EOS fake-account security risk warning. The SlowMist security team advises:
If an EOS wallet developer does not check node confirmation strictly (for example, requiring at least 15 confirming nodes before telling the user that account creation succeeded), a fake-account attack becomes possible.
The attack proceeds as follows:
- The user registers an account (e.g. aaaabbbbcccc) through an EOS wallet, and the wallet reports that registration succeeded. Because the check is lax, the account has in fact not been registered successfully yet.
- The user immediately uses this account for a withdrawal at an exchange.
- If any party in this process acts maliciously, the name aaaabbbbcccc can still be registered by someone else, so the user withdraws funds into an account that is no longer their own.
Defensive suggestion: poll the nodes and only report success once the transaction is in an irreversible block. The technical steps are:
- push_transaction returns a trx_id
- Call the interface POST /v1/history/get_transaction with that trx_id
- In the response, the transaction is irreversible when block_num is less than or equal to last_irreversible_block
Thanks to:
Huobi, for providing the threat intelligence
MORE.TOP Wallet, for providing the defensive technical details
The WTF Wallet Technology Working Group, for the discussion
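The polling check described above, written out as an added example (not code from SlowMist or any wallet project): after push_transaction, the wallet keeps querying get_transaction for the trx_id and only treats the account as created once block_num <= last_irreversible_block. The sample responses are constructed and contain only the two fields the advisory names; a real history node returns more. The http_fetch helper and its node URL are assumptions about how a wallet would issue the POST.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample responses modelled on the two fields the advisory names
# in the POST /v1/history/get_transaction reply. Real replies carry more data.
SAMPLE_RESPONSES: List[Dict] = [
    {"id": "deadbeef", "block_num": 1005, "last_irreversible_block": 990},   # reversible
    {"id": "deadbeef", "block_num": 1005, "last_irreversible_block": 1002},  # reversible
    {"id": "deadbeef", "block_num": 1005, "last_irreversible_block": 1005},  # irreversible
]


def is_irreversible(tx_info: Dict) -> bool:
    """True only when the block holding the transaction is at or below the
    node's last irreversible block (LIB). Missing or malformed fields are
    treated as "not confirmed", never as success."""
    try:
        return int(tx_info["block_num"]) <= int(tx_info["last_irreversible_block"])
    except (KeyError, TypeError, ValueError):
        return False


def http_fetch(trx_id: str, node_url: str = "http://127.0.0.1:8888") -> Optional[Dict]:
    """Query a history node for one transaction. The node URL is an assumption
    (a local nodeos with the history plugin); returns None if the node has no
    record of the transaction yet or the request fails."""
    body = json.dumps({"id": trx_id}).encode()
    req = urllib.request.Request(
        node_url + "/v1/history/get_transaction",
        data=body,
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    except Exception:
        return None


def wait_for_irreversible(
    trx_id: str,
    fetch: Callable[[str], Optional[Dict]],
    poll_interval: float = 0.5,
    max_polls: int = 120,
    sleep: Callable[[float], None] = time.sleep,
) -> bool:
    """Poll until the transaction is irreversible. Returns False on timeout so
    the caller never reports a successful registration it has not verified."""
    for _ in range(max_polls):
        info = fetch(trx_id)
        if info is not None and info.get("id") == trx_id and is_irreversible(info):
            return True
        sleep(poll_interval)
    return False


def make_replay_fetch(responses: List[Dict]) -> Callable[[str], Optional[Dict]]:
    """Offline stand-in for http_fetch that replays constructed responses in
    order, then keeps returning the last one. Also counts calls for tests."""
    state = {"calls": 0}

    def fetch(trx_id: str) -> Optional[Dict]:
        idx = min(state["calls"], len(responses) - 1)
        state["calls"] += 1
        return responses[idx]

    fetch.state = state  # type: ignore[attr-defined]
    return fetch


if __name__ == "__main__":
    fake = make_replay_fetch(SAMPLE_RESPONSES)
    ok = wait_for_irreversible("deadbeef", fake, sleep=lambda s: None)
    print("account creation confirmed" if ok else "not confirmed; do not report success")
```

The id check guards against a node answering with a different transaction, and a timeout is reported as failure rather than success: the wallet should tell the user the registration is still pending, not that the name is theirs.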