I Found $63,278 of Private Keys on Steemit.com in 10 Minutes!

in #steemit7 years ago (edited)

block private key transmission for steem.png

Will exchanges like Bittrex and Poloniex help warn users against sending a private key in a memo because Steem users are accidentally sharing the posting, active, and even master passwords out in the open almost every day with transfers from exchanges with no ability to undo the mistake outside of changing the master password? We have been talking about this a lot already and I hope my post contributes alongside of those listed below! I took the time to share this today because when I originally read the posts below, I thought it was not that easy for the average user to find and exploit. I wrong! It turns out finding these keys and then using them is incredibly easy and in the comments readers are reporting Steem being stolen within minutes of leaking a key out in memos!

  1. @gtg writes memos, keys and passwords, Balrogs and Fields of Despair. Be safe. Almost $100k wasn't at https://steemit.com/steem/@gtg/memos-keys-and-passwords-balrogs-and-fields-of-despair-be-safe-almost-usd100k-wasn-t
  2. @noisy writes we just hacked 11 accounts on Steemit! ~$21 749 in STEEM and SBD is under our control. But we are good guys 😇 So... at https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so
  3. @lukmarcus writes https://steemit.com/security/@lukmarcus/important-security-information-regarding-private-memo-public-keys-and-transfers-with-statistics

The Problem


Users mostly on exchanges are sharing the Steem private posting key, private active key, and master password in memos and I would imagine sometimes in posts or comments also. These keys are being shared almost every day by a different user and often frequently by the same users.

In 10 minutes, I found $63,278 worth of Steem private keys out in the open! What is remarkable is how easy these were for me to find without even planning to look once I saw the first private key and recognized what it was! Unlike the sophistication in previous posts showing how tools were used to search the entire blockchain, I was able to find all of these keys without leaving steemit.com as soon as I noticed the first one. In fact, I probably missed 80% of the private keys using my very basic find procedure.

If a hacker chose to actively check the Steem blockchain for this loophole, it might be possible to steal of hundreds if not thousands of dollars of Steem and SBD every day along with initiating power downs, making posts, creating comments, and using voting power. If a hacker was to have a sense of humor in the process of cleaning the accounts out, the private keys could be used to set auto upvoters which would quickly provide a whale size upvote when combined with the keys being shared every day plus the ones that have already been shared. The hacker could even make posts on all of the accounts and troll comments or employ a bot network to use all the accounts together.

The Solution


To help the users I found fix the breach, I contacted all of the users I found private keys for yesterday and asked each to change the master password to reset the keys and secure the accounts. While I have a spreadsheet with the names of the users and the amount of Steem at risk, I am not sharing them here because within 24 hours, I am happy to see $53,271 of the Steem at risk through leaked keys has been secured through changing the master password. We can see when a master password was last changed on any account by viewing each account on https://steemd.com/ and checking the owner update for that user. While many keys are only for posting, these also might be the most difficult to detect problems with if a hacker set an auto upvoter might cause more problems than losing a bit of Steem because of comments or posts.

We can each immediately assist in helping our friends and fellow users by noticing what our private keys look like and immediately informing another user when we see a private key slip out in the open. Learn the private key format at https://steemit.com/@jerrybanfield/permissions by switching out my username.

Any private key slip can be fixed by changing our password at https://steemit.com/@jerrybanfield/password using our own username because switching the password updates the private keys also and makes the old ones invalid. WARNING: MAKE SURE to copy the new password out into wherever it will be stored and then paste it back in to the retype password field from there because failing to copy the password right might result in access to the account being lost! The new password totally replaces the old one. The pucker factor was 100% last time I changed my owner key ... minimizing password use and changes is ideal!

Prevention


I am talking about this and risking making it worse before it gets better both for the sake of educating users how to avoid this and to ask Poloniex and Bittrex and any other exchanges for the ability to warn or block transmission of private keys in memos. Fortunately Steemit.com already has this functionality built in!

In the meantime, learning the basics of account security as seen at https://steemit.com/steemit-guides/@jerrybanfield/the-steemit-account-security-tutorial-june-2017 can help each of us keep our keys safe and our accounts logged in by the ideal methods. This screenshot by @lukmarcus is also helpful!

Here are a few more quick Steem account security tips!

  1. Log in everywhere by default with the private posting key because this key is the lowest security. It only allows for voting, posting, commenting, etc. It has no rights to send Steem, power up or down, use the market, or even vote for witnesses.
  2. Use the active key to make transfers, vote for witnesses at https://steemit.com/~witnesses and handle anything else the posting key cannot such as running a witness.
  3. Only use the master password to change the keys as needed. Do not use the master password to sign into steemit.com or anywhere else because anyone grabbing our master password can lock us out of our account. Avoid using the master password to sign in anywhere including third party apps.

Thank You for Reading!


I hope this post was helpful today and appreciate you following me on Steemit!

