Offline Attack on Steem User Credentials

in #steem8 years ago

Moments ago I changed the owner/active/posting/memo keys of ~500 Steem accounts.

I changed their keys to Steemit's key so Steemit can allow these users to regain access via the recovery mechanism they established.

I was able to do this because I was able to guess these account's passwords.

I was able to guess their passwords because of what I would argue is a flaw in Steem's UI. Specifically, it currently allows users-chosen passwords by default. In most applications user-chosen password are not problematic. However, they are problematic in this use-case because a scrambled form of each user's password must be stored on Steem's public blockchain meaning anyone with a copy of the blockchain can mount a large-scale offline dictionary attack to recover them. Research as well as real-world precedent has repeatedly shown that a non-trivial fraction of users are incapable of choosing passwords resistent to offline-attack even when password complexity requirements are enforced.

Forcing machine-generated passwords in the UI for owner/active keys would be one possible step towards mitigation. I'm aware of the usability counter-argument to this suggestion. However, consider that my effort expended ~1 USD of computing resources and ended up recovering the credentials of accounts with liquid assets valued in the thousands and semi-liquid assets (SP) in the tens of thousands. Given this fact, it would be hopelessly naive to assume offline attacks will not be attempted in the future at much greater scale and by totally bad actors.

I invite others with constructive mitigation ideas to share them.

One futher point, unless explicitly invited by Steemit, I will not attempt any future white hat shenanigans. My motivation was to alert this community to a genuine danger and do so in manner that hopefully leaves a more lasting impression than yet another "how to pick a strong password" snorefest post.

12345

Sort:  

Yup, this is exactly what I have been shouting about for weeks now and expected would eventually happen. I am happy that you are a white hat and didn't take control of the accounts for yourself to profit from.

I believe it is better to push away new users with less user friendly registration (that forces them to use a randomly generated key that they must store securely and use password managers to manage) than to bring them aboard easily only to completely piss them off when their account or funds are stolen [1]. It is our job to make it as user-friendly as possible and to provide great resources educating users how to generate and manage random high-entropy passwords. But I don't agree with compromising their security because it is "too hard" and we don't want to lose them as new users.

[1] Although the new recovery feature allows them to get their account back. Most funds are usually locked in the time-locked Steem Power, so hopefully not too much financial damage would be done by the time they recover their account. And there are plans for a user opt-in and configurable time-locked savings account to even protect their more liquid STEEM and Steem Dollar funds from being stolen by hackers assuming they recover their account in a few days.

… we are in needs of a bug bounty program with high rewards, that people are happy to publish the flaws, instead of misusing them for the own profit in the short run! Thank you for being honest and alarming the devs and community - and not run with the money …!

Chapeau !

and tipping is always an option as well - thx again!

I WILL donate/contribute my rewards gotten out of my comments here @robinhood as well, and you guys here should considering to do this as well...if everybody here WILL doing this i'd double the comment payment amount to donate out of my pockets again!

@cass - the largest flaw now in my opinion is that overgrowing "tag-spamming" people do. When you have for example in top 12 of "marijuana" topic just 3 related ones the platform has a massive problem. This get worse hour by our and people tag nearly all their posts wrong.

@wackou - thanks for your upvote... I wrote a article today of the topic. It would be a real interesting thing what a whale (like you) say to the actual situation as you too think tag-spam get a real pain. Would be great to get some words from you:

https://steemit.com/money/@hastla/why-whales-and-dolphins-have-to-start-work-for-steemit-or-lose-their-whole-investment

Happy to introduce anyone to Jacob at Cobalt - best bug bounties with a specialization in cryptocurrency companies.

This is someting i'm really concerned about arhag, do you have any information i can use at the moment to protect myself further?

I do actually. I just wrote this post about the importance of using password managers.

Thank you arhag, I had a look and have infact been using lastpass, but i've found a few issues it seems to be interfering with things, for example on bittrex it keeps trying to autocomplete the boxes in which I write trade values, so I had to turn it off. do you know any work around for this or perhaps an alternative? cheers.

I don't use LastPass so I can't give you specific instructions. But you should be able to disable its autofill functionality on specific websites that it has trouble with, while still taking advantage of it on nearly every other website. It may also be possible to manually fix the issue specifically for the Bittrex site so that you can even still use autofill on its website without having LastPass autofill in the wrong boxes.

