Some Steemit accounts can be compromised (found passwords for more than $10.000 in a few minutes)

in #steemit7 years ago (edited)

Hello guys, I'm quite new here but I went on Steemit a couple times to read crypto-based stuff. :)

I just came across this article (that I really recommend reading before this one) which is very interesting: sometimes people paste their keys in the memo box during transfer, and everyone can read it. Well, I know this might be old news, but @JerryBanfield created a program to find those passwords, still it's way easier than that to pick new ones, which is a terrible issue for the owners of those accounts.

First of all, a reminder

There are 4 kinds of keys on Steemit:

Active key

This key lets you transfer funds, it's one of the most important. You can also place trades on internal markets with this key, so NEVER POST IT ANYWHERE. Always keep it safe.

Posting key

This key lets you publish articles and up (or down) vote contents and comments.

Note key

This key just lets you create and manage notes, not a big deal.

Priority key (or password account)

The main password that can do anything. NEVER REVEAL THIS PASSWORD.

These all have public and private keys. No problem giving away the public ones, but the privates have a name that should be heard. Don't reveal them anywhere.

All of these keys can be found on https://steemit.com/@USERNAME/permissions

Okay, so what now?

Calm down, I'm coming to it!

These memos are written during money transfers. We definately need to put a box saying DO NOT WRITE YOUR KEYS HERE.

Thing is, on Steemit, most of the exchanges have an account. @bittrex, @binance-hot, @poloniex (dead as of now though). And guess what? Plenty of keys can be found on their transaction lists, which are working every 10 minutes at least.

I didn't try to withdraw, I tried to upvote on some (for research purpose, eh, don't judge) and sometimes it's working, sometimes not. I'm guessing people are sometimes posting Note key, Active key or another one. But still, @steemit, you NEED to act so these account aren't compromised. I know it's a BKAC mistake, but please, put some more messages so these people do not get stolen.

Here are some examples of accounts I could gain access

Sorry, website is in French...

It took me just a few minutes to figure this out. Always be careful guys: I know those keys are different from passwords, but NEVER REVEAL ANYTHING ANYWHERE. 

Hope that my first blog post interested you and have a really nice day. It looks like I'm gonna like this community!

Sort:  

Congratulations @madbillys! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

You published your First Post
You made your First Vote
You got a First Vote

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Upvote this notification to help all Steemit users. Learn why here!

Congratulations @madbillys! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 1 year!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Coin Marketplace

STEEM 0.20
TRX 0.25
JST 0.038
BTC 97445.74
ETH 3477.06
USDT 1.00
SBD 3.16