Xem got stolen from private key wallet

memario · July 12, 2017, 11:05am

I might be missing something but…

Local storage is domain specific. I’d argue that it’s not as easy to exploit in the wild when you don’t have everything running locally.
If you have nanowallet open and go to https://someothersite.com, the js on that website will not be able to access localstorage of nanowallet because it is on a different domain.
So XSS being involved makes a lot more sense, though I’m not sure how they would have pulled that off. To me this looks like they were targeting nanowallet specifically since it’s unlikely that some generic XSS that happens to be reading local storage happens to be operated by people who know what they got their hands on. If it is targeted it is likely a site that nanowallet users are likely to visit with nanowallet open though I in no way want to accuse anyone (if we have all the possible websites it’ll be relatively trivial to figure out which one it was).

All in all everyone can put their panties back on. Local storage is not in and of itself insecure plus a strong password seemingly would have mitigated this attack entirely.

nempathic · July 12, 2017, 11:18am

That’s what I think as well… I still have to reconstruct the possible sites that I have visited. I might find something. But if I were the attacker, I would probably start out with domain names similar to the official Nem sites. That way the chances are high that, by a mistype in the address bar, the victim visits that site with an open wlt-file in their local storage.

I will still try to evaluate the NanoWallet code and look for that XSS vulnerability. Maybe an unsafe evaluated JSON.

memario · July 12, 2017, 11:19am

I’d run an ico and give 10% bonus to all XEM investors and tell them to only use nanowallet
I’m not making a serious allegation here, I’m just joking. I doubt it’s dimcoin.

rajc · July 12, 2017, 1:01pm

My wallet pass should slow them down a bit