A 30-day notice is needed on the steemit.com website when the recovery-account is changed, for example, red text in the profile: "Your recovery-account has been changed. If it was not you, then your password was compromised; change the password and change the recovery-account." I think it's not difficult to do; it does not even require editing the blockchain.

Because if an attacker steals your password, he will change your recovery-account. You will not know about it. After 30 days, the attacker will steal the account, and you can never restore it. It's worse than on Facebook.

I have already told golos.io about this vulnerability and it will be fixed.

I apologize for my bad English. My Telegram: `@dikanevn`

http://elizabethcorreia.com/newsite/wp-content/uploads/2016/12/Vulnerability-.jpg

@abit @furion I do not know who else to note.
post_id | 2,141,034 |
---|---|
author | smi |
permlink | important-vulnerability-in-password-protection-for-accounts |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "format": "markdown", "users": ["abit", "furion"], "image": ["http://elizabethcorreia.com/newsite/wp-content/uploads/2016/12/Vulnerability-.jpg"], "tags": ["vulnerability", "steem", "steemit", "security"]}" |
created | 2017-03-13 20:54:15 |
last_update | 2017-03-13 21:10:00 |
depth | 0 |
children | 8 |
net_rshares | 9,008,641,488,950 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 2.749 SBD |
curator_payout_value | 0.812 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.001 SBD |
body_length | 857 |
author_reputation | 427,672,289,026 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |
author_curate_reward | "" |
voter | weight | wgt% | rshares | pct | time |
---|---|---|---|---|---|
abit | 0 | 621,384,886,201 | 1% | ||
liondani | 0 | 1,964,868,117,314 | 100% | ||
wang | 0 | 154,053,254,975 | 1% | ||
pfunk | 0 | 953,352,591,031 | 100% | ||
pairmike | 0 | 3,737,958,176 | 1% | ||
proctologic | 0 | 4,028,992,676 | 1% | ||
abcd | 0 | 87,932,371 | 1% | ||
tuck-fheman | 0 | 308,355,884,506 | 100% | ||
konelectric | 0 | 510,228,537 | 1% | ||
brindleswan | 0 | 684,788,818 | 2.29% | ||
ivan-perez-anies | 0 | 5,939,639,341 | 25% | ||
forrestwillie | 0 | 597,908,215 | 1% | ||
thecryptofiend | 0 | 753,754,489,073 | 100% | ||
juanmiguelsalas | 0 | 6,384,807,170 | 25% | ||
kenny-crane | 0 | 117,930,029,354 | 100% | ||
andrei | 0 | 242,328,966 | 1% | ||
albertogm | 0 | 31,851,397,475 | 100% | ||
lukestokes | 0 | 487,383,116,040 | 100% | ||
fyrstikken | 0 | 105,074,990,237 | 5% | ||
grey580 | 0 | 374,687,458 | 1% | ||
michaellamden68 | 0 | 1,946,805,952 | 100% | ||
heiditravels | 0 | 102,883,539,987 | 25% | ||
good-karma | 0 | 85,691,029,823 | 23% | ||
roelandp | 0 | 496,253,121,697 | 100% | ||
stranger27 | 0 | 12,861,313,137 | 100% | ||
elyaque | 0 | 30,519,876,505 | 25% | ||
jamesjarman | 0 | 1,705,888,096 | 1% | ||
dwinblood | 0 | 129,163,157,037 | 100% | ||
juvyjabian | 0 | 782,209,269 | 1% | ||
karenmckersie | 0 | 2,161,992,189 | 1% | ||
luisucv34 | 0 | 2,578,125,752 | 25% | ||
rouketas | 0 | 58,836,887 | 100% | ||
ubg | 0 | 1,178,100,212 | 3% | ||
mysteem | 0 | 633,958,275 | 23% | ||
happyphoenix | 0 | 141,993,668 | 4.59% | ||
emilhoch | 0 | 6,975,484,296 | 100% | ||
remlaps | 0 | 14,557,014,549 | 100% | ||
shaka | 0 | 173,347,448,111 | 25% | ||
dirty.hera | 0 | 55,791,181 | 23% | ||
gomeravibz | 0 | 1,766,167,983 | 1% | ||
twinner | 0 | 358,007,951,186 | 25% | ||
timcliff | 0 | 183,661,870,547 | 100% | ||
timelapse | 0 | 463,275,835 | 1% | ||
ipumba | 0 | 3,846,353,350 | 100% | ||
gargon | 0 | 48,962,722,819 | 25% | ||
pgarcgo | 0 | 38,162,259,609 | 25% | ||
wartrapa | 0 | 12,810,511,491 | 25% | ||
darthnava | 0 | 418,893,272 | 1% | ||
hanshotfirst | 0 | 469,642,273,312 | 100% | ||
matrixdweller | 0 | 450,140,231 | 1% | ||
demo | 0 | 81,487,806 | 23% | ||
albagargon | 0 | 216,809,494 | 25% | ||
lasseehlers | 0 | 355,163,286 | 1% | ||
franks | 0 | 27,508,956,720 | 100% | ||
runridefly | 0 | 7,240,094,662 | 14% | ||
barrydutton | 0 | 1,693,364,851 | 1% | ||
pollux.one | 0 | 21,345,826,806 | 25% | ||
steemitguide | 0 | 589,822,942 | 1% | ||
uwelang | 0 | 8,964,547,907 | 20% | ||
richardcrill | 0 | 1,458,102,085 | 1% | ||
titin | 0 | 12,289,359,267 | 25% | ||
ksena | 0 | 7,149,805,375 | 100% | ||
smi | 0 | 161,484,243 | 100% | ||
titusfrost | 0 | 38,045,253,847 | 100% | ||
jacobtothe | 0 | 22,597,169,356 | 100% | ||
renzoarg | 0 | 35,565,039,791 | 100% | ||
finleyexp | 0 | 173,405,904 | 23% | ||
patelincho | 0 | 222,275,614 | 1% | ||
feruz | 0 | 80,642,346 | 23% | ||
jgcastrillo19 | 0 | 19,337,869,837 | 25% | ||
juliamateo | 0 | 586,059,974 | 25% | ||
ocrdu | 0 | 20,899,612,246 | 50% | ||
teo | 0 | 805,258,783 | 25% | ||
surpassinggoogle | 0 | 334,384,361 | 1% | ||
dianargenti | 0 | 208,213,359 | 1% | ||
alfredozofio | 0 | 832,043,637 | 25% | ||
freiheit50 | 0 | 8,582,340,459 | 25% | ||
beers | 0 | 10,995,883,166 | 25% | ||
dulcinea | 0 | 1,104,233,320 | 25% | ||
giantbear | 0 | 1,309,380,539 | 1% | ||
stray | 0 | 443,402,573 | 1% | ||
daisyd | 0 | 326,220,045 | 1% | ||
sqube | 0 | 2,976,473,829 | 1% | ||
whatageek | 0 | 900,358,574 | 1% | ||
esteemapp | 0 | 83,729,165 | 23% | ||
wagnertamanaha | 0 | 3,750,475,341 | 100% | ||
steemperor | 0 | 17,464,207,680 | 25% | ||
steempire | 0 | 31,109,605,808 | 25% | ||
reisman | 0 | 486,552,503 | 23% | ||
bellastella | 0 | 1,143,048,437 | 25% | ||
aniestudio | 0 | 3,792,311,939 | 25% | ||
seablue | 0 | 1,025,242,072 | 1% | ||
meysam | 0 | 555,394,443 | 1% | ||
tamersameeh | 0 | 590,074,742 | 100% | ||
driptorchpress | 0 | 86,895,212 | 1% | ||
roma-nt | 0 | 182,168,276 | 23% | ||
tamim | 0 | 963,729,919,169 | 25% | ||
steemcenterwiki | 0 | 525,786,792 | 100% | ||
loreennaa | 0 | 733,615,903 | 25% | ||
thedeplorable1 | 0 | 635,940,779 | 1% | ||
bounties | 0 | 154,843,184 | 23% | ||
steempoll | 0 | 117,060,932 | 23% | ||
ogochukwu | 0 | 1,751,586,299 | 23% | ||
len.george | 0 | 4,018,777,988 | 100% | ||
denmarkguy | 0 | 495,631,175 | 1% | ||
mestyz | 0 | 60,777,706 | 100% | ||
animal-shelter | 0 | 6,999,833,473 | 100% | ||
filotasriza3 | 0 | 6,802,987,320 | 100% | ||
cwatch | 0 | 115,282,287 | 1% | ||
ambyr00 | 0 | 3,016,432,704 | 23% | ||
teacher | 0 | 65,683,108 | 25% | ||
evildeathcore | 0 | 147,265,630 | 23% | ||
misalen | 0 | 562,473,768 | 100% | ||
mycryptomark | 0 | 60,659,981 | 1% | ||
fluffybunny | 0 | 368,476,103 | 100% | ||
toxicftw | 0 | 50,977,583 | 100% | ||
taz77 | 0 | 291,290,252 | 100% |
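
Added example, not part of the original post or of Steemit's own code: one way a front end could derive the red profile warning proposed in the post from an account's operation history. The history entries are constructed and simplified, `recovery_change_alert` and `expected_recovery` are hypothetical names, and the 30-day delay is the figure given in the post.

```python
from datetime import datetime, timedelta

# 30 days is the delay stated in the post above.
RECOVERY_CHANGE_DELAY = timedelta(days=30)

# Constructed, simplified history (not real chain data); each entry carries
# a timestamp and an [op_name, op_fields] pair.
SAMPLE_HISTORY = [
    {"timestamp": "2017-02-20T09:15:00",
     "op": ["vote", {"voter": "alice", "author": "bob",
                     "permlink": "hello", "weight": 10000}]},
    {"timestamp": "2017-03-01T08:30:00",
     "op": ["change_recovery_account",
            {"account_to_recover": "alice",
             "new_recovery_account": "mallory", "extensions": []}]},
    {"timestamp": "2017-03-05T12:00:00",
     "op": ["change_recovery_account",
            {"account_to_recover": "carol",
             "new_recovery_account": "steem", "extensions": []}]},
]


def recovery_change_alert(history, account, expected_recovery, now):
    """Return warning data if `account` has a recovery-account change that
    names anyone other than `expected_recovery`, else None.

    Assumption of this example: the most recent request is the one that
    counts, and a request naming the expected recovery account is benign.
    """
    latest = None
    for entry in history:
        name, fields = entry["op"]
        if name != "change_recovery_account" or fields["account_to_recover"] != account:
            continue
        requested = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%S")
        if latest is None or requested >= latest[0]:
            latest = (requested, fields["new_recovery_account"])
    if latest is None or latest[1] == expected_recovery:
        return None
    requested, new_recovery = latest
    effective = requested + RECOVERY_CHANGE_DELAY
    return {
        "new_recovery_account": new_recovery,
        "requested": requested,
        "effective": effective,
        "status": "pending" if now < effective else "in effect",
        "days_left": max((effective - now).days, 0),
    }
```

A `pending` result is the window in which the owner can still change the password and the recovery account; `in effect` means the delay has already run out.
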
post_id | 2,141,595 |
---|---|
author | abit |
permlink | re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t221033371z |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "tags": ["vulnerability"]}" |
created | 2017-03-13 22:11:36 |
last_update | 2017-03-13 22:11:36 |
depth | 1 |
children | 1 |
net_rshares | 183,790,440,461 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.021 SBD |
curator_payout_value | 0.001 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.000 SBD |
body_length | 11 |
author_reputation | 111,629,191,115,088 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |
author_curate_reward | "" |
voter | weight | wgt% | rshares | pct | time |
---|---|---|---|---|---|
afew | 0 | 4,028,565,025 | 10% | ||
alittle | 0 | 156,019,344 | 20% | ||
furion | 0 | 282,938,632,957 | 100% | ||
seraph | 0 | 4,679,027,776 | 100% | ||
smi | 0 | 161,484,243 | 100% | ||
wordsword | 0 | 0 | 0% | ||
htooms | 0 | -108,173,288,884 | -100% |
What do you know. There is an active user behind the flags. Would you be willing to un-flag my posts please?
post_id | 2,141,765 |
---|---|
author | jacobtothe |
permlink | re-abit-re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t223450423z |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "tags": ["vulnerability"]}" |
created | 2017-03-13 22:34:54 |
last_update | 2017-03-13 23:00:15 |
depth | 2 |
children | 0 |
net_rshares | 376,139,834 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 SBD |
curator_payout_value | 0.000 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.000 SBD |
body_length | 109 |
author_reputation | 124,292,362,915,131 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |
author_curate_reward | "" |
voter | weight | wgt% | rshares | pct | time |
---|---|---|---|---|---|
steemitqa | 0 | 196,866,346 | 1% | ||
steemspeak | 0 | 179,273,488 | 0.01% |
afaik, there is an email notification service in development that will address this and other cases. Thank you for bringing it up.
post_id | 2,141,688 |
---|---|
author | furion |
permlink | re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t222508750z |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "tags": ["vulnerability"]}" |
created | 2017-03-13 22:25:09 |
last_update | 2017-03-13 22:27:42 |
depth | 1 |
children | 5 |
net_rshares | 161,484,243 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 SBD |
curator_payout_value | 0.000 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.000 SBD |
body_length | 131 |
author_reputation | 116,591,440,117,983 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |
author_curate_reward | "" |
voter | weight | wgt% | rshares | pct | time |
---|---|---|---|---|---|
smi | 0 | 161,484,243 | 100% |
Hi. I am not sure how to tell if there is a problem. I went to "stolen account recovery". If all is well, what message will I see there? Thank you
post_id | 2,141,715 |
---|---|
author | hanshotfirst |
permlink | re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t222852796z |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "tags": ["vulnerability"]}" |
created | 2017-03-13 22:28:51 |
last_update | 2017-03-13 22:28:51 |
depth | 2 |
children | 1 |
net_rshares | 340,757,731 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 SBD |
curator_payout_value | 0.000 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.000 SBD |
body_length | 147 |
author_reputation | 503,758,308,712,084 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |
author_curate_reward | "" |
voter | weight | wgt% | rshares | pct | time |
---|---|---|---|---|---|
smi | 0 | 161,484,243 | 100% | ||
steemspeak | 0 | 179,273,488 | 0.01% |
Your Recovery account - steem. All is well. https://steemd.com/@hanshotfirst
post_id | 2,141,772 |
---|---|
author | smi |
permlink | re-hanshotfirst-re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170313t223612657z |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "links": ["https://steemd.com/@hanshotfirst"], "tags": ["vulnerability"]}" |
created | 2017-03-13 22:36:12 |
last_update | 2017-03-13 22:36:12 |
depth | 3 |
children | 0 |
net_rshares | 0 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 SBD |
curator_payout_value | 0.000 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.000 SBD |
body_length | 76 |
author_reputation | 427,672,289,026 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |
A message/alert on Steemit itself, in addition to an email, would be a good measure. I think a lot of people use application-specific email addresses to register on Steemit and probably don't check them often or at all.
post_id | 2,143,619 |
---|---|
author | pfunk |
permlink | re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170314t042721713z |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "tags": ["vulnerability"]}" |
created | 2017-03-14 04:27:24 |
last_update | 2017-03-14 04:27:24 |
depth | 2 |
children | 2 |
net_rshares | 161,484,243 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 SBD |
curator_payout_value | 0.000 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.000 SBD |
body_length | 219 |
author_reputation | 208,395,764,935,287 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |
author_curate_reward | "" |
voter | weight | wgt% | rshares | pct | time |
---|---|---|---|---|---|
smi | 0 | 161,484,243 | 100% |
Good point.
post_id | 2,144,528 |
---|---|
author | furion |
permlink | re-pfunk-re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170314t081718981z |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "tags": ["vulnerability"]}" |
created | 2017-03-14 08:17:18 |
last_update | 2017-03-14 08:17:18 |
depth | 3 |
children | 0 |
net_rshares | 0 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 SBD |
curator_payout_value | 0.000 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.000 SBD |
body_length | 11 |
author_reputation | 116,591,440,117,983 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |
E-mail is an already archaic technology. What about people that used disposable e-mails? (It turns out that crypto enthusiasts are also fanatics of never disclosing personal data to anyone.) Perhaps a signed message from another key could be used (a configurable bitcoin wallet, perhaps?) <blockquote>To change (whatever), please sign this message with (BTC address; that should also require a signed message to be changed):<br /> <blockquote>"Change the data of my account: TIMESTAMP"</blockquote></blockquote>
post_id | 2,151,770 |
---|---|
author | renzoarg |
permlink | re-pfunk-re-furion-re-smi-important-vulnerability-in-password-protection-for-accounts-20170315t071601388z |
category | vulnerability |
json_metadata | "{"app": "steemit/0.1", "tags": ["vulnerability"]}" |
created | 2017-03-15 07:16:03 |
last_update | 2017-03-15 07:16:03 |
depth | 3 |
children | 0 |
net_rshares | 0 |
last_payout | 2017-04-14 04:03:00 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 SBD |
curator_payout_value | 0.000 SBD |
pending_payout_value | 0.000 SBD |
promoted | 0.000 SBD |
body_length | 517 |
author_reputation | 62,934,514,884,081 |
root_title | "IMPORTANT !!! Vulnerability in password protection for accounts" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 SBD |
percent_steem_dollars | 10,000 |