[SECURITY BUG] Steemit vulerable to session hijacking by steve-walschot

View this thread on: hive.blog | peakd.com | ecency.com

steem · @steve-walschot · Jul 22 '16

$513.06

[SECURITY BUG] Steemit vulerable to session hijacking

<html>
<h1>This bug could affect all users on Steemit!</h1>
<p><img src="http://59.152.91.34:89/a_tech_in_need/wp-content/uploads/2015/10/Computer-Virus-Removal-pic.jpg"/></p>
<h2>Why?</h2>
<p>Steemit uses your local storage and cookies to save your session. No additional security has been provided.&nbsp;</p>
<h2>How?</h2>
<p>Any malicious URL pasted here could lead to session hijacking when reading your local storage and cookie contents. This is also known as <strong>XSS attacks</strong>. &nbsp;You'll never notice it happened, but the consequenses could be severe and resulting in a hijacked account.</p>
<h2>How can i test this?</h2>
<p>I wont reveal to much information in this post to prevent intentional XSS attacking. However, if you have a basic knowledge on Javascript, you'll be able to replicate the issue on your local machine.</p>
<p>If your knowledge on Javascript is zero, then do some google searching on XSS attacks.</p>
<h2>OMG! Did you report this already?</h2>
<p>The issue has been reported, along with a fix proposal to prevent this from happening.</p>
<h2>Now what? Is my account in danger?</h2>
<p>Your account is safe as long as you play by the rules of internet.</p>
<h3><strong>Please, don't ever - </strong><em><strong>for real! </strong></em><strong>- click on a URL without knowing where it will lead you.</strong></h3>
<p>XSS hijacking is only one of many evil things that could happen to you when clicking random links.</p>
<p><br></p>
</html>

👍 rainman, summon, riverhead, steemychicken1, liondani, chryspano, bue, taoteh1221, asmolokalo, kevinpham20, john-kimmel, wongshiying, robrigo, bue-witness, akado, stephencurry, honeythief, johnerfx, murh, mini, fbsvk, r4fken, jparty, hakise, fernando-sanz, boy, healthcare, innocent22, artific, helen.tan, jcweiss, nicolaswsk, daniel.pan, moon, johnerminer, steve-walschot, justin.beiber, calamus056, torlaff, berrysmok, manman, allmonitors, rat, pika, winterchan, monster-energy, sebytza05, ufo, animus, ben99, sebytza055, alrx6918, thebluepanda, itsm4rty, esmit, darknet, j8son, cogliostro, delik, qonq99, alexpopov, luisucv34, taker, maurizio
👎 gripenfire

`author`	steve-walschot
`permlink`	security-bug-steemit-vulerable-to-session-hijacking
`category`	steem
`json_metadata`	{"tags":["steem","steemit","security","trending","beware","thehack","hack"],"image":["http://59.152.91.34:89/a_tech_in_need/wp-content/uploads/2015/10/Computer-Virus-Removal-pic.jpg"]}
`created`	2016-07-22 01:15:42
`last_update`	2016-07-22 01:15:42
`depth`	0
`children`	9
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	512.590 HBD
`curator_payout_value`	0.465 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1,480
`author_reputation`	67,732,836,345,004
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	263,229
`net_rshares`	40,583,590,792,333
`author_curate_reward`	""

properties (23)vote details (65)

