Open Phoenix202020 opened 3 years ago
This is an issue with steemit/faucet, not the network itself. Also, this isn't 2FA but an email verification code. Steem fundamentally cannot support email-based 2FA. This only allows going through signup with an email that you don't control, which isn't even useful, since the signup process involves using the email you verified earlier.
Thanks for the update. So as far as I am concerned, as a security researcher I have tested this functionality of the email verification code and it is not properly implemented. I can actually use other emails to sign up and use the account with that email address. I guess that this is considered as a vulnerability? The impact is there.
If not, what purpose does it fulfill?
@Phoenix202020 You cannot log in with an email. You must use a username to sign in. Your email is only used during sign up. You'd only be doing yourself a disservice by signing up with an email you don't control -- the email you provide is only used for the signup process and for account recovery.
I agree with smitty regarding the login, though I will re-check your findings.
Thank you, Emil
KING.NET https://king.net/ Data is Everything. Email: EM@KING.NET Twitter: @KINGnet @.> Certified: CISSP, CISM, CEH, CASP, CDPSE, Security+, MCSE, MCSA, MCP, CMMC-RP*
QUE.com http://que.com/ Artificial Intelligence, Machine Learning, Robotics, Cyber Security Yehey.com https://yehey.com/ a Shout for Joy - Let's discover the world of wonder. MAJ.COM https://maj.com/ Management of Assets and Joint Ventures SwapToken.com https://swaptoken.com/ - Gateway to Blockchain Crypto Currencies.
Acknowledgement.com https://acknowledgement.com/ - Word of Wisdom
Hi guys, did you test it? I have found one more bug, to be more specific an IDOR which is leaking sensitive information.
What other sensitive information did you discover? Most of it is public anyway. Care to share a video with me?
Thank you, Emil
Can you share your email with me? I will attach the video in the email.
any updates on this?
@KINGdotNET
Give it up mate steemit inc is completely compromised. Consider this project abandoned
Weakness: Violation of Secure Design Principles
Severity: Medium
Vulnerable Host: steemit.com
Summary:
I was able to bypass the 2FA verification code through bruteforcing the code. Thus, it could be misused by an attacker to misuse other emails of your customers/users and bruteforce the verification code.
Video POC:
https://drive.google.com/file/d/1qxHfRTh0kAq0bkSsx2wVDVB3-8ze-nC8/view?usp=sharing
Impact:
Emails can be misused and the email verification code can be bypassed.
Looking forward to hearing from you soon and to report further.
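
The report above turns on an email verification code that can be guessed repeatedly. As an added example (not code from steemit/faucet or from anyone in this thread), here is one way a signup service can make such a code resistant to guessing: a capped attempt counter that survives re-issuing, a short lifetime, single use, and a constant-time comparison. The class name `EmailCodeVerifier`, the 6-digit code length and the `MAX_ATTEMPTS` and `TTL_MS` values are assumptions chosen for illustration.

```javascript
// Added example, not steemit/faucet code. Policy values below are assumptions.
const crypto = require("node:crypto");

const MAX_ATTEMPTS = 5;         // wrong guesses allowed per e-mail per window
const TTL_MS = 10 * 60 * 1000;  // code lifetime and guessing window (10 min)

class EmailCodeVerifier {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.pending = new Map();  // email -> { digest, expires, attempts, windowEnd }
  }

  // Bind the digest to the address so a code is only valid for its own e-mail.
  static digest(email, code) {
    return crypto.createHash("sha256").update(`${email}\n${code}`).digest();
  }

  // Issue a 6-digit code from a CSPRNG. Re-issuing inside the current window
  // keeps the attempt counter, so asking for a new code does not buy more guesses.
  issue(email) {
    const t = this.now();
    const prev = this.pending.get(email);
    const carry = prev !== undefined && t <= prev.windowEnd;
    const code = String(crypto.randomInt(0, 1000000)).padStart(6, "0");
    this.pending.set(email, {
      digest: EmailCodeVerifier.digest(email, code),
      expires: t + TTL_MS,
      attempts: carry ? prev.attempts : 0,
      windowEnd: carry ? prev.windowEnd : t + TTL_MS,
    });
    return code; // a real service e-mails this and never sends it to the browser
  }

  // Returns "ok", "invalid", "locked", "expired" or "unknown".
  verify(email, guess) {
    const entry = this.pending.get(email);
    if (entry === undefined) return "unknown";
    if (this.now() > entry.expires) {
      this.pending.delete(email);
      return "expired";
    }
    if (entry.attempts >= MAX_ATTEMPTS) return "locked";
    entry.attempts += 1; // charge the guess before comparing
    const candidate = EmailCodeVerifier.digest(email, String(guess));
    if (!crypto.timingSafeEqual(entry.digest, candidate)) return "invalid";
    this.pending.delete(email); // single use
    return "ok";
  }
}
```

With these limits a single address allows at most five guesses per ten-minute window against a space of one million codes; the endpoint that issues codes still needs its own per-client rate limit.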