
Investigate on unauthorised access #621

Closed
JixunMoe opened this issue Jul 16, 2019 · 9 comments

@JixunMoe
Contributor

commented Jul 16, 2019

One of the library scripts I created back in 2014 was infected with a malicious script on 13th May 2019 to harvest private keys of Dash wallets.

Changes to my script can be found at: https://greasyfork.org/scripts/6696/versions .
It was not a hit-and-run, but was constantly updated between May and July of 2019. I consider this to mean my account has been compromised.

An interesting finding: the script in question was a dependency of a more popular script I wrote but stopped maintaining back in 2017. This incident could've been prevented if I did version lock (well, I did not care about dependency breakages at that time) or just embedded it. Maybe we can add a rule to require a valid version lock when referencing raw scripts on GreasyFork (or disallow access to raw code without a valid version tag? But this could be a breaking change.)

I would also suggest adding opt-in email notifications, allowing people to discover similar incidents early in the future (login, script add/edit/delete/sync, etc.).

@JixunMoe

Contributor Author

commented Jul 16, 2019

The script that references the script in question does not run on mydashwallet.org. My theory regarding dependency infection does not hold true, but it would be good to enforce version locks.

@JixunMoe

Contributor Author

commented Jul 16, 2019

Warning 2019-07-12: Dash Core has reported a vulnerability in an external library, which was not used anymore and is now completely removed, plus we changed the secure algorithm that runs locally. The external site serving CryptoJS scripts was compromised back on May 13th and has fixed this issue now. Currently we can't reproduce the issue on any tested device (Chrome, Firefox, Edge, Android, iOS), but some users report that they could still see the hacked script a few hours ago. This issue doesn't affect other bots (twitter, telegram, discord or reddit account balances) or services (mixing, etc.).
https://mydashwallet.org/ (snapshot in web.archive.org)

I'm not entirely sure why they are referencing scripts from GreasyFork... GreasyFork is not a CDN.

Source: DeltaEngine/MyDashWallet/Views/Home/Index.cshtml#L13 (snapshot in web.archive.org)

Wild guess: Someone discovered a script referenced here, and somehow gained access to modify the script.
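As an added example (not code from this thread, Greasy Fork or MyDashWallet), a small audit of the kind of third-party script include described above: it lists a page's external `<script src>` tags and flags those that pull live code from another origin with no version pin. The sample HTML, script paths and version values are constructed; the `?version=` query and semver-like path are assumed pin conventions, and the `integrity` attribute check is an extra mitigation the thread itself does not mention.

```javascript
// Added example; regex-based on purpose so it runs offline without a DOM parser.
// Assumed pin conventions: a "version" query parameter or a /1.2.3/ path segment.
const SCRIPT_TAG_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

function isVersionPinned(url) {
  return url.searchParams.has("version") || /\/v?\d+\.\d+(\.\d+)?\//.test(url.pathname);
}

// Returns one finding per third-party <script src=...> tag in `html`.
function auditScriptIncludes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const match of html.matchAll(SCRIPT_TAG_RE)) {
    let src;
    try {
      src = new URL(match[1], pageUrl); // relative paths resolve against the page
    } catch {
      continue; // unparseable src: skip it rather than abort the audit
    }
    if (src.origin === pageOrigin) continue; // first-party scripts are out of scope
    const pinned = isVersionPinned(src);
    const hasIntegrity = /\bintegrity\s*=/i.test(match[0]);
    findings.push({
      src: src.href,
      host: src.host,
      pinned,
      hasIntegrity,
      // Neither pinned nor hash-verified: whoever can edit the remote file controls the page.
      unpinnedLiveCode: !pinned && !hasIntegrity,
    });
  }
  return findings;
}

// Constructed sample page; the script paths, version value and hash are placeholders.
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="https://greasyfork.org/scripts/6696/code/lib.js"></script>
<script src="https://greasyfork.org/scripts/6696/code/lib.js?version=000000"></script>
<script src="https://cdn.example.net/lib/1.2.3/lib.min.js" integrity="sha384-PLACEHOLDER"></script>
`;

function sampleReport() {
  return auditScriptIncludes(SAMPLE_HTML, "https://mydashwallet.org/");
}

for (const f of sampleReport()) {
  console.log(f.unpinnedLiveCode ? "FLAG" : "ok  ", f.host, f.src);
}
```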

@JasonBarnabe

Owner

commented Jul 17, 2019

I don't have logs from back then, but I saw that recently access to your account was done via Tor nodes and using a username and password (as opposed to a Google login or otherwise).

This incident could've been prevented if I did version lock (well, I did not care about dependency breakages at that time) or just embed it.

As far as serving up bad stuff as user scripts, this wouldn't help, as they could just update the script directly. What might help is additional security on login, for example requiring 2FA to post scripts.

I have no idea why they were referencing the script on Greasy Fork. Filed DeltaEngine/MyDashWallet#2

@JixunMoe

Contributor Author

commented Jul 17, 2019

recently access to your account was done via Tor nodes and using a username and password (as opposed to a Google login or otherwise).

Something is wrong here. I removed the password login method a long time ago. Actually, I can't remember... I'll just set a complex one. I have looked at my saved password, and it was one that was leaked from somewhere else. That must've been my fault for not resetting it.

I'll set up a randomly generated password in the meanwhile.

@JasonBarnabe

Owner

commented Jul 17, 2019

I removed the password from your account when I noticed the problem, but it had been set since at least January of this year.

Having no password is fine, and probably better than having one set that you don't use.

@JixunMoe

Contributor Author

commented Jul 17, 2019

Weird, I don't recall setting my password since registration (and just now, but I removed it). I mainly log in via GitHub.

@JixunMoe

Contributor Author

commented Jul 17, 2019

I'll just keep my Login via Google, since I have 2FA enabled. Might as well enable it for GitHub.

@JasonBarnabe

Owner

commented Jul 17, 2019

You must have registered with a password since that was the only option then. Afterwards, even if you added Google or another auth provider, the password stays unless you remove it.

@JixunMoe

Contributor Author

commented Jul 17, 2019

That's probably it. I somehow thought I turned it off.

I did a reset of many passwords (as an action suggested by LastPass) a few months ago but missed this site.

Script deleted. I'll just let it be deleted, since I don't maintain those scripts anymore.

@JixunMoe JixunMoe closed this Jul 17, 2019
