Testing out new script to combat wallet theft, and when things don't quite go to plan...........................
Last week
@surfermarly had her wallet funds taken when she accidentally entered her private key into the memo field during a transfer.
The culprit is running a script to automatically detect keys entered into this field, and the script likely checks for keys entered in posts and comments.
Following this act of meanness, I wrote a post asking if there was a developer out there who could write a faster script, with the intention of returned the funds to their original owner.
https://steemit.com/steem/@abh12345/can-someone-beat-sami100-to-the-punch
There was a some interest in looking into this from the comments on the post, but I hadn't heard anything more...
Today
I received a notification from @ginabot that I had been tagged in a post. I seem to be getting more and more of these notifications, but as long as the content is relevant to me I don't mind.
Anyway, the post by @reazuliqbal is here, and I resteemed it earlier.
https://steemit.com/busy/@reazuliqbal/introducing-the-noble-bot
Basically, @reazuliqbal has working on my request, and has today introduced @noblebot. Great name btw :)
I commented on his post and we exchanged messages, the script had been tested but not in a live situation. Seeing as I put the request out, I felt obliged to give it a go......
Testing......testing......
Step up @steemzapper, an unused alt account of mine that was created with zappl in mind.
After discussing the process with @reazuliqbal on discord, I logged in with my posting key using @steemzapper and went to the wallet to transfer 0.001 STEEM with my Active Key in the memo field.
And guess what? It seems the steemit.com interface is detecting keys in memo fields and disabling the 'Next' button.
Result!
I'm sure this was in place previously, but no-one confirmed this on my post last week and so I'm still not 100% sure. But anyway, I tested this on Chrome/IE/Firefox and on all 3 browsers, the 'Next' button grays out when a key is spotted.
Nice one @steemit
👍
More testing
@reazuliqbal then informed me that his script also checks for keys that are accidentally pasted into posts and comments. Now, you are going to have to be testing or a little bit crazy to want to do this, and steemit.com have your back here too - sort of:
They will tell you that you are doing it all wrong, but the 'OK' button remains enabled, allowing you to still post a key onto the blockchain.
So what happened when I hit ok?
I used the @steemzapper account to post the following:
https://steemit.com/testing/@steemzapper/good-script-bad-script-who-s-gonna-win
And just 6 seconds after my post entered the BC, 0.001 STEEM and 0.001 SBD were moved from my wallet.
But where did they go? Did @noblebot take them? Was @sami100 quicker?
Nope. @ahh was!
Well we weren't expecting that!
As we were discussing ways to try and speed up @noblebot, and I'm pretty sure @reazuliqbal is working on this at present, I received a transfer, or 3 transfers....
@ahh seems to have been working on a solution too, and returned my funds with an additional 0.001 SBD to tell me he was faster than @sami100 :)
This is pretty cool. We seemingly have at least 2 accounts now that are wearing white hats, and could well be quicker than the bad guys. I'm pretty hopeful that between them, they will do a decent job of preventing lost funds via accidents.
On checking @sami100's account, it looks like he's recently taken more STEEM from other accounts. This makes me think that other applications don't have a restriction in the wallet to enter keys into the memo field. Hopefully these new accounts, @noblebot by @reazuliqbal and @ahh, can beat other evil account/s to the punch next time someone makes a mistake.
Good luck both, and thank you for your work!
Cheers
Asher @abh12345 / Witness @steemcommunity
As @ahh is way faster than @noblebot, it will act as backup for now. I hope I can match @ahh's speed and work side by side.
Drop him a memo? Would be cool for you guys to join up and run 24 hours combating the bad guys, nice job!
He commented on my announcement post, I replied lets see if he gets back. Latency was caused by RPC server but I am improving every bit of code and adding some new functionalities. I am also planning on using another server from a different location. Lets see if that works better.
Sounds good :D
It is great to see that some people took up the challenge, and that it seems to work. Heading over to @noblebot to take a look, and also @reazuliqbal and @ahh pages to poke my nose around their offerings.
Not much to see at @ahh, except in the wallet. And yeah, nice to have some good guys around :)
And the really nice thing is, people don't need to do anything to get the service. Free is always good, almost as good as, I don't need to be tech minded or sign up to get the help, it is just there.
Yeah pretty cool, good to know there's folks around willing to do things like this.
I guess I should be happy that there's a counter to the criminal element, but holy cow this does not make me feel any safer knowing there's a bunch of scripts running around waiting to steal passwords or keys. If the best we can do is beat the bad guy to the punch, then I'm going to need to rethink this whole thing. I know this was a test, and I'm understanding that they can't get to the keys unless they appear somewhere (yet), but none of this really instills much confidence.
The best we can do is not post our keys :)
It's on us in the first instance, but good to see Steemit inc and a couple of white hats on the case.
Super awesome news we've got there. I'm glad that Steemit Inc are working hard in most ways to help curb fraud on their site. Thanks too to the two bots wearing a clean white hats.
Yeah, 2 good pieces of news against this BS, nice!
It's great that these efforts are being made @abh12345 — and what an interestingly unexpected outcome!
This is probably a bigger project that originally estimated... I would image a "version" would have to be created for every possible front end that potentially involves sensitive account keys... there always seems to be a distinct "lag time" between my posting on (for example) Steepshot and the post appearing in my Steemit feed... and a few seconds may be all it takes if the black hat script is pinging the blockchain "live."
=^..^=
Yes the signs look positive, I hope they can get something in place to do this across all interfaces ahead of the bad guys - a good start! :)
That's awesome news Asher! It's so reassuring to know that problems can be solved here :)
Yes it is, I knew that someone would be up to the task, and we've even got two good eggs on the case 😁
@abh12345, there seems to be good eggs popping up all over 😎
I had seen the resteem of @reazuliqbal post and upped it. Great going guys!
question is what's the return threshold :confused:
it's easy to send back 0.001
I'm hoping they will send the lot back!
🤞 :)
That all sounds vry promising @abh1234.
Couldyou explain what you meant by this:
Thanks 😍
Yes I'll get abh1234 to reply to you shortly 😜
I'm thinking perhaps busy.org or another app doesn't have the script to disable the 'next' button - I didn't test there or anywhere else.
Ah I see abh what's his name. You can't expect me not to make any typos. I've had rather a lot of prosecco! 😍
we have to more aware of this and thanks for this writing..
this is something new to me i need to check it out :)
:)
what kind of race it is. I see strange behavior to them thanks have shared a little knowledge of them. ;)
I have chosen you as a witness and happy that you are not proud in discord. :)
I have chosen you as a witness and happy that you are not proud in discord. :)
this post is very different,i choose it.
between black hat and white hat??
bad and good coders/hackers.
We need more people to be BRAVE like you and speak out about this..
thanks for share your experience..
The post you are posting is different from everyone else, so I love you so much that you are working to improve steemit. I want you to be successful.@abh12345
Good to know there are people who have coding skills and are using it for good things. if you have those skills, I guess it’s tempting to use them to enrich yourself. Fortunately there are some good people still around...
That's absolutely great.
It can happen sometimes, we have the keys on the clipboard and it gets copied in the memo.
Great change by steemit development, the next button gets greyed out. Great work Steemit.
Well this can really help a lot on this platform that will be perfect awesome results till now
I once posted a private key used with the STX testnet. There were all these warnings you mentioned in the article. It wont help people with passwords from outside Steem ! Be careful people!