivation to continue working for our security!
Upvoting for visibility (and the Spaceballs reference), but not without much conflict. More people need to understand how serious password security is and the need for a good password manager. At the same time, I don't want to condone grey hat activity.
There were other ways to handle this that would have been true white hat. You could have checked those 500~ passwords, verified them, and then contacted the Steemit team privately. I've been posting in the Slack channel about the need for a private bug bounty program like Bugcrowd for exactly that purpose. There should also be an easy to find ethical disclosure procedure.
In this case, however, was it really Steemit's fault or a PEBKEC (Problem Exists Between Keyboard and Chair)? All attempts at creating idiot proof software fail as better idiots are produced.
I hope you can work with the Steemit team in an ethical manner in the future. I know I'm coming across as judgemental here, and it's possible you actually saved a lot of people from a lot of trouble. It still just feels wrong. Either way, I wouldn't want to get on your bad side. :)
I don't fault the OP. This is a classic scenario where you don't fully comprehend the gravity unless it happens. I also like the fact that the OP is being financially compensated for his discovery. I hired my first CTO after he rooted our mail server!
You might be right, Bill. I guess I'm just much more comfortable with white hat activities. We use BugCrowd for FoxyCart and have been very happy with the professionalism and ethics of those involved. When something is exposed (thankfully it's almost always some third party system outside of our PCI environment), it's hard not to take it very seriously. From what I've seen of the team here so far, I think they would have taken a white hat approach seriously also. But... maybe not. As I said, whether or not I like it, this approach may have saved quite a few people from even more frustration.
can you get in touch with me on the slack channel?
(my name there is also liondani)
It is about a steemit user they "lost" his owner key and needs desperately help @tonyson (lost owner key) now he posts under his new account @hien-tran read his post about the "hack" https://steemit.com/steemit/@hien-tran/i-wonder-if-you-could-help-me-with-my-account
co-founder of steemit @ned encouraged him to get in touch with you and that was a great idea in my opinion (I don't know if the reached already to you,his English are poor) I will appreciate it very much if you helped him "recover" his keys.... It is obvious that the funds he has lost are significant for him (he lives with his little Son in Vietnam).... I can Imagine it will change his life if he can have access to his funds! Thanks in advance and please make a post about it so we can tip you for helping a dedicated community member. Thanks
Sorry but I can't help this user - I checked my logs and @tonyson was not one of the accounts that I updated.
The accounts I updated had their keys changed to either
STM7kyb6WK6Sg9Eu4uu7WGqjYdqJzdBeKEWVDaDEKsgvhvESJZ1vM
orSTM65wH1LZ7BfSHcK69SShnqCAH5xdoSZpGkUjmzHJ5GCuxEK9V5G
which are the owner keys for @steemit and @steemit3 respectively.robinhood, can you send me an email ned at steemit dot com
Sure. Sent you a message a moment ago. May hit your spam folder since it just said "hi".
I can say nothing here except thank you! This really should be the most upvoted topic of the day. Here's an upvote from me!
Nice job and thanks!
Hm. I vote that you continue to do this and make posts about how you did it, and what recommendations you made.
I promise I will upvote you every time I see it :P
You're the first white hat I've seeing doing these sorts of white hat things in crypto since I got in the game a year ago!
Thank for a great whitehat hack @robinhood
People need to READ THIS AND TAKE SECURITY SERIOUSLY!!!!
https://steemit.com/steemit/@fyrstikken/steemit-security-exchanges-and-why-by-a-guy-that-has-been-in-crypto-since-2009-new-people-read-this-now
That's pretty terrifying, and it's a good job that you posted this... It hadn't occurred that of course hashed passwords are going to be freely available offline because in using a web UI you're used to the assumptions of a traditional web model.
Good on you (assuming you did what you said) for just reassigning back to Steemit. Sounds like we do really need 2FA or generated only passwords... It's a shame that browser tooling around SSL client certs is so user unfriendly, having a client cert as a per-browser alternative to the generated password would be a good way of removing the usability barrier. Users would obviously still have to store their password but they could use the installed client cert for day-to-day auth and just use the password for requesting new certs for new devices.
This is why I proposed 2FA. I understand 2FA is hard to implement on the blockchain but as the saying goes "when there is a will there is a way". I feel very unsafe on this platform without 2FA. Please read this https://steemit.com/steemit/@domavila/two-factor-authentication-and-why-we-need-it-now
Very interesting, so is this just a problem with user-generated passwords?
Thanks
CG
I dug into the code for the "suggest password" option Steem provides at signup and as far as I could tell the logic there was 100% kosher.
what does that mean? Was it good?
Yes.
100% kosher = Good
thats a both sided sword. users either wont be able to registr or will loose keys and loose money anyways.
the only way i see is 2FA, still complex but most frienldy from all of this
wow! so basically you hacked 500 accounts and gave the keys back to steemit!?
well good job!