Love,
Jerry Banfield

Shared on

PS: This post today is a part of my service as a full time witness for Steem! Witness votes are the most important votes we make on Steem because one vote for a witness lasts indefinitely! Would you please make a vote for jerrybanfield as a witness or set jerrybanfield as a proxy to handle all witness votes at https://steemit.com/~witnesses because when we make our votes, we feel in control of our future together? Thank you to the 1012 accounts voting for me as a witness, the 237M VESTS assigned from users trusting me to make all witness votes by setting me as proxy, and @followbtcnews for making these .gif images!

Vote Jerry Banfield Steem Witness Rank 29

OR

Set JerryBanfield proxy

Sort:  
There are 2 pages
Pages

Talking of the security in here on steemit, I guess this as you have it below has addressed that only that you did not talk about the memo key.

  1. Log in everywhere by default with the private posting key because this key is the lowest security. It only allows for voting, posting, commenting, etc. It has no rights to send Steem, power up or down, use the market, or even vote for witnesses.
  2. Use the active key to make transfers, vote for witnesses at https://steemit.com/~witnesses and handle anything else the posting key cannot such as running a witness.
  3. Only use the master password to change the keys as needed. Do not use the master password to sign into steemit.com or anywhere else because anyone grabbing our master password can lock us out of our account. Avoid using the master password to sign in anywhere including third party apps.

But to talk of that much people sharing their private key, that's majorly wrong. That much persons can't be as daft as that and I believe potential scammers ain't as weak as that not to have cleared the accounts either minutes after you dropped those spam like messages in our comments sections or very long before you even dropped the message.
Majority of us only have memo keys shared in those places you claimed to have seen private keys and I remember asking you with a reply to your message but didn't get a response.
What I know about keys on here is shared in this screenshot below (gotten from the FAQ section) and I don't see memo key equaling private key.

Keys.jpg

Steemit has high security.

True... this was an interesting read.
Lets-be-friends.gif

its true it is still a problem, and yes very dramatic if you just scroll certain accounts for these memo keys, you instantly hit that data. But there is not much one can do except making people aware through posts like yours.

Most of the times these are private keys for 'posting' only by the way, so not much harm can be done directly to the funds, but indeed to the reputation of the users. In any case it is bad and people will need to change.

Right here on Steemit the dialog box will warn you with a red warning when you put a private key formatted like string in the memo box. Bittrex could adopt that too when it detects similar behaviour...

@roelandp thank you for explaining that we already have a system here on Steemit to warn against sending private keys because I did not know that and now feel a bit foolish for not testing it before I made this post! I see now based on your suggestion that we would benefit warnings on the exchanges also and I will update the post to reflect that! I appreciate your upvote on my burrito post earlier today!

i'm huge fan of burritos :)

upvoted please do same

People should be discouraged from ever having their keys in clipboard at all. Password managers like LastPass can help prevent you from having private keys in clipboard, which exposes you to various risks (malicious and accidental).

Had 490 liquid STEEM stolen from me 10 minutes after this happened to me last month :/ hope people here take their time to read up on how to use their keys properly.

But hey, many people have payed far greater costs for lessons learned in life.

@fredrikaa thank you very much for sharing your experience here with this because seeing that you lost money just 10 minutes after this happening I hope helps prevent another from the same loss! Tip!

That's very gracious of you Jerry. Thanks a lot!
Indeed I hope I can just be of help to the community in general by sharing my experience and helping others avoid this.

For those who just want to know how it went wrong for me and how it could be avoided could check out my friend's post on it here. I hope it can help some of you.

I myself have just thought about how I can turn frustration into motivation and be even more active on the platform and deliver better on my posts.

Anyways, thanks again Jerry! It's the awesome way in which the STEEM-community is helping each-others out and co-creating a great platform that will send us to the Moon :)

Share my active key on curie for unlocking the app , following you , hope that is safe , as they were not letting me unlock with my posting key @jerrybanfiled

Your active key is used to transfer funds from your account.

Really sorry to hear that, but can you please share how your password could be stolen? @fredrikaa

upvoted please do same

Great help for the people involved

upvoted please do same

I really appreciate your effort, jerry. I'm just wondering how it was possible for you to find those keys on steemit. Because it actually shouldn't be possible without doing any crawling. Also the chance of a person posting their private keys:

1.) are currently very low - there is a system in place which alerts and stops the user if they are entering any private key
2.) the only chance people still sending their password is if they have custom passwords - e.g. "jerryisawesome123" or if they send from an exchange.
3.) you didn't specify which keys you found - memo keys are currently not being used and except of logging in - nothing can be done with them

I understand - you're a clever guy. You know what a catchy headline needs and what topics people will want to read about. But I really don't like how you act as if you had magically "hacked" into those accounts and gained access to 60k$ because most of them probably were memory keys - and those are worthless if someone wants to hack.

You're so right bro. It's just a play to the gallery.