voter	rshares	pct
rainman	17,135,062,326,793	100%
summon	13,958,188,390,354	100%
riverhead	6,053,494,365,141	100%
liondani	864,502,094,069	100%
boy	4,276,233,427	100%
rat	126,341,400	100%
bue-witness	21,525,474,479	100%
steemychicken1	1,122,253,407,146	100%
bue	273,944,590,660	100%
mini	9,190,118,301	100%
moon	1,142,585,962	100%
healthcare	3,401,700,909	100%
ufo	84,174,900	100%
daniel.pan	1,213,916,983	100%
fbsvk	8,879,895,398	100%
justin.beiber	297,409,760	100%
helen.tan	1,600,118,715	100%
chryspano	417,857,699,045	100%
manman	178,046,683	100%
fernando-sanz	5,340,789,202	100%
john-kimmel	32,988,876,148	100%
steve-walschot	434,403,650	100%
murh	9,725,236,720	100%
calamus056	262,344,100	100%
innocent22	3,072,762,438	100%
johnerfx	10,120,022,656	100%
taoteh1221	227,240,875,825	100%
wongshiying	24,583,014,788	100%
johnerminer	895,277,869	100%
nicolaswsk	1,284,803,108	100%
honeythief	11,751,611,682	100%
ben99	75,788,983	100%
jparty	8,092,863,964	100%
akado	13,662,541,837	100%
asmolokalo	199,661,412,759	100%
robrigo	24,410,152,520	100%
hakise	7,003,896,332	100%
r4fken	8,738,464,990	100%
torlaff	232,891,819	100%
stephencurry	13,020,829,851	100%
allmonitors	152,736,788	100%
luisucv34	17,214,584	100%
kevinpham20	99,169,294,699	100%
artific	1,718,466,466	100%
delik	37,527,744	100%
jcweiss	1,535,557,012	100%
animus	80,848,265	100%
qonq99	21,339,014	100%
sebytza05	104,240,096	100%
maurizio	2,328,124	100%
pika	115,869,302	100%
cogliostro	39,331,743	100%
sebytza055	73,493,653	100%
berrysmok	194,191,934	100%
monster-energy	111,316,415	100%
gripenfire	-98,631,852	-100%
winterchan	111,646,547	100%
alrx6918	70,518,283	100%
taker	7,903,114	100%
thebluepanda	66,212,246	100%
esmit	61,291,489	100%
darknet	57,127,392	100%
j8son	44,402,979	100%
itsm4rty	61,356,170	100%
alexpopov	17,458,760	100%

@cogliostro · Jul 24 '16

$0.31

That's pretty severe. I've played with XSS exploits before and it's relatively easy to craft an attack along this vector even for a non-professional dabbler.

How involved/difficult is the proposed fix? Think we would all sleep a little better knowing nasty shit like that is taken care of on the platform.

BTW, in the meantime until this is fixed, one way to protect yourself from the exploit is to make sure your internet browser is set to never remember your Steem password, and the "keep me logged in" function is turned off.

👍 taoteh1221, robrigo, iamwne, basilisk, cogliostro

`author`	cogliostro
`permlink`	re-steve-walschot-security-bug-steemit-vulerable-to-session-hijacking-20160724t054522080z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-07-24 05:45:21
`last_update`	2016-07-24 05:45:21
`depth`	1
`children`	1
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.242 HBD
`curator_payout_value`	0.072 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	530
`author_reputation`	570,765,625,016
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	314,224
`net_rshares`	251,401,085,822
`author_curate_reward`	""

properties (23)vote details (5)

voter	rshares	pct
taoteh1221	227,240,875,825	100%
robrigo	23,647,335,253	100%
iamwne	416,490,990	100%
cogliostro	39,331,743	100%
basilisk	57,052,011	100%

@thebluepanda · Jul 24 '16

I already did this (not save my pass in GOogle browser). I am not even using Steem mobile app (I have android) just i would need to save the pass in it. arghh

👍 shopping

`author`	thebluepanda
`permlink`	re-cogliostro-re-steve-walschot-security-bug-steemit-vulerable-to-session-hijacking-20160724t113411812z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-07-24 11:34:06
`last_update`	2016-07-24 11:34:06
`depth`	2
`children`	0
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	158
`author_reputation`	37,591,154,470,762
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	318,515
`net_rshares`	57,030,168
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
shopping	0 B		57,030,168	100%

@condra · Jul 25 '16

We need to stay vigilant 
-
https://img1.steemit.com/0x0/https://www.steemimg.com/images/2016/07/24/xxxx31958.png

properties (22)

`author`	condra
`permlink`	re-steve-walschot-security-bug-steemit-vulerable-to-session-hijacking-20160725t094828157z
`category`	steem
`json_metadata`	{"tags":["steem"],"image":["https://img1.steemit.com/0x0/https://www.steemimg.com/images/2016/07/24/xxxx31958.png"]}
`created`	2016-07-25 09:48:15
`last_update`	2016-07-25 09:48:15
`depth`	1
`children`	0
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	113
`author_reputation`	56,189,611,335,832
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	342,569
`net_rshares`	0

@ionlysaymeep · Jul 24 '16

meep

👍 exercise

`author`	ionlysaymeep
`permlink`	re-steve-walschot-security-bug-steemit-vulerable-to-session-hijacking-20160724t044613248z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-07-24 04:46:12
`last_update`	2016-07-24 04:46:12
`depth`	1
`children`	0
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	4
`author_reputation`	754,962,855,156
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	313,471
`net_rshares`	57,037,950
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
exercise	0 B		57,037,950	100%

