Today at 13:00 UTC what looked like a massive automated vote occurred on Steem. The SteemConnect API received a large number of requests to upvote and downvote the following posts without user approval:
- https://steemit.com/bitcoin/@haejin/bitcoin-btc-evening-update-short-term-jives-with-the-longer-term
- https://steemit.com/bitshares/@haejin/bitshares-bts-updated-price-indicator-pattern-and-waves
- https://steemit.com/homesteading/@adetanlus/benefits-of-papaya-flowers-for-health-what-you-need-to-know-2049affee5108
- https://steemit.com/photography/@zulkifli123/flower-beautiful-3513d9afa3893
- https://steemit.com/philippines/@sabeboo83/anyideaswhattopairwiththisimthinkingofmakingawhiteandbluedeck-k558xwa4dm
We can see from the SteemConnect logs that a malicious actor used Utopian's privileges to broadcast votes on behalf of users. If you have delegated posting authority to @utopian.app, you may want to check your posting/voting history to see if your account has been affected. If it has, we recommend that you undo those votes.
To check your history, go to https://steemd.com/@fabien (replace @fabien with your username).
We've disabled the @utopian.app app and revoked all of its access tokens on SteemConnect while this issue is being resolved. The Utopian team helped us identify the abuse early, and the SteemConnect server logs clearly show that the requests came not from Utopian's server IPs but from an external actor.
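To make the history check above repeatable, here is an added example (not code from the busy.org post) that scans an account history for votes cast on the five listed posts during the incident and builds the matching unvote operations. It assumes entries in the shape returned by Steem's `get_account_history`, an incident window around 13:00 UTC on 2018-05-04 (the date comes from the linked Utopian post title), and uses a constructed sample history rather than real chain data; nothing is broadcast.

```python
from datetime import datetime

SUSPECT_URLS = [  # the five posts named in the announcement above
    "https://steemit.com/bitcoin/@haejin/bitcoin-btc-evening-update-short-term-jives-with-the-longer-term",
    "https://steemit.com/bitshares/@haejin/bitshares-bts-updated-price-indicator-pattern-and-waves",
    "https://steemit.com/homesteading/@adetanlus/benefits-of-papaya-flowers-for-health-what-you-need-to-know-2049affee5108",
    "https://steemit.com/photography/@zulkifli123/flower-beautiful-3513d9afa3893",
    "https://steemit.com/philippines/@sabeboo83/anyideaswhattopairwiththisimthinkingofmakingawhiteandbluedeck-k558xwa4dm",
]

def parse_post_url(url):
    """Return (author, permlink) from a steemit.com URL of the form .../<category>/@<author>/<permlink>."""
    author, permlink = url.rstrip("/").split("/")[-2:]
    return author.lstrip("@"), permlink

SUSPECT_POSTS = {parse_post_url(u) for u in SUSPECT_URLS}

# Assumed incident window: the post says 13:00 UTC; the linked Utopian post dates the hack May 3rd-4th 2018.
WINDOW_START = datetime(2018, 5, 4, 12, 30)
WINDOW_END = datetime(2018, 5, 4, 14, 0)

def find_incident_votes(history, account, start=WINDOW_START, end=WINDOW_END):
    """Vote ops cast *by* `account` on a suspect post inside the window. Entries use the get_account_history
    shape [index, {"timestamp", "op": [name, params]}]; votes the account merely received are skipped."""
    hits = []
    for _index, entry in history:
        op_name, op = entry["op"]
        if op_name != "vote" or op["voter"] != account:
            continue
        cast_at = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%S")
        if start <= cast_at <= end and (op["author"], op["permlink"]) in SUSPECT_POSTS:
            hits.append(op)
    return hits

def undo_ops(votes):
    """Operations that cancel each vote: on Steem an upvote or downvote is removed by re-voting with weight 0."""
    return [["vote", {"voter": v["voter"], "author": v["author"], "permlink": v["permlink"], "weight": 0}]
            for v in votes]

def _entry(ts, voter, author, permlink, weight):
    return [0, {"timestamp": ts, "op": ["vote", {"voter": voter, "author": author, "permlink": permlink, "weight": weight}]}]

# Constructed sample history for account "alice" (illustrative, not real chain data).
SAMPLE_HISTORY = [
    _entry("2018-05-04T09:00:00", "alice", "zulkifli123", "flower-beautiful-3513d9afa3893", 10000),  # before the window
    _entry("2018-05-04T13:02:15", "alice", "haejin", "bitcoin-btc-evening-update-short-term-jives-with-the-longer-term", 10000),
    _entry("2018-05-04T13:03:00", "bob", "alice", "my-own-post", 10000),  # a vote alice received, not one she cast
    _entry("2018-05-04T13:04:30", "alice", "adetanlus", "benefits-of-papaya-flowers-for-health-what-you-need-to-know-2049affee5108", -10000),
    _entry("2018-05-04T13:05:00", "alice", "carol", "unrelated-post", 5000),  # in window, but not a suspect post
]
```

Running `undo_ops(find_incident_votes(SAMPLE_HISTORY, "alice"))` yields the two weight-0 vote operations that would reverse the haejin upvote and the adetanlus downvote; they still have to be signed and broadcast with your own posting authority.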
What happened?
Utopian asks for "offline access" when using SteemConnect. This gives the Utopian app the ability to issue an access token for its users at any time using what we call a "refresh token", which is standard usage in OAuth 2. It seems that someone got access to Utopian's database, where the refresh tokens were stored. These refresh tokens were then used to generate new access tokens and broadcast votes for the affected accounts. If your account has been affected, you had most likely granted offline access to Utopian.
Has SteemConnect been hacked?
No. A malicious party sent requests to the SteemConnect API using Utopian's refresh tokens, but did not have direct access to the SteemConnect server.
My account upvoted some posts without my approval. Are my keys safe?
Neither SteemConnect nor Utopian has access to any of your keys. The SteemConnect API uses posting-authority delegation to broadcast posting operations for you. The operations are signed by the @steemconnect account, not with your own keys. You are not giving SteemConnect your keys, only permission to use your account.
We are still investigating this issue and will give you another update when we have one.
Edit: You can read Utopian's related post here: https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised
Here is the information about the hack: https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised
Thank you master @elear 👍👍
thank you too--
Nice usage of utopian.tip ...
Was just a way to get it to the top @jefpatat. Do you really think I am interested in a few SBDs?
Second highest comment is heimin's 1.26.
Did I say that?
@busy.org When will the full toolset at https://steemconnect.com/ become available to use? I currently have a list of projects I want to delegate to, however I am going to wait until this becomes available as all the delegations will be easier to manage/monitor.
Hey the johal... We want to curate Christian videos on DTube to spread the word of Christ on DTube. If you delegate to us we will send you the DTube rewards and the curation rewards (we will be powering down for that). It would be great because it's a really good cause. We would make one single video a day and we would vote for ourselves; that would be our profit. All the best, and help us spread the word of Jesus Christ. Thank you so much man... God bless you
Please message me via Discord chat @christianchannel and we can talk about further possibilities there.
Thank you
Ok... did it... awaiting your reply... God bless you and all the best
I sent you a message via wallet... All the best and God bless you
Hey @thejohalfiles, what do you mean with full toolset? Is there something specific you're waiting for?
@fabien I mean when will the website steemconnect.com become available for everyone to access and use steem connect?
SteemConnect is still in beta, but everyone can use it already. There will be a public release once Steemit Inc takes over the project completely.
One question giving him so much attention lol. Work hard my friends, it will pay off
@thejohalfiles where can I ping you? I would appreciate a conversation.
Discord is the best place to find me
Hey @thejohalfiles, I'm the founder of a new community on Steem called @dlivestreamers. I have some questions I would like to ask, if possible. Could you please add me on Discord? chigz#1148 https://discord.gg/8vhEg8
Okay. And the discord ID. Thanks
:)
Hello my dear @thejohalfiles, this is another art work and gift, but this time I took my abilities to a higher and more professional level just to make you 100% satisfied. Your satisfaction means a lot to me, so I hope you like it. https://steemit.com/@soufianechakrouf/another-drawing-for-thejohalfiles
Hello, please check out @atimk23 and follow if you like the content. Don't hesitate to upvote. Have a nice day!
I wanna invite you to read my short stories (essays), thank you 😊
The save button on the https://v2.steemconnect.com/apps/@steemhost.app/edit page does not work. Is there tech support for SteemConnect?
Thank you so much for this update, I understand now what happened.
why you don't upvote my blog until last month....??
Please Stop - @jackjami
You just said "vote my" and in your last 100 comments you used 36 phrases considered to be spam and you made this exact same comment 1 time. You've received 0 flags and you may see more on comments like these. These comments are the reason why your Steem Sincerity API classification scores are Spam: 55.40% and Bot: 2.60%
Please stop making comments like this and read the ways to avoid @pleasestop and earn the support of the community.
Thanks for your good information.
We should maintain the clean atmosphere of this community
Thank you master, I just use busy.org. I just believe busy.
This awareness spreading post is really appreciable because it will help to the Steemians to stay vigilant and to keep more analytical vision towards the process because everyone's contribution is really important to keep the platform user friendly. Keep doing the great work. 🙂
May you always succeed in helping others
@busy.org we are not satisfied with your explanation... What aren't you telling us? Some of us are in a panic and want to feel at least relieved...
What isn't clear about what they said up here?
Isn't it crystal clear?
Panic about what exactly? Wallets are safe!
Esteemed, thanks for the heads up.
Good information for us
Thank you for information. I resteemed this post.
May you always succeed in helping others
Thank you.
Same repetitive comment from fsl
I am writing various comments.
Not you but @fsl
I see.
When coins get hacked they lose millions of $
But on Steem you lose votes. ;)
Thank you master @busy.org
Thank you for contributing to the platform, and thanks for encouraging minnows like me to go ahead on the platform. Thanks again, and I wish the platform will get better and better.
Oh, it's so sad that the attackers are able to do this. I am amazed at their great mental abilities. If such strong minds are put on the right track, who knows how far progress would have stepped. It is a pity that the scammers spend their potential for criminal and dishonest fraud.
That's what scammers are and it's what they do. I pity the victims more.
This is so great. You got the great point here.
I love your post, I like your work, thanks for the update.
Oh, what about those who keep following and then unfollowing? Even if we mute the person they just keep appearing in our notifications, which is annoying tbh.
Perfect, I am happy with successful people like you. Thanks for the help... good will always be repaid with goodness!!!
Thank you for your information @busy.org
Congratulations @busy.org! You have completed some achievement on Steemit and have been rewarded with new badge(s): Award for the number of upvotes. Click on any badge to view your Board of Honor. For more information about SteemitBoard, click here. If you no longer want to receive notifications, reply to this comment with the word STOP. Do not miss the last announcement from @steemitboard!
Hi, I have been using busy.org to post articles but I never receive an upvote from the busy.org bot. My total follower vests are 141335117. Can you please tell me what I am doing wrong?
Very slow follow system..
Test
May you always succeed in helping others
I want to ask you, whether to use a quick post without using photos.
It's safer for an app to handle tokens than to handle your private key. Tokens expire after 7 days or when the user revokes them, and they grant only a scoped permission to do some operations. A token may allow only 'vote', for example.
I'm glad you guys clarify what really happened and why SteemConnect is still to be trusted. I'm not seeing that from Utopian. They seem to focus more on damage control and blaming the hacker. In the end it was their security which proved insufficient. I don't want to play blame games, but when security is involved straightforward honesty is what works best. It's a pity SteemConnect has been blamed incorrectly.
I believe I may be the cause of the belief that we claimed SC2 was to blame. While we did encounter an issue with not being able to revoke the tokens, we shouldn't have leaked them in the first place. SteemConnect was not, in any way, to blame for this leak.
This was my stance alone and did not represent Utopian-io as a company. I apologize for causing misinformation.
No, not at all. I was already getting information from other sources. You see, this is just what happens when people go into panic mode. The incomplete news spread too fast and became FUD. Crisis communication is an art in itself; we can't expect that from a bunch of enthusiasts. It's a pity this communication has to be made. If everything had gone perfectly it wouldn't have been necessary.
I repeat: "I don't want to play blame games" ;-)
May you always succeed in helping others
@jefpatat SteemConnect was never blamed. Totally the opposite. You have evidence in Discord and in this post https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised.
@elear Maybe I worded my comment incorrectly. Please note I explicitly mentioned 'I don't want to play blame games'. You know I value you and Utopian. I was there to help at the very start, remember? Before the official announcement came there was a lot of FUD going around, both on Discord and in Steem blog posts. It was not clear if the issue was with one of the apps that use SteemConnect or with SteemConnect itself. All over the place it was advised to revoke all tokens, not only for Utopian. So, I didn't mean to say SteemConnect was directly blamed by you guys, but it got a lot of negative publicity. That's most probably the very reason for this post. In the meantime your post has been updated to refer to this post.
SteemConnect is something very important to the ecosystem and there was no (big) issue with it. At the time of writing I missed some emphasis on this. But then again, you are correct you shouldn't emphasize on negative publicity for SteemConnect if you didn't initiate it yourself.
I would never harm SteemConnect or Busy even by mistake. They have been a great help for us. There was uncertainty and people made guesses. I made sure the post removed any chance for users to guess the problem was SC.
There are 2 different ways. Both have advantages and downsides.
Not everything, for example you cannot do scheduled posts on the client side.
You also need to know how to do proper key storage with auth; some apps failed on this and we cannot expect every app will know how to do it properly.
You need to have your code reviewed (be open source) or be trusted in the community; not everyone is DTube or Steemit.
The app may get it. If the server is hacked like Utopian's was, the hacker could log users' keys and in the end force users to update their keys. With SteemConnect we don't store keys; the hacker may get an access_token, which expires after 7 days or gets manually revoked, but users' keys are not exposed.
May you always succeed in helping others
First you say the client side does not need key handling, then you say they should code proper key storage...
Isn't it contradictory?
It really depends on the purpose of the app. For an interface like Steemit or DTube there is no need to store keys on the server side, nor access tokens. But there are certain types of apps that need that, and as far as I know, it is far more secure to store OAuth2 tokens than private keys.