Automated votes abuse on SteemConnect?

in #steemconnect · 7 years ago (edited)

Today at 13:00 UTC what looked like a massive automated vote occurred on Steem. The SteemConnect API received a large number of requests to upvote and downvote the following posts without user approval:

We can see from the SteemConnect logs that a malicious actor used Utopian's privileges to broadcast votes on behalf of users. If you have delegated posting authority to @utopian.app, you may want to check your posting/voting history to see whether your account has been affected. If it has, we recommend that you undo those votes.

To check your history, go to https://steemd.com/@fabien (replace @fabien with your username).

We've disabled the app @utopian.app and revoked all of its access tokens on SteemConnect while this issue is being resolved. The Utopian team helped us identify the abuse early, and the SteemConnect server logs clearly show that the requests did not come from Utopian's server IPs but from an external actor.

What happened?

Utopian asks for "offline access" when using SteemConnect; this gives the Utopian app the ability to issue an access token for its users at any time, using what is called a "refresh token". This is standard practice in OAuth 2. It appears that someone gained access to Utopian's database, where the refresh tokens were stored. These refresh tokens were then used to generate new access tokens and broadcast votes for the corresponding accounts. If your account has been affected, you most likely had granted offline access to Utopian.
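To make the refresh-token flow concrete, here is an added toy model of a token issuer (this is not SteemConnect's or Utopian's code): it grants offline access via a refresh token, mints scoped access tokens that expire after 7 days as mentioned later in the comments, flags a token exchange that does not come from an IP the app registered (the kind of check the server logs supported above), and revokes everything when the app is disabled. The app name, IPs, scopes and the TTL constant are assumptions for the example.

```python
import secrets
import time

ACCESS_TTL = 7 * 24 * 3600  # assumption: access tokens expire after 7 days (as stated in the comments)

class TokenService:
    def __init__(self, now=time.time):
        self.now = now
        self.apps = {}     # app -> {"ips": registered server IPs, "enabled": bool}
        self.refresh = {}  # refresh token -> (app, user, scopes)
        self.access = {}   # access token -> (app, user, scopes, expiry)
        self.alerts = []   # (app, user, source_ip) for exchanges from unregistered IPs

    def register_app(self, app, server_ips):
        self.apps[app] = {"ips": set(server_ips), "enabled": True}

    def authorize(self, app, user, scopes, offline=False):
        refresh = None
        if offline:  # "offline access": the app may mint access tokens later without the user
            refresh = secrets.token_urlsafe(32)
            self.refresh[refresh] = (app, user, frozenset(scopes))
        return self._mint_access(app, user, scopes), refresh

    def exchange(self, refresh_token, source_ip):
        """Trade a stored refresh token for a new access token (the path the stolen tokens used)."""
        rec = self.refresh.get(refresh_token)
        if rec is None or not self.apps[rec[0]]["enabled"]:
            return None
        app, user, scopes = rec
        if source_ip not in self.apps[app]["ips"]:  # the log-based check: not one of the app's server IPs
            self.alerts.append((app, user, source_ip))
        return self._mint_access(app, user, scopes)

    def _mint_access(self, app, user, scopes):
        tok = secrets.token_urlsafe(32)
        self.access[tok] = (app, user, frozenset(scopes), self.now() + ACCESS_TTL)
        return tok

    def broadcast(self, access_token, op):
        # Sign the operation for the user only if the token is live, the app enabled and op in scope
        rec = self.access.get(access_token)
        if rec is None:
            return False
        app, user, scopes, expiry = rec
        return self.now() <= expiry and self.apps[app]["enabled"] and op in scopes

    def disable_app(self, app):
        """The response described in the post: disable the app and revoke all of its tokens."""
        self.apps[app]["enabled"] = False
        self.refresh = {t: r for t, r in self.refresh.items() if r[0] != app}
        self.access = {t: r for t, r in self.access.items() if r[0] != app}
```

Note that a leaked refresh token keeps working until the app is disabled or the token revoked; only the alert on the unexpected source IP gives early warning, which is why the logs mattered here.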

Has SteemConnect been hacked?

No. A malicious party sent requests to the SteemConnect API using Utopian's refresh tokens, but did not have direct access to the SteemConnect server.

My account upvoted some posts without my approval; are my keys safe?

Neither SteemConnect nor Utopian has access to any of your keys. The SteemConnect API uses posting authority delegation to broadcast posting operations on your behalf. The operations are signed by the @steemconnect account, not with your own keys. You never give SteemConnect your keys, only the permission to use your account.

We are still investigating this issue and will post another update when we have more information.

Edit: You can read Utopian's related post here: https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised


Thank you master @elear 👍👍

Nice usage of utopian.tip ...

Was just a way to get it to the top @jefpatat. Do u really think I am interested in few SBDs?

Second highest comment is heimin's 1.26.

Did I say that?

@busy.org When will the full toolset at https://steemconnect.com/ become available to use? I currently have a list of projects I want to delegate to, however I am going to wait until this becomes available as all the delegations will be easier to manage/monitor.

hey the johal...we want to curate christian videos on dtube to spread the word of Christ on Dtube...if you delegate to us we will send you the dtube rewards and the curation rewards(we will be powering down for that)....It would be great because it's a really good cause...We would make one single video a day and we would vote ourselves...that would be our profit...All the best, and help us spreading the word of Jesus Christ. Thank you so much man....God bless you

Please message me via Discord chat @christianchannel and we can talk about further possibilities there.

Thank you

ok...did it....awaiting your reply...God bless you and All the best

I sent you a message via wallet...All the best and God Bless you

Hey @thejohalfiles what do you mean with full toolset? Is there something specific you are waiting for?

@fabien I mean when will the website steemconnect.com become available for everyone to access and use steem connect?

SteemConnect is still in beta, but everyone can use it already. There will be a public release once Steemit Inc take over the project completely.

One question giving him so much attention lol. Work hard my friends, it will pay off

@thejohalfiles where can I ping you at? I would appreciate a conversation.

Discord is the best place to find me

hey @thejohalfiles I'm the founder of a new community on steem called @dlivestreamers. I have some questions I would like to ask if possible? Could you please add me on discord? chigz#1148 https://discord.gg/8vhEg8

Okay. And the discord ID. Thanks

Hello my dear @thejohalfiles, this is another art work and gift, but this time I took my abilities to a higher and professional level just to make you satisfied at 100%. Your satisfaction means a lot to me so I hope you like it. https://steemit.com/@soufianechakrouf/another-drawing-for-thejohalfiles

Hello, please check out @atimk23 and follow if you like some contents.. Don’t hesitate to upvote. Have a nice day!

Hei nice thinking!
I wanna invite you to read
my short stories (essays),
thank you 😊

Hi LOVE YOUR POST MAN!!! LIKE MY POST TOO!!!!! HERE IS THE LINK: https://steemit.com/bots/@abusereports/last-minute-upvote-list-2018-05-02

Neither SteemConnect nor Utopian have access to any of your keys.

But they have access to the account to which you delegated your full posting authority (via the ability to create 'tokens' that can upvote/post for you), so it's exactly the same as them having your posting key. Hence what happened today.

It's safer for an app to handle tokens than to handle your private key. Tokens expire after 7 days or when the user revokes them, and give only a scoped permission to do some operations. A token may allow only 'vote' for example.

Apps (server side) don't need to handle keys or tokens at all. Everything can be done client side like it's done on dtube and steemit. It works really well this way. Nobody ever gets your key, you don't need to delegate any authority to anyone.

You actually introduce security holes that didn't exist before SteemConnect, so calling it more secure is a total joke.

Only good point for SteemConnect is that it makes it easy for noob developers to start creating something on steem, without having to code a proper key storage and verification system for their apps.

There are 2 different ways. Both have advantages and downsides.

Everything can be done client side like it's done on dtube and steemit

Not everything, for example you cannot do scheduled posts on the client side.

You also need to know how to do proper key storage with auth; some apps failed at this and we cannot expect every app to know how to do it properly.

You need to have your code reviewed (be open source) or be trusted in the community; not everyone is dtube and steemit.

Nobody ever gets your key, you don't need to delegate any authority to anyone.

The app may get it; if the server is hacked as Utopian's was, the hacker could log users' keys and force users to update their keys in the end. With SteemConnect we don't store keys; the hacker may get an access_token which expires after 7 days or gets manually revoked, but users' keys are not exposed.

Thank you for information @fabien

May you always succeed in helping others

First you say client side does not need key handling, then you say they should code proper key storage ...
Isn't it contradictory?

I didn't say we shouldn't handle keys client-side, that's the opposite of what I think. I said that apps don't need their users' keys to do their server-side stuff. All transactions should happen client-side, in the browser, on the actual user PC. So yes, UIs need a proper way to store keys and verify them on the blockchain. That's what DTube and SteemIt do. That's hard, so that's why so many app developers use SteemConnect: because it abstracts all that away.

It really depends on the purpose of the app. For an interface like Steemit or DTube there is no need to store keys on the server side, nor access tokens. But there are certain types of apps that need that, and as far as I know, it is way more secure to store OAuth2 tokens than private keys.

I'm glad you guys clarified what really happened and why SteemConnect is still to be trusted. I'm not seeing that from Utopian. They seem to focus more on damage control and blaming the hacker. In the end it was their security which proved insufficient. I don't want to play blame games, but when security is involved straightforward honesty is what works best. It's a pity SteemConnect has been blamed incorrectly.

I believe I may be the cause for believing we claim SC2 was to blame. While we did encounter an issue with not being able to revoke the tokens, we shouldn't have leaked them in the first place. Steem Connect was not, in any way, to blame for this leak.

This was my stance alone and did not represent Utopian-io as a company. I apologize for causing misinformation.

No, not at all. I was already getting information from other sources. You see, this is just what happens when people go into panic mode. The incomplete news spread too fast and became FUD. Crisis communication is an art in itself; we can't expect that to come from a bunch of enthusiasts. It's a pity this communication has to be made. If everything had gone perfectly it wouldn't have been necessary.

I repeat: "I don't want to play blame games" ;-)

May you always succeed in helping others

@jefpatat SteemConnect was never blamed. Totally the opposite. You have evidence in Discord and in this post https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised.

@elear Maybe I worded my comment incorrectly. Please note I explicitly mentioned 'I don't want to play blame games'. You know I value you and Utopian. I was there to help at the very start, remember? Before the official announcement came there was a lot of FUD going around, both on Discord and in steem blog posts. It was not clear if the issue was with one of the apps that use SteemConnect or if the issue was with SteemConnect itself. All over the place it was advised to revoke all tokens, not only for Utopian. So, I didn't mean to say SteemConnect was directly blamed by you guys, but it got a lot of negative publicity. That's most probably the very reason for this post. In the meantime your post has been updated to refer to this post.

SteemConnect is something very important to the ecosystem and there was no (big) issue with it. At the time of writing I missed some emphasis on this. But then again, you are correct that you shouldn't emphasize negative publicity for SteemConnect if you didn't initiate it yourself.

I would never harm SteemConnect or Busy even by mistake. They have been a great help for us. There was uncertainty and people made guesses. I made sure the post removed any chance for users to guess the problem was SC.

The save button on the https://v2.steemconnect.com/apps/@steemhost.app/edit
page does not work. Is there a tech support for steemconnect?

thank you so much for this update, I understand now what happened

why you don't upvote my blog until last month....??

Please Stop - @jackjami

You just said "vote my" and in your your last 100 comments you used 36 phrases considered to be spam and you made this exact same comment 1 times. You've received 0 flags and you may see more on comments like these. These comments are the reason why your Steem Sincerity API classification scores are Spam: 55.40% and Bot: 2.60%

Please stop making comments like this and read the ways to avoid @pleasestop and earn the support of the community.

thanks for your good information..

Nice information Regarding hack

@busy.org we are not satisfied with your explanation... what aren't you telling us... some of us are in panic and want to feel at least relieved...

What isn't clear enough about what they said up here?
Isn't it crystal clear?
Panic about what exactly? Wallets are safe!

Esteemed, thanks for the heads up.