
Defacement / Phishing vulnerability in hive-db.com by gaottantacinque

· @gaottantacinque · (edited)
<h4><center>Defacement / Phishing</center></h4>

<div class="pull-right"><br>https://images.hive.blog/DQmW5YXngzAsNPEhQ5MtVgsttwXvVQgKVM37RsjHgGrVPHT/image.png</div>

<br /><br /><br />

You can see from the screenshot below that I was able to replace the content of the target website with my own content.

<br><br>This vulnerability could be exploited by malicious users for phishing campaigns as the link shared with the potential victims has a trusted domain in it!

<center>https://images.hive.blog/DQmUtLMVSGDGi5TKYTAd9Yx68GBGuAamFWPaMxQxRnLEj2z/image.png</center>

<br>The maintainer (one of the top 30 witnesses) has now been notified in multiple ways.

Stay tuned for updates! Will tell you a bit more about it after it gets fixed  
😎 👍

-----

UPDATE 1:

The vulnerability reported above has now been fixed by @jesta. The problem though is worse than I thought and I've found another similar vulnerability that allows me to store code in the site and execute it when the user visits that page:


<center>https://images.hive.blog/DQmXXPyy1ubuwq9YcmY2Y7n7uJaSs2PVTZRmLMeiN8XibXZ/image.png</center>

-----
-----

The issue has not been patched, but the site is now less useful, since if you use any HTML tag in your post, when you try to inspect it in hive-db.com it will now just display "Content not available".


![image.png](https://images.hive.blog/DQmPFU7ewT7DqB1qh9aTpmdHtHThhwNibN1MuzxNN2DsUqT/image.png)


The maintainer said that at the moment he cannot fix it in a better way as he is not actively maintaining this old project (back in the Steemit days it was called https://steemdb.com).

When I have a chance I will test it a bit more for vulnerabilities but after an initial check it seems safe now.

-----
-----

<div class="pull-right">
<sub><b>My side project: @keys-defender</b></sub>
<div>
- <sub><a href="https://hive.blog/steem/@gaottantacinque/the-keys-defender-bot-is-live-in-beta-mode">Keys protection</a><sub>(scan of transfers/posts/comments/others, auto-transfer to savings, auto-reset of keys)</sub></sub>
<br><i>-</i> <sub><a href="https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply">Phishing protection</a></sub>
<br><i>-</i> <sub><a href="https://hive.blog/hivedev/@keys-defender/new-feature-added-to-keys-defender-plagiarism-detection">Re-posting detection</a></sub>
<br><i>-</i> <sub><a href="https://hive.blog/hive-139531/@keys-defender/new-feature-code-injections-attempts-detection-xss-sql-injections-csrf">Code injections detection</a></sub>
</div>

</div>

<div class="pull-left">
<sub><b>My security disclosures (from most recent) on Hive:</b></sub>
<br>- <sub><a href="https://hive.blog/hive/@gaottantacinque/xss-found-in-one-of-drako-s-websites-will-add-details-after-it-s-patched">XSS vulnerabilities in scribe.hivekings.com</a></sub>
<br>- <sub><a href="https://hive.blog/hive/@gaottantacinque/hiveblockexplorer-com-is-vulnerable-to-stored-xss">XSS vulnerabilities in hiveblockexplorer.com</a></sub>
<br>- <sub><a href="https://hive.blog/steemit/@gaottantacinque/steemit-got-hacked">Malicious ads redirecting all Steemit iOS users to a phishing site</a></sub>
<br>- <sub><a href="https://hive.blog/security/@gaottantacinque/steemit-chat-is-unsafe">Reverse tabnabbing and clickjacking in steem.chat and steeemit registration page</a></sub>
</div>
Posted 2020-09-22 22:01:27 in hive-139531 (last edited 2022-07-30 15:27:15); tags: hivedev, security, phishing, abuse, neoxian, palnet.
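The two states the post describes, the original rendering that let post markup land in hive-db.com's page and the later "Content not available" stopgap, shown side by side with an escaping renderer, as an added example that is not hive-db.com's code. The sample post bodies, the function names and the wrapper markup are constructed for this illustration.

```javascript
// Added example (not hive-db.com's code): three ways a block explorer could
// render a post body it fetched from the chain, with constructed sample posts.

// Constructed sample bodies. The first is ordinary post formatting; the second
// carries the kind of tag the disclosure above describes (placeholder content).
const BENIGN_POST = 'Witness update: <b>node upgraded</b>, see https://example.invalid';
const HOSTILE_POST = 'Great tool! <script>/* injected code */</script>';

// Matches any HTML opening or closing tag.
const TAG_RE = /<\/?[a-z][^>]*>/i;

// 1. The vulnerable pattern: the body is dropped into the page as HTML, so
//    whatever markup the post author wrote becomes part of the explorer's page.
function renderUnsafe(body) {
  return `<div class="post-body">${body}</div>`;
}

// 2. The stopgap the maintainer applied, as described above: any tag at all
//    hides the whole post. Safe, but it also hides legitimate formatting.
function renderWithTagBlock(body) {
  if (TAG_RE.test(body)) {
    return '<div class="post-body">Content not available</div>';
  }
  return `<div class="post-body">${body}</div>`;
}

// 3. Escape the HTML-significant characters so the body is shown as text.
//    A browser-side renderer gets the same effect by assigning element.textContent.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}
function renderEscaped(body) {
  return `<div class="post-body">${escapeHtml(body)}</div>`;
}

// Check for a rendering: does the output still contain any tag that came from
// the post body, i.e. anything beyond the constructed wrapper div?
function leaksPostMarkup(html) {
  const inner = html.replace(/^<div class="post-body">/, '').replace(/<\/div>$/, '');
  return TAG_RE.test(inner);
}

for (const body of [BENIGN_POST, HOSTILE_POST]) {
  console.log('unsafe   leaks markup:', leaksPostMarkup(renderUnsafe(body)));
  console.log('tagblock leaks markup:', leaksPostMarkup(renderWithTagBlock(body)));
  console.log('escaped  leaks markup:', leaksPostMarkup(renderEscaped(body)));
}
```

A production explorer that wants to keep post formatting would render the markdown and pass the result through an allow-list HTML sanitizer rather than escaping everything; that step is not shown here.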
@discovery-it ·
<div class="pull-left">https://cdn.steemitimages.com/DQmTAn3c753LR7bHCLPo96g9UvRMaPFwaMYn8VQZa85xczC/discovery_logo_colore%20-%20Copia.png</div><br> This post was shared and voted inside the discord by the curators team of <a href="https://discord.gg/cMMp943"> discovery-it</a> <br>Join our community! <a href = "https://hive.blog/trending/hive-193212"> hive-193212</a><br>Discovery-it is also a Witness, vote for us <a href = "https://hivesigner.com/sign/account-witness-vote?witness=discovery-it&approve=true"> here</a> <br>Delegate to us for passive income. Check our <a href = "https://hive.blog/hive-193212/@discovery-it/delegations-program-80-fee-back"> 80% fee-back Program</a> <hr>
Posted 2020-09-22 22:32:24
@hivebuzz ·
Congratulations @gaottantacinque! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s) :

<table><tr><td><img src="https://images.hive.blog/60x70/http://hivebuzz.me/@gaottantacinque/upvoted.png?202009222241"></td><td>You received more than 4500 upvotes. Your next target is to reach 4750 upvotes.</td></tr>
</table>

<sub>_You can view your badges on [your board](https://hivebuzz.me/@gaottantacinque) and compare yourself to others in the [Ranking](https://hivebuzz.me/ranking)_</sub>
<sub>_If you no longer want to receive notifications, reply to this comment with the word_ `STOP`</sub>



**Do not miss the last post from @hivebuzz:**
<table><tr><td><a href="/hive-192847/@hivebuzz/update-for-regular-authors"><img src="https://images.hive.blog/64x128/https://i.imgur.com/Bkdl8Vk.png"></a></td><td><a href="/hive-192847/@hivebuzz/update-for-regular-authors">Update for regular authors</a></td></tr></table>
Posted 2020-09-22 23:00:06
@klye ·
Damn good work here!
Posted 2020-09-23 10:07:03
@gaottantacinque ·
Thanks! 😎
Posted 2020-09-23 11:43:03
@logic ·
@tipu curate
Posted 2020-09-22 22:17:51
@tipu ·
<a href="https://tipu.online/hive_curator?logic" target="_blank">Upvoted  &#128076;</a> (Mana: 0/6) <a href="https://peakd.com/hive/@reward.app/reward-app-quick-gude" target="_blank">Liquid rewards</a>.
Posted 2020-09-22 22:18:06
@phage93 ·
loool
!discovery 20
Posted 2020-09-22 22:32:03