NobleBot Is Introducing A New Tool
Scammers and hackers are updating victim account's authority with their account so that they can still have access when the victim changes the password. They are also changing/adding vesting withdrawal routes to their accounts from victim accounts, so when the victims power down, hackers will receive those STEEM instead.
NobleBot is here with a tool that will remove hackers' ACTIVE and POSTING authorities from victim's account, as well as will remove vesting withdrawal routes. To do these, the webpage will request for STEEM username and PRIVATE ACTIVE KEY (do not worry, I am a good bot!).
Web: https://thenoblebot.herokuapp.com
What this does?
- It removes hacker's posting and active authority
- It removes hacker's account from vesting withdrawal route.
How to use it?
- Enter your steem username
- Enter your private active key
- Click the reset button
- If you get a success message, check
https://steemd.com/@your_username
to verify. - If you get an error, please inform me via comment or Discord (
@noblebot#5631
). - Change your master password
- Be careful about not posting your keys
How can I contribute?
- Report scammers accounts
- Report bugs in the tool
- Letting everyone know about the tool
This sounds like a great idea!
I have the feeling that many people are not clear on the ability to configure vesting withdrawal routes and so having a tool to clear custom configurations like this could be very useful to hacked accounts.
I visited the page but don't have an account to test with right now. Does the site use steemconnect, and if not, would it be possible to use steemconnect? I think that people would be perhaps more willing to use the tool if this 'trusted' mechanism was in place.
Good stuff @noblebot :)
The idea behind this tool is to remove hacker's account (red marked in the picture) from the Authorities of victim's account so that the hacker can not access the account when master password is changed. We need to use private active key for that. I do not think SteemConnect let users updated their active authorities, and set vesting routes, then only let users change posting authorities. I could be wrong though.
This tool should only be used if a hacker updates active authority and/or changed vesting withdrawal routes.
You can send any blockchain operation with SteemConnect. Here's an example for removing a withdraw vesting route:
https://v2.steemconnect.com/sign/set_withdraw_vesting_route?from_account=crokkon&to_account=crokkon&percent=0&auto_vest=0
I was wrong then but I found out it can be done as I mentioned here.
This sounds like a really great tool to help prevent malicious use of hacked accounts.
We agree with @abh12345 that leveraging SteemConnect might help give users an even more secure feeling (especially since them being hacked would make them even less trusting)
look up de SteemConnect devs on Discord.
https://discord.gg/wjXYSU
See what they can do for you in regards to autorities.
Hi @blockbrothers, I also agree with both you and @abh12345. I did some digging and found that I can reset vesting withdrawal routes with SteemConnect, also can set owner and active authorities but can not remove. I asked on SteemConnect's discord channel, hopefully they will get back to me with good news.
Though using active private key gives me more control of the settings and data, but I'd definitely prefer usability over my convenience. If I can do it with SteemConnect, I'll make update to the page and offer both options. :)
Hey @noblebot, this is a great initiative, however I think technically it should be solved differently, as partly already pointed out by @abh12345. People needing this service entered their key or password at a point where they shouldn't have. A "do not worry, I am a good bot!" should not be an intention to enter an active key to a heroku intance. Never ever. Not even for the "good guys". Additionally, the user provided active key is sent to the server, there is no transparency on what's happending in the background. Don't do this.
Also the active key may not be enough in some situations. Imagine an additional active authority with weight and threshold > 1.
How about this: Use the page to list all "issues" with an account and provide a steemconnect link for each of them to remove it. This does not need a single key on your page.
Hi @crokkon, I understand all of your concerns. I also advise nobody to trust a website with their private keys unless it is offered by Steemit Inc.
I can do SteemConnect for withdraw vesting routes, and removal of posting authority. But that won't be enough because with active and/or owner authority those can be re-added in a matter of seconds.
I just want to help the victim of hacking/scam to reset their account authorities as I failed to help them the first time when they posted their key. I know it not wise to trust a dude on the Internet but I am doing whatever I can. I do not keep logs of usage, not even errors.
Looks like my hands are tied at least for now but thank you for commenting.
Hi @noblebot, I just found out SteemConnect actively doesn't want to support account update operations: https://github.com/steemit/steemconnect/issues/206
So you're right, using SteemConnect for these goals will not work :/
You could maybe do it all on client side with steem-js. This way the key wouldn't have to be sent to the server and anybody (at least those tech-savvy enough...) could see what's happening in the source code?
Hi @crokkon, thank you for the suggestion. Though the code is very easy to write, but I do not want to share it publicly as anybody with very little technical knowledge can change 2-3 lines of the code and make a phishing site out of it and run from a free hosting provider.
But if you or anybody trusted by the community want to check the code, I am willing to share. :)
good news noblebot... thanks for support and your tool
▀