This link may be helpful:
https://lastpass.com/support.php?cmd=getfeaturefaq&feature=feataure_4

Amazing work and really making a difference in how we all move forward in the world.

I will upvote every White Hat hackers post that will help us secure more our platform! And I hope that will give them the motivation to continue working for our security!

Upvoting for visibility (and the Spaceballs reference), but not without much conflict. More people need to understand how serious password security is and the need for a good password manager. At the same time, I don't want to condone grey hat activity.

There were other ways to handle this that would have been true white hat. You could have checked those 500~ passwords, verified them, and then contacted the Steemit team privately. I've been posting in the Slack channel about the need for a private bug bounty program like Bugcrowd for exactly that purpose. There should also be an easy to find ethical disclosure procedure.

In this case, however, was it really Steemit's fault or a PEBKEC (Problem Exists Between Keyboard and Chair)? All attempts at creating idiot proof software fail as better idiots are produced.

I hope you can work with the Steemit team in an ethical manner in the future. I know I'm coming across as judgemental here, and it's possible you actually saved a lot of people from a lot of trouble. It still just feels wrong. Either way, I wouldn't want to get on your bad side. :)

I don't fault the OP. This is a classic scenario where you don't fully comprehend the gravity unless it happens. I also like the fact that the OP is being financially compensated for his discovery. I hired my first CTO after he rooted our mail server!

You might be right, Bill. I guess I'm just much more comfortable with white hat activities. We use BugCrowd for FoxyCart and have been very happy with the professionalism and ethics of those involved. When something is exposed (thankfully it's almost always some third party system outside of our PCI environment), it's hard not to take it very seriously. From what I've seen of the team here so far, I think they would have taken a white hat approach seriously also. But... maybe not. As I said, whether or not I like it, this approach may have saved quite a few people from even more frustration.

can you get in touch with me on the slack channel?
(my name there is also liondani)

It is about a steemit user they "lost" his owner key and needs desperately help @tonyson (lost owner key) now he posts under his new account @hien-tran read his post about the "hack" https://steemit.com/steemit/@hien-tran/i-wonder-if-you-could-help-me-with-my-account

co-founder of steemit @ned encouraged him to get in touch with you and that was a great idea in my opinion (I don't know if the reached already to you,his English are poor) I will appreciate it very much if you helped him "recover" his keys.... It is obvious that the funds he has lost are significant for him (he lives with his little Son in Vietnam).... I can Imagine it will change his life if he can have access to his funds! Thanks in advance and please make a post about it so we can tip you for helping a dedicated community member. Thanks

Sorry but I can't help this user - I checked my logs and @tonyson was not one of the accounts that I updated.

The accounts I updated had their keys changed to either STM7kyb6WK6Sg9Eu4uu7WGqjYdqJzdBeKEWVDaDEKsgvhvESJZ1vM or STM65wH1LZ7BfSHcK69SShnqCAH5xdoSZpGkUjmzHJ5GCuxEK9V5G which are the owner keys for @steemit and @steemit3 respectively.

robinhood, can you send me an email ned at steemit dot com

Sure. Sent you a message a moment ago. May hit your spam folder since it just said "hi".

I can say nothing here except thank you! This really should be the most upvoted topic of the day. Here's an upvote from me!

Nice job and thanks!

Hm. I vote that you continue to do this and make posts about how you did it, and what recommendations you made.

I promise I will upvote you every time I see it :P

You're the first white hat I've seeing doing these sorts of white hat things in crypto since I got in the game a year ago!

That's pretty terrifying, and it's a good job that you posted this... It hadn't occurred that of course hashed passwords are going to be freely available offline because in using a web UI you're used to the assumptions of a traditional web model.

Good on you (assuming you did what you said) for just reassigning back to Steemit. Sounds like we do really need 2FA or generated only passwords... It's a shame that browser tooling around SSL client certs is so user unfriendly, having a client cert as a per-browser alternative to the generated password would be a good way of removing the usability barrier. Users would obviously still have to store their password but they could use the installed client cert for day-to-day auth and just use the password for requesting new certs for new devices.

Coin Marketplace

STEEM 0.28
TRX 0.21
JST 0.039
BTC 97208.32
ETH 3709.85
USDT 1.00
SBD 3.93