>Thus, users of EtherDelta must enter their public wallet address and private key when using the site, meaning their private key could be captured from the browser session by a malicious code injection.
This isn't some sort of fancy cryptocontract based attack. The private key is just stored as a JavaScript object in the session and an attacker found and exploited a reflected XSS vulnerability to send off the key.
Even if you're not sending your private key to the server directly surely some people must have made these users aware of the risks they were taking? Not only XSS risks, but risks of a rogue admin or backend compromise injecting malicious JS.
(Persistent XSS actually, but exploited similarly to a reflected XSS vulnerability because you have to send a specific link to your victims. It has a much higher exploitation success chance than reflected XSS since pesky browser XSS auditors won't be able to step in.)
> I want to make one point clear: I believe that EtherDelta, in concept, is safer and more “trustworthy” than a traditional exchange. Everything about how EtherDelta functions is transparent and verifiable by users.... The attack detailed in this piece could have been identified by anyone before it was exploited, and if there had been a security review protocol in place, it would have been easily prevented.
Even "in concept", releasing fintech software without doing the security basics verges on professional misconduct.
This blows my mind. These programmers can implement quite complex contacts-financial-exchanges on top of a quite complex distributed system, but then fail to sanitize user input in their web interface. It makes no sense.
I read the headline and my immediate guess was cryptocurrency. I clicked and, sure enough, there it was.
Maybe it's time to refine some of these ideas? While regular money does get stolen, maybe storing it online isn't the best method? Maybe requiring some human interaction is a good idea?
At this point, I can't really justify investing in any cryptocurrency. I'm absolutely unable to justify investing in any ICO.
If I opened a contract and my PayPal balance disappeared, I'd be pretty angry and might have some recourse. I'd absolutely have some options if it were with my credit/debit card or directly through my bank.
Good luck, folks. I'm still going to maintain the wait-and-see approach.
> Maybe requiring some human interaction is a good idea?
What's the fun in that?
Did Samy say "Maybe I should ask the user if they want to friend me"? NO! He said "People want to friend me" and "LOL MYSPACE XSS", then became the most popular person on the network overnight.
The story is almost like the 2008 time where wall street wiz kids package the mortgages to special mortgages back securities/contacts and resell them over and over again to banks, mutual funds, etc.
Hugh hype was created.
Last time: It was safe because it was back by mortgage.
This time: It is safe because it is back by crypto algorithm.
Last time few smart insiders got billions richer and unload everything before the bubble burst.
And the time ......
(Love to see all imaginable endings to this time's story - good or bad)
There are two problems. First, when writing a contract every line you write might be a potential avenue for an attack. Second, the language (Solidity) and the parsing of the bytecode (EVM) don't help.
If you look at the kind of attacks that happen I feel like two major problems came from the fact that addresses can be real account addresses or contracts (it could have been good to segregate them) and errors/exceptions don't propagate well.
If you use EtherDelta through MetaMask or Mist, then EtherDelta doesn't have direct access to your private keys, and you're given a prompt outside of EtherDelta's control to confirm any action you take, so you're much less vulnerable to malicious behavior from the EtherDelta admin.
This linked to an 'unlisted' token (a token which doesn't have enough recognition to be 'officially listed' on Etherdelta, and thus doesn't have its own ticker symbol), which the vast majority of token buyers have no interest in, so there's no chance that many people were interested in purchasing it, let alone through Etherdelta (which still has very little volume relative to centralized exchanges).
[+] [-] meowface|8 years ago|reply
This isn't some sort of fancy cryptocontract based attack. The private key is just stored as a JavaScript object in the session and an attacker found and exploited a reflected XSS vulnerability to send off the key.
Even if you're not sending your private key to the server directly surely some people must have made these users aware of the risks they were taking? Not only XSS risks, but risks of a rogue admin or backend compromise injecting malicious JS.
[+] [-] meowface|8 years ago|reply
[+] [-] AgentME|8 years ago|reply
Google has a good introduction to using them here: https://csp.withgoogle.com/
[+] [-] codedokode|8 years ago|reply
[+] [-] jdp23|8 years ago|reply
Even "in concept", releasing fintech software without doing the security basics verges on professional misconduct.
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] imaginenore|8 years ago|reply
[+] [-] KGIII|8 years ago|reply
Maybe it's time to refine some of these ideas? While regular money does get stolen, maybe storing it online isn't the best method? Maybe requiring some human interaction is a good idea?
At this point, I can't really justify investing in any cryptocurrency. I'm absolutely unable to justify investing in any ICO.
If I opened a contract and my PayPal balance disappeared, I'd be pretty angry and might have some recourse. I'd absolutely have some options if it were with my credit/debit card or directly through my bank.
Good luck, folks. I'm still going to maintain the wait-and-see approach.
[+] [-] thephyber|8 years ago|reply
What's the fun in that?
Did Samy say "Maybe I should ask the user if they want to friend me"? NO! He said "People want to friend me" and "LOL MYSPACE XSS", then became the most popular person on the network overnight.
After Tom, of course, who cheated.
[+] [-] srcmap|8 years ago|reply
Hugh hype was created.
Last time: It was safe because it was back by mortgage.
This time: It is safe because it is back by crypto algorithm.
Last time few smart insiders got billions richer and unload everything before the bubble burst.
And the time ...... (Love to see all imaginable endings to this time's story - good or bad)
[+] [-] davewritescode|8 years ago|reply
[+] [-] baby|8 years ago|reply
If you look at the kind of attacks that happen I feel like two major problems came from the fact that addresses can be real account addresses or contracts (it could have been good to segregate them) and errors/exceptions don't propagate well.
[+] [-] thephyber|8 years ago|reply
[+] [-] foota|8 years ago|reply
[+] [-] AgentME|8 years ago|reply
[+] [-] chroem-|8 years ago|reply
The article is out of date. People are saying the amount is now $6 billion.
[+] [-] CryptoPunk|8 years ago|reply
[+] [-] thephyber|8 years ago|reply
> Which as of this writing, has over $130,000 worth of Ethereum and over 88,000 transactions.
[1] https://medium.com/@decktonic/following-the-trail-what-we-kn...
[+] [-] RcouF1uZ4gsC|8 years ago|reply
[+] [-] trophycase|8 years ago|reply
[+] [-] recursive|8 years ago|reply
[deleted]