IMPORTANT !!! Vulnerability in password protection for accounts by smi

vulnerability · @smi · Mar 13 '17 (edited)

$3.56

IMPORTANT !!! Vulnerability in password protection for accounts

It is necessary 30-day notice is required on the steemit.com website when the recovery-account is changed, for example, the red text in the profile "your recovery-account  has been changed, if it was not you, then your password was compromised, change the password and change the recovery-account"

I think it's not difficult to do, do not even need to edit the blockchain.

Because if an attacker steals your password, he will change your recovery-account. You will not know about it. After 30 days, the attacker will steal the account. And you can never restore it. It's worse than on facebook.

I have already told golos.io about this vulnerability and it will be fixed.
I apologize for my bad English, my telegram `@dikanevn`
http://elizabethcorreia.com/newsite/wp-content/uploads/2016/12/Vulnerability-.jpg

@abit @furion I do not know who else to note

👍 liondani, tamim, pfunk, thecryptofiend, abit, roelandp, lukestokes, hanshotfirst, twinner, tuck-fheman, timcliff, shaka, wang, dwinblood, kenny-crane, fyrstikken, heiditravels, good-karma, gargon, pgarcgo, titusfrost, renzoarg, albertogm, steempire, elyaque, franks, jacobtothe, pollux.one, ocrdu, jgcastrillo19, steemperor, remlaps, stranger27, wartrapa, titin, beers, uwelang, freiheit50, runridefly, ksena, animal-shelter, emilhoch, filotasriza3, juanmiguelsalas, ivan-perez-anies, proctologic, len.george, ipumba, aniestudio, wagnertamanaha, pairmike, ambyr00, sqube, luisucv34, karenmckersie, michaellamden68, gomeravibz, ogochukwu, jamesjarman, barrydutton, richardcrill, giantbear, ubg, bellastella, and 53 others

`post_id`	2,141,034
`author`	smi
`permlink`	important-vulnerability-in-password-protection-for-accounts
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "format": "markdown", "users": ["abit", "furion"], "image": ["http://elizabethcorreia.com/newsite/wp-content/uploads/2016/12/Vulnerability-.jpg"], "tags": ["vulnerability", "steem", "steemit", "security"]}"
`created`	2017-03-13 20:54:15
`last_update`	2017-03-13 21:10:00
`depth`	0
`children`	8
`net_rshares`	9,008,641,488,950
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	2.749 SBD
`curator_payout_value`	0.812 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.001 SBD
`body_length`	857
`author_reputation`	427,672,289,026
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000
`author_curate_reward`	""

properties (23)vote details (117)

