Attention Bitshares DEX Users! READ THIS - Your accounts may be vulnerable!

in #bitshares7 years ago (edited)

Are your account keys the same?

Today on the Bitshares Hangout, Alex brought to the community's attention that many Bitshares accounts are vulnerable. If your owner key, active key, and memo keys are the same, then your account could be vulnerable.

Some 3rd-party applications ask for your active and memo private keys as part of authentication. If you ever shared these, then your account is vulnerable if all the keys match.

To check if the keys are different, go to https://cryptofresh.com and look up your account.


How to change your keys

A fellow steemian, @sschiessl, wrote an excellent article on how to change your keys.

Check your accounts immediately and make the necessary changes.

Thanks,

@pairmike
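
The same comparison can be made on account data directly, by checking whether the memo public key also appears in the owner or active authority. This is an added example, not part of the original post; it assumes account JSON in the shape a BitShares node returns from `get_accounts` (`owner.key_auths`, `active.key_auths`, `options.memo_key`), and the account names and keys are constructed placeholders.

```python
import json

# Constructed sample: three account objects in the get_accounts shape.
# Names and public keys are placeholders, not real accounts.
SAMPLE_ACCOUNTS = json.loads("""
[
 {"name": "example-all-same",
  "owner":  {"weight_threshold": 1, "key_auths": [["BTS_PLACEHOLDER_A", 1]]},
  "active": {"weight_threshold": 1, "key_auths": [["BTS_PLACEHOLDER_A", 1]]},
  "options": {"memo_key": "BTS_PLACEHOLDER_A"}},
 {"name": "example-memo-is-active",
  "owner":  {"weight_threshold": 1, "key_auths": [["BTS_PLACEHOLDER_B", 1]]},
  "active": {"weight_threshold": 1, "key_auths": [["BTS_PLACEHOLDER_C", 1]]},
  "options": {"memo_key": "BTS_PLACEHOLDER_C"}},
 {"name": "example-all-different",
  "owner":  {"weight_threshold": 1, "key_auths": [["BTS_PLACEHOLDER_D", 1]]},
  "active": {"weight_threshold": 1, "key_auths": [["BTS_PLACEHOLDER_E", 1],
                                                   ["BTS_PLACEHOLDER_F", 1]]},
  "options": {"memo_key": "BTS_PLACEHOLDER_G"}}
]
""")


def roles_sharing_memo_key(account):
    """Return the authority roles whose public keys include the memo key."""
    memo_key = account["options"]["memo_key"]
    shared = []
    for role in ("owner", "active"):
        # An authority can list several [public_key, weight] pairs.
        keys = {key for key, _weight in account[role].get("key_auths", [])}
        if memo_key in keys:
            shared.append(role)
    return shared


def audit(accounts):
    """Map each account name to the roles that reuse its memo key."""
    return {acct["name"]: roles_sharing_memo_key(acct) for acct in accounts}


if __name__ == "__main__":
    for name, roles in audit(SAMPLE_ACCOUNTS).items():
        if roles:
            print(f"{name}: memo key also used for {', '.join(roles)}; change keys")
        else:
            print(f"{name}: memo key is separate from owner and active")
```

Only public keys are compared here, so the check never needs a private key or password.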


My active and memo keys are the same but my owner key is different. Does that mean I’m okay?

Are accounts impacted differently if they have a local wallet rather than a web-based account?

I was under the impression that having a local wallet meant I was pretty safe: that someone would need my password and be using my computer to access my wallet. True or false?

Thanks

Same here too.

From OpenLedger’s knowledge base, defining the difference between wallet and account (cloud-based) models at https://openledger.freshdesk.com/support/solutions/articles/33000202644-what-are-the-differences-between-account-and-wallet-model-

“Being more secure than the account model, the wallet model is restricted to your current browser and device. To use the wallet in another browser or device, you need to import the wallet backup file or brainkey.”

This seems to confirm my earlier statement on security of the local wallet. I have not found anything else out yet.

Same here, should we do something?

Same here, too. I have the same question as @cannonball6

10 steem tip for the one who can answer ;)

If your active key and your memo keys are the same and you have shared your private memo key, then your account is still vulnerable.

Say for instance, I created a website and asked you to enter your private memo key, I could then transfer your funds. That’s because your memo private key is the same as your private active key. Active keys give you the right to buy/sell/deposit/withdraw funds.

The owner key provides this same access in addition to changing your password.

My owner, active, and memo keys were the same, so I changed my owner and active keys. Afterwards I can continue to read my memos on previous transactions.

As an alternative to changing your keys, you could just create a new account and then transfer your assets from the old account to the new account.

Thanks for your follow up, it is appreciated. I am fairly confident I am okay since I have never knowingly given anyone access to any of my private keys, but I wonder if there is a way one could do so unknowingly.

You have highlighted the memo function as a potential vulnerability. The only times I have never included any memo is when making a deposit to Openledger and entering my account name in the memo field. I don’t expect this would create a vulnerability but I would love to be corrected if I’m wrong! Thanks again!

The memo key is a vulnerability if it matches one of your other two keys. If all 3 keys are different, then your account is secure.

Take a look at my answer below.

Thanks Mike...great information...cheers

Great PSA! Thanks @pairmike.

Thanks for the mentioning of my article!

You are very welcome!

Dear All, I sympathize with those users who were affected by the recent hosting provider’s account breach. Though it wasn’t our fault that credentials of some OpenLedger DEX wallets were stolen, resulting in lost crypto assets, I couldn’t stay still. Starting from July 2, our trading platform will launch the Reimbursement Program for such users. Read more in the official announcement at https://dex.openledger.io/access-issue-ol-reimbursement-program. Yours sincerely Ronny Boesing, CEO, OpenLedger ApS.