WHY DON'T WE HAVE GOOGLE AUTHENTICATORS?
hopefully leaves a more lasting impression than yet another
The SpaceBalls is the my favorite movie :)
Hopefully steemit will realize this is something of HIGH relevance and importance, since most of the people don't know how to pick passwords (and most of those also use the same password for many identities: mail, facebook, and more). Thanks for your post, very appreciated!
upvote back the ones that upvote you
im actually kind of suprised. When they said that the hacker had private keys, i was thinking he could hashcat them to get passwords... but i figured with 16 characters that would take an unreasonable amount of time.
I figured with a 16 digit password even the weakest passwords would be relatively hard to guess... though i do support 2FA
I think this is probably good to get such simple things done during the child life of a crypto less we have a dao scandal on steem in a year. lol
Its a cool concept, but I'm sorry, I call BS.
I have looked at the code that handles hashing, salting and encrypting passwords before they are placed into the block chain and I can say with 99.5% certainty that you did not accomplish the hack you claim to have.
In theory it is possible, but the computational complexity of uncovering even 1 of the passwords from the blockchain would be more difficult that mining the largest amount held by any user on the block chain.
Sorry to hurt your feelings and call you out, but if you are to fool this community you are going to need to prove that you a. have the knowledge required to mount such a large scale offline attack, and b. you would have mentioned the actual difficulty of doing so.
They didn't claim to crack any hashing algorithm. A dictionary attack simply goes through a dictionary of possible passwords and tries each one until it finds a matching hash. Might want to reconsider that 0.5% chance.
Thanks, I guess?
i changed it now
Holy crap I'm glad you guys are a lot smarter than I am.
great to see someone getting on the topic and doing something about it, this was completely necessary
http://keepass.info/
Steemit will grow bigger as a community. And with monetary rewards involved, we should expect and, maybe even accept people with different views and beliefs and motives.
From this post, it might just spell the beginning for many exciting things to happen here. Wherever exists blackhats, we just pray hard more whitehats appear. With the increasing popularity, this community will definitely grow, and perhaps its a good sign that @robinhood is here, helping us in his own ways.
Even though, it indeed is wiser to leave the 'bad guys' to the 'cops'(devs), but i guess it doesn't suck if we have a @robinhood around that we can trust, as this community grows.
To the whitehats around!
@robinhood : you are just awesome. I cannot think about how much the steem community and especially the developers need to thank you. You are incredible. Thanks for that.
Anyone have a recommended method of machine-generating a password?
Thanks a lot for the words of advice. Namaste :)
Up vote for space balls photo
Keep up the good work!!
I'm glad you didn't do anything malicious with this great power. Key management when left to the general public is likely dangerous. Hopefully if they lose money once, they'll learn their lesson.
Do the new 32 chars password requirement will prevent any future dictionnary attack ?
Look at you, so young and carefree :-)
Amazing work and really making a difference in how we all move forward in the world.
Congratulations @robinhood! You received a personal award!
You can view your badges on your Steem Board and compare to others on the Steem Ranking
Vote for @Steemitboard as a witness to get one more award and increased upvotes!
TBH, i think this is a pretty shitty thing to do. It definitely isnt ethical hacking, and one can only hope that the owners pursue legal measures if your claims are true.
I agree with your point.. but i dont think you should be fucking with other peoples money to make it.
Sigmajin, based on this comment and your last, I'm not sure you 100% understand the situation.
OK, i was a little pissy bittrex is fucking with my money.
anyway
1 yeah, i get that the private key obviates the need for the password here... my concern at the time was that after the users got their accounts back, the hacker could take the key, work their way backward to the users password, then use that password to attack other accounts.
2 SO what happens if the value of their assets decreases by 50% while theyre messing around with password recovery?
3 You could have proved your point by contacting tptb with the password list. Or upvoting this post.. or running some kind of script to make them all post horse pornography every few hours until they changed their password.
I know if it happened to me, id be pissed (even though i dont keep a ton of money here)... i guess im not behind it but i realize it was well intentioned.
Also
yeah, dk if you saw my post pointing it out but i think the 7-14 attack came from @goodgame... the script he was using is still in all of his posts if its him, and the domain it was pinging (steemit.uk) was regged that day. https://steemit.com/doyourpart/@sigmajin/um-this-guy-is-trying-to-do-something-bad-right
I'm actually shocked by this. There is really no legal distinction between "white hats" and "black hats". Nobody gave "robinhood" permission to hack 500 Steemit accounts. "robinhood", in fact, did "take the money"... since only "robinhood" now has access to these funds.
Incorrect, as I stated in my post, I updated these accounts to Steemit's key (not my key) so only Steemit has access to the funds. This fact can be verified by inspecting the blockchain.
The hacker is a scumbag and should get his legs broken or worse. Quit treating him like a Knight in Shining armor.. He is nothing but lowlife gutter scum who caused a lot of people a lot of problems. Thou shall not steal. OP is nothing but an attention whore.
make sure everyone participates in the first steemit lottery
https://steemit.com/money/@nabilov/the-first-steem-lottery-hosted-by-member-nabilov#comments