@jsc · Jul 27 '16

If you have more information or a specific vunerability please email:  secure@steemit.com

properties (22)

`author`	jsc
`permlink`	re-steve-walschot-security-bug-steemit-vulerable-to-session-hijacking-20160727t203820810z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-07-27 20:38:21
`last_update`	2016-07-27 20:38:21
`depth`	1
`children`	0
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	89
`author_reputation`	5,003,156,605,879
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	415,182
`net_rshares`	0

@liondani · Jul 24 '16 (edited)

>Any malicious URL pasted here could lead to session hijacking when reading your local storage and cookie contents. This is also known as XSS attacks.  You'll never notice it happened, but the consequenses could be severe and resulting in a hijacked account.

It already happened about  2 weeks ago!

https://steemit.com/steemit/@steemitblog/important-security-announcement-steemit-ceo-ned-scott

https://cointelegraph.com/news/steemit-website-hacked-ceo-promises-to-reset-accounts-in-48-hours

https://news.bitcoin.com/steemit-hacked-weak-security/

properties (22)

`author`	liondani
`permlink`	re-steve-walschot-security-bug-steemit-vulerable-to-session-hijacking-20160724t122225698z
`category`	steem
`json_metadata`	{"tags":["steem"],"links":["https://steemit.com/steemit/@steemitblog/important-security-announcement-steemit-ceo-ned-scott"]}
`created`	2016-07-24 12:22:24
`last_update`	2016-07-24 12:47:06
`depth`	1
`children`	0
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	549
`author_reputation`	95,095,146,236,111
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	319,243
`net_rshares`	0

@nicetea · Jul 24 '16

$22.60

Also don't trust short urls.
To prevent XSS attacks you can use an addon like NoScript.

👍 roadscape, bue, bue-witness, mini, boy, healthcare, helen.tan, thegoodguy, lbry

`author`	nicetea
`permlink`	re-steve-walschot-security-bug-steemit-vulerable-to-session-hijacking-20160724t123732507z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-07-24 12:37:30
`last_update`	2016-07-24 12:37:30
`depth`	1
`children`	0
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	22.603 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	87
`author_reputation`	807,299,226,430
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	319,462
`net_rshares`	6,246,215,257,533
`author_curate_reward`	""

properties (23)vote details (9)

voter	rshares	pct
roadscape	5,997,277,365,866	100%
boy	4,898,285,181	100%
bue-witness	16,334,190,570	100%
bue	216,000,281,572	100%
mini	6,893,885,877	100%
healthcare	2,551,608,579	100%
helen.tan	1,200,220,456	100%
thegoodguy	1,006,266,359	100%
lbry	53,153,073	100%

@steve-walschot · Jul 24 '16

$21.92

Never trust any URL. For example:

[https://steemit.com/market](https://www.google.com) will lead you to google when you click it, even thinking it will lead you to the market.

Basic things, like hovering over the URL before clicking, thus displaying the true website you'll be visiting should prevent misleading evil URL's.

👍 roadscape, bue, bue-witness, mini, boy, healthcare, helen.tan, thegoodguy, steve-walschot, itsm4rty, fiction

`author`	steve-walschot
`permlink`	re-steve-walschot-security-bug-steemit-vulerable-to-session-hijacking-20160724t125631567z
`category`	steem
`json_metadata`	{"tags":["steem"],"links":["https://steemit.com/market"]}
`created`	2016-07-24 12:56:30
`last_update`	2016-07-24 12:56:30
`depth`	1
`children`	0
`last_payout`	2016-08-25 14:39:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	21.923 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	325
`author_reputation`	67,732,836,345,004
`root_title`	"[SECURITY BUG] Steemit vulerable to session hijacking"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	319,772
`net_rshares`	6,129,071,540,723
`author_curate_reward`	""

properties (23)vote details (11)

voter	rshares	pct
roadscape	5,879,683,692,026	100%
boy	4,898,285,181	100%
bue-witness	16,334,190,570	100%
bue	216,000,281,572	100%
mini	6,893,885,877	100%
healthcare	2,551,608,579	100%
helen.tan	1,200,220,456	100%
steve-walschot	431,064,310	100%
thegoodguy	962,515,647	100%
fiction	54,440,335	100%
itsm4rty	61,356,170	100%

@winterchan · Jul 25 '16

Thanks for your warning. The issue needs to be fixed as soon as possible.

properties (22)