[AMA I hunt BUGS, and collect BUG BOUNTYs] Hello Everyone, please read this, it took two years to find two of these, and I'm back and finding the SECOND CRITICAL XSS bug in steemit.com. Please READ & afterwards vote up for attention

in #steem6 years ago

SECURE DISCLOSURE
With issues like these, it can be hard to get the attention of those who need to know, I have sent emails to Ned, but I'm not in the inner circle. I mostly just hang out on Steemit and occasionally look for bugs. Because I care about this place, and I hope you do too. And hopefully, I'm not being too corny, just vulernable enough to let you learn more about me.

Secure disclosure requires met to remain absolutely quiet about the details, so that it remains a secret until I can encrypt the details of the critical XSS exploit and share it wtih the development community. In addition to all the details needed to reproduce the bug, I have already developed some JS to pass along with the bug, to help guide the developers, and hopefully allow them to make haste with the fix. After that procsess complete I will edit the thread and share the details. It is an interesting bug, and I hope you check back later to learn how I found it. It was difficult to find to say the least.

So please do your part now, help spread the word and raise awareness that this exist, once it receives enough attention, I suspect I will get upvoted by developers and we will exchange some form of asymmetric cartographic key like PGP.

After TWO years of searching, I have only found TWO critical XSS bugs this bad
Last time I had a critical bug, it was ignored, and only after a post saying "Post Critical Bugs Please And Make Money", made 15,000 USD, and I made a second post complaining that real BUG BOUNTIES were actually ignored, did anyone pay attention, review my post history and you can confirm I'm legit.

My hope is that the community has grown much stronger and much more mature since then and we will reward people like me who posts rarely but still have important contributions, even if, it may not be the most etnertaining read until I'm able to release the story of how I found the bug, and how I determined how to fix it.

I post rarely because these are VERY serious bugs and unless they are capable of leaking EVERYONEs private keys, like this one is, do I bother sharing it. This is VERY IMPORTANT TO FOR THE STABILITY OF STEEMIT. I send hours every week searching and have only found TWO over the years. So I really would appreciate everyone's in the communities support, because this is my contribution, most of the time I lurk and enjoy but this is the one way I can contribute.

HISTORY: XSS of Steemit Past
If you do not remember, last time an XSS bug was exploited over 100,000 USD was STOLEN. ALL ADMIN accounts were hijacked and used to spread hate speech.

Even though I could be malicious and cause havoc I'm not, instead of stealing MUCH more than I could raise by helping the community, I want this community to thrive and my own selfish gain is not worth sacrificing what we built together.

Conclusion & Thanks
Thanks Everyone! Glad to be apart of this community. Overall two major XSS attacks is relatively low, and I think this goes to show how successful we have been as a community by collaborating together. I hope continue our symbiotic mutualism, because we all win!

It was been a weird wild journey.

Back to the shadows for me, I will return to update the thread and do an AMA. So please ask questions, now or later, and I will answer every one. Thanks for participating.

Sort:  

Keep up the good work. Waiting for the detailed post explaining the issue.

Congratulations @spaced! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 3 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Coin Marketplace

STEEM 0.21
TRX 0.26
JST 0.039
BTC 98628.81
ETH 3457.37
USDT 1.00
SBD 3.21