voter	rshares	pct
abit	621,384,886,201	1%
liondani	1,964,868,117,314	100%
wang	154,053,254,975	1%
pfunk	953,352,591,031	100%
pairmike	3,737,958,176	1%
proctologic	4,028,992,676	1%
abcd	87,932,371	1%
tuck-fheman	308,355,884,506	100%
konelectric	510,228,537	1%
brindleswan	684,788,818	2.29%
ivan-perez-anies	5,939,639,341	25%
forrestwillie	597,908,215	1%
thecryptofiend	753,754,489,073	100%
juanmiguelsalas	6,384,807,170	25%
kenny-crane	117,930,029,354	100%
andrei	242,328,966	1%
albertogm	31,851,397,475	100%
lukestokes	487,383,116,040	100%
fyrstikken	105,074,990,237	5%
grey580	374,687,458	1%
michaellamden68	1,946,805,952	100%
heiditravels	102,883,539,987	25%
good-karma	85,691,029,823	23%
roelandp	496,253,121,697	100%
stranger27	12,861,313,137	100%
elyaque	30,519,876,505	25%
jamesjarman	1,705,888,096	1%
dwinblood	129,163,157,037	100%
juvyjabian	782,209,269	1%
karenmckersie	2,161,992,189	1%
luisucv34	2,578,125,752	25%
rouketas	58,836,887	100%
ubg	1,178,100,212	3%
mysteem	633,958,275	23%
happyphoenix	141,993,668	4.59%
emilhoch	6,975,484,296	100%
remlaps	14,557,014,549	100%
shaka	173,347,448,111	25%
dirty.hera	55,791,181	23%
gomeravibz	1,766,167,983	1%
twinner	358,007,951,186	25%
timcliff	183,661,870,547	100%
timelapse	463,275,835	1%
ipumba	3,846,353,350	100%
gargon	48,962,722,819	25%
pgarcgo	38,162,259,609	25%
wartrapa	12,810,511,491	25%
darthnava	418,893,272	1%
hanshotfirst	469,642,273,312	100%
matrixdweller	450,140,231	1%
demo	81,487,806	23%
albagargon	216,809,494	25%
lasseehlers	355,163,286	1%
franks	27,508,956,720	100%
runridefly	7,240,094,662	14%
barrydutton	1,693,364,851	1%
pollux.one	21,345,826,806	25%
steemitguide	589,822,942	1%
uwelang	8,964,547,907	20%
richardcrill	1,458,102,085	1%
titin	12,289,359,267	25%
ksena	7,149,805,375	100%
smi	161,484,243	100%
titusfrost	38,045,253,847	100%
jacobtothe	22,597,169,356	100%
renzoarg	35,565,039,791	100%
finleyexp	173,405,904	23%
patelincho	222,275,614	1%
feruz	80,642,346	23%
jgcastrillo19	19,337,869,837	25%
juliamateo	586,059,974	25%
ocrdu	20,899,612,246	50%
teo	805,258,783	25%
surpassinggoogle	334,384,361	1%
dianargenti	208,213,359	1%
alfredozofio	832,043,637	25%
freiheit50	8,582,340,459	25%
beers	10,995,883,166	25%
dulcinea	1,104,233,320	25%
giantbear	1,309,380,539	1%
stray	443,402,573	1%
daisyd	326,220,045	1%
sqube	2,976,473,829	1%
whatageek	900,358,574	1%
esteemapp	83,729,165	23%
wagnertamanaha	3,750,475,341	100%
steemperor	17,464,207,680	25%
steempire	31,109,605,808	25%
reisman	486,552,503	23%
bellastella	1,143,048,437	25%
aniestudio	3,792,311,939	25%
seablue	1,025,242,072	1%
meysam	555,394,443	1%
tamersameeh	590,074,742	100%
driptorchpress	86,895,212	1%
roma-nt	182,168,276	23%
tamim	963,729,919,169	25%
steemcenterwiki	525,786,792	100%
loreennaa	733,615,903	25%
thedeplorable1	635,940,779	1%
bounties	154,843,184	23%
steempoll	117,060,932	23%
ogochukwu	1,751,586,299	23%
len.george	4,018,777,988	100%
denmarkguy	495,631,175	1%
mestyz	60,777,706	100%
animal-shelter	6,999,833,473	100%
filotasriza3	6,802,987,320	100%
cwatch	115,282,287	1%
ambyr00	3,016,432,704	23%
teacher	65,683,108	25%
evildeathcore	147,265,630	23%
misalen	562,473,768	100%
mycryptomark	60,659,981	1%
fluffybunny	368,476,103	100%
toxicftw	50,977,583	100%
taz77	291,290,252	100%

@abit · Mar 13 '17

$0.02

Good point.

👍 furion, seraph, afew, smi, alittle, wordsword
👎 htooms

`post_id`	2,141,595
`author`	abit
`permlink`	re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t221033371z
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "tags": ["vulnerability"]}"
`created`	2017-03-13 22:11:36
`last_update`	2017-03-13 22:11:36
`depth`	1
`children`	1
`net_rshares`	183,790,440,461
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.021 SBD
`curator_payout_value`	0.001 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	11
`author_reputation`	111,629,191,115,088
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000
`author_curate_reward`	""

properties (23)vote details (7)

voter	rshares	pct
afew	4,028,565,025	10%
alittle	156,019,344	20%
furion	282,938,632,957	100%
seraph	4,679,027,776	100%
smi	161,484,243	100%
wordsword	0	0%
htooms	-108,173,288,884	-100%

@jacobtothe · Mar 13 '17 (edited)

What do you know. There is an active user behind the flags.

Would you be willing to un-flag my posts please?

👍 steemitqa, steemspeak

`post_id`	2,141,765
`author`	jacobtothe
`permlink`	re-abit-re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t223450423z
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "tags": ["vulnerability"]}"
`created`	2017-03-13 22:34:54
`last_update`	2017-03-13 23:00:15
`depth`	2
`children`	0
`net_rshares`	376,139,834
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	109
`author_reputation`	124,292,362,915,131
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
steemitqa	0 B		196,866,346	1%
steemspeak	0 B		179,273,488	0.01%

@furion · Mar 13 '17 (edited)

afaik, there is an email notification service in development that will address this and other cases.

Thank you for bringing it up.

👍 smi

`post_id`	2,141,688
`author`	furion
`permlink`	re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t222508750z
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "tags": ["vulnerability"]}"
`created`	2017-03-13 22:25:09
`last_update`	2017-03-13 22:27:42
`depth`	1
`children`	5
`net_rshares`	161,484,243
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	131
`author_reputation`	116,591,440,117,983
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
smi	0 B		161,484,243	100%

@hanshotfirst · Mar 13 '17

Hi. I am not sure how to tell if there is a problem. I went to "stolen account recovery". If all is well, what message will I see there?

Thank you

👍 steemspeak, smi

`post_id`	2,141,715
`author`	hanshotfirst
`permlink`	re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t222852796z
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "tags": ["vulnerability"]}"
`created`	2017-03-13 22:28:51
`last_update`	2017-03-13 22:28:51
`depth`	2
`children`	1
`net_rshares`	340,757,731
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	147
`author_reputation`	503,758,308,712,084
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
smi	0 B		161,484,243	100%
steemspeak	0 B		179,273,488	0.01%

@smi · Mar 13 '17

Your Recovery account	- steem. All is well. https://steemd.com/@hanshotfirst

properties (22)

`post_id`	2,141,772
`author`	smi
`permlink`	re-hanshotfirst-re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t223612657z
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "links": ["https://steemd.com/@hanshotfirst"], "tags": ["vulnerability"]}"
`created`	2017-03-13 22:36:12
`last_update`	2017-03-13 22:36:12
`depth`	3
`children`	0
`net_rshares`	0
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	76
`author_reputation`	427,672,289,026
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000

@pfunk · Mar 14 '17

A message/alert on Steemit itself, in addition to an email, would be a good measure. I think a lot of people use application-specific email addresses to register on Steemit and probably don't check them often or at all.

👍 smi

`post_id`	2,143,619
`author`	pfunk
`permlink`	re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170314t042721713z
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "tags": ["vulnerability"]}"
`created`	2017-03-14 04:27:24
`last_update`	2017-03-14 04:27:24
`depth`	2
`children`	2
`net_rshares`	161,484,243
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	219
`author_reputation`	208,395,764,935,287
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
smi	0 B		161,484,243	100%

@furion · Mar 14 '17

Good point.

properties (22)

`post_id`	2,144,528
`author`	furion
`permlink`	re-pfunk-re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170314t081718981z
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "tags": ["vulnerability"]}"
`created`	2017-03-14 08:17:18
`last_update`	2017-03-14 08:17:18
`depth`	3
`children`	0
`net_rshares`	0
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	11
`author_reputation`	116,591,440,117,983
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000

@renzoarg · Mar 15 '17

E-mail is an already archaic technology. What about people that used disposable e-mails? (It turns out that cryptoenthusiasts are also fanatics of never disclosing personal data to anyone).

Perhaps using a signed message from another key could be used (a configurable bitcoin wallet, perhaps?)
<blockquote>To change (whatever), please sign this message with (BTC address; that should also require a signed message to be changed):<br />
<blockquote>"Change the data of my account: TIMESTAMP"</blockquote></blockquote>

properties (22)

`post_id`	2,151,770
`author`	renzoarg
`permlink`	re-pfunk-re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170315t071601388z
`category`	vulnerability
`json_metadata`	"{"app": "steemit/0.1", "tags": ["vulnerability"]}"
`created`	2017-03-15 07:16:03
`last_update`	2017-03-15 07:16:03
`depth`	3
`children`	0
`net_rshares`	0
`last_payout`	2017-04-14 04:03:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	517
`author_reputation`	62,934,514,884,081
`root_title`	"IMPORTANT !!! Vulnerability in password protection for accounts"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000