peercoin address changed, hack ? #30

Closed
mark-bl opened this Issue Mar 4, 2014 · 7 comments


mark-bl commented Mar 4, 2014

Somehow my peercoin address on peer4commit changed to:
PFLLNgwQBie3G4iyad25JQEbAwv4Xfn2kn

I have no idea where that address came from.

Also, @tip4commit
my BTC address changed to:
1PNHEbchuhL9xRny5nQeWQ1Bwwa3d5jPUv

I have no idea what that address is.

Do you have logs or something like that to check this out?

Looks like a hack unless you own 6 accounts at tip4commit.com.

I have stopped BitcoinTipper.work until we investigate the issue. Thanks for reporting!

Owner

sigmike commented Mar 4, 2014

I have also disabled the worker and I'm trying to figure out how it happened.

Owner

sigmike commented Mar 4, 2014

Ok I think I fixed the problem.
GitHub has two kinds of email data: the verified email list and the "public email", which is basically a text field where you can put anything.
The omniauth-github gem gave us the latter. So anyone could put someone else's email in the public email and log in as him.
I'm not sure, but it may happen only when you don't have any verified email.

So I changed omniauth-github to make it send the whole list of (verified) emails. Now the user lookup is made from these emails.
The changes are there:

I cleared all the peercoin addresses after I deployed the patch. So all users will have to set it again.
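The takeover path described in the comment above, as an added example that is not part of peer4commit, tip4commit or the omniauth-github gem: an OmniAuth-style auth hash is constructed by hand, the vulnerable lookup keys the account on `info.email` (the free-text public profile field), and the hardened lookup only accepts addresses GitHub has flagged as verified. The `extra.all_emails` array with `verified` flags is an assumed shape modelled on the fix described ("send the whole list of (verified) emails"), not a guarantee about any gem version.

```ruby
# Added example, not the project's code. Models the omniauth-github email
# mix-up: the "public email" is attacker-controlled text, so looking a user up
# by it lets anyone with a GitHub account log in as someone else.

# Constructed user table for the example: lower-cased email => account name.
USERS = {
  'victim@example.com'   => 'victim',
  'attacker@example.com' => 'attacker',
}.freeze

# Constructed auth hash. The attacker typed the victim's address into GitHub's
# free-text "public email" field; the only address GitHub verified is their own.
# The 'extra' => 'all_emails' shape is an assumption for this example.
ATTACKER_AUTH = {
  'provider' => 'github',
  'uid'      => '99999',
  'info'     => { 'email' => 'victim@example.com' }, # public profile field
  'extra'    => {
    'all_emails' => [
      { 'email' => 'attacker@example.com', 'verified' => true,  'primary' => true  },
      { 'email' => 'victim@example.com',   'verified' => false, 'primary' => false },
    ],
  },
}.freeze

# Constructed auth hash for an account with no verified address at all; the
# public email still says whatever the account owner wants.
NO_VERIFIED_AUTH = {
  'provider' => 'github',
  'uid'      => '77777',
  'info'     => { 'email' => 'victim@example.com' },
  'extra'    => { 'all_emails' => [] },
}.freeze

# Vulnerable lookup: trusts the public email field verbatim.
def find_user_vulnerable(users, auth)
  email = auth.dig('info', 'email')
  email && users[email.downcase]
end

# Only addresses GitHub has verified may identify an account.
def verified_emails(auth)
  emails = auth.dig('extra', 'all_emails') || []
  emails.select { |e| e['verified'] == true }
        .map    { |e| e['email'].to_s.downcase }
end

# Hardened lookup: returns the account matched by a verified email, or nil
# (no login) when the provider reported no verified address.
def find_user_hardened(users, auth)
  verified_emails(auth).each do |email|
    return users[email] if users.key?(email)
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable lookup logs attacker in as: #{find_user_vulnerable(USERS, ATTACKER_AUTH).inspect}"
  puts "hardened lookup resolves attacker to:  #{find_user_hardened(USERS, ATTACKER_AUTH).inspect}"
  puts "hardened lookup with no verified email: #{find_user_hardened(USERS, NO_VERIFIED_AUTH).inspect}"
end
```

Run it with `ruby takeover_example.rb` (any file name). The hardened lookup also covers the follow-up report in this thread: an account with no verified email gets `nil`, so it cannot sign in as anyone. The more robust design is to key the local account on the provider `uid` and treat email, verified or not, only as a hint for first-time account linking.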

mark-bl commented Mar 4, 2014

Thank you for the fix!

Unfortunately it doesn't solve the problem. It's still possible to sign in without any verified email address. I am turning off GitHub authorization until we solve the issue.

Owner

sigmike commented Mar 5, 2014

When I tried, GitHub didn't include my non-verified email in the list. It was a new account, so it may be different.

sigmike closed this in #31 Mar 5, 2014

Owner

sigmike commented Mar 5, 2014

I cleared all user addresses again.