Most of the key's posted in the memo-field are just the memo-keys, which are useless as of today...
But anyway, the memo-field should just block all these keys on entry...

It happened with me once. I was using Whats app web and i login to my steemit account. I forget the password is still copied and while chatting i pasted my password on the Whats app group. Thank god nothing happened.

Did you change the password right away after that I am guessing?

Yes. I had too.

Thanks for the warning, keep up the good job!

You contacted people that have written just memo on bittrex, why?

I wonder too.

Is there a way people might not realize they put their key out in the open, or are you saying that people pasted their passwords in as memos?

My memos have only ever been articles links I want randowhale to upvote. There's no risk there right?

No, no risk.

I will stick the prevention tips as i'm currently using my master key to log in. Thanks a lot, Jerry!

Good practice can help.
Thank you @jerrybanfield for warning us about this

Hello My Little Cyber Friend)

Wow, it's amazing that there are so many unsecured accounts out there. I guess people are all pretty new to steemit and the way the keys work is a pretty tough concept for many people to grasp. It sure was nice of you to dedicate the time and effort into finding all of these open keys and letting the users know.

How did you search for these keys? Perhaps if everyone started recognizing them then we can all help each other when they are noticed. If enough of us are monitoring then we should be able to find them and lock them down before the hackers have a chance to exploit them.

@jerrybanfield How did you search for the keys?

Majority of what Jerry found were memo keys that do not bare any security risk.

So glad we have you on our side.

Ill take some of whatever you got left over lol 😂

Nice info
Thanks for sharing

it is problem. Steem must hide any memo info from other eyes. I guess people possible lost their money already. We are don't know all situation.

Nicely
will implement your solution and prevention and see how effective it is
thanks for sharing this

WOW! Thank you for posting about this and notifying ppl.
That is one major security issue out there since ppl probably don't think about it.
It would definitely be wise to have a warning statement next to memo, saying "do not put your key here" in BOLD large font

Kutte vote me

Thanks Jerry! You are such a great help. Whenever I read your posts, I am affirmed that my investment on steemit will not go wasted. Keep it up!! Thanks

Wow..thanks for the heads up!

Give me my money back!

This seems as though it can become a major problem. I really hope no one has been compromised!! Great work and info. @jerrybanfield. Always doin work for the good of steemit!!

This amazed me every time someone does some investigation and find so much money out in the open. It's actually pretty weird that no one has stolen these funds yet.

So, do you think a lot of these funds won't have been stolen if they really were in the risk? I bet majority of keys Jerry saw were mere memo keys.

wow this helped alot, i did notice that you might accidentally share it thanks again @jerrybanfield

Hey Jerry... you explained hackers how to become rich... ok, I know your argument... hackers know that already...

Dude you are legend.

Oh my. It problem to me. Thank you for reminding me.

When something is written about the security of the platform, it becomes most valuable for several reasons. I hope those users change their master passwords and thus secure their earnings. You're a good human being @jerrybanfield. Thanks for proving again that I voted for the right witness. :D

Respect.

Steem on!

I think that it comes from copy and pasting. For upvote bots for example you copy and paste a link for your post to put in the memo feed, then you need to enter your password, so you copy and paste your password. Somewhere in the copy and pasting you put the wrong one in the wrong place...

I am jealous of how you absolutely get the insights on steemit so fast, you really are dedicated to this full time.
man you are a legend @jerrybanfield
my witness vote goes to you

thanks for sharing
follow me @sairahamdan

So some people actually put their private keys into the memo fields? That's just crazy.

This is VERY important for people to know.

Especially take note of backing up your key to a text file on a secure flash drive and consider using a program like KeePass to store your keys securely.

very good

dear Jerry, as you describe it, I'm almost of the opinion that exactly the same happened to me then. Although I am not aware of this. but someone cleared my account. And I had no chance to get it back. Now I'm even more cautious than before and check everything twice before I post something or comment. Even if it is too late for me, is a good help for others !! Thank you for sharing!.... 1.png

Why do they put private keys in memos? Any ideas? Its like writing down the password of your computer on a piece of paper right beside your keyboard.
J

It's not private keys... Jerry just saw any keys and called them private keys... Some of us are not dumb to share such info. What we shared was memo key which is not a security risk in any way...

Great job @jerrybanfield!
Thanks a lot for this information

Thanks for sharing Jerry.

As usual expected from a Genius @jerrybanfield Thumbs Up for saving so many steemians!

Wow love it how you can make 70$/hour ;D
Its almost the same as my hourly pay, but I have to edit videos instead of making them :)

okay, what do you want to talk about?

One really gets upset to hear that somebody takes your hard earned steem coins.

OMG that's such a big risk!
I didn't even know we could change our password!! I thought it would just be the private key generated initially lol... Thanks a lot.. This certainly was very helpful!

good idea and useful warning for newbies. I hope the frontpage admin in Steemit.inc will do something - at least put more warnings in the wallet interface.

Omg.............

There are 2 pages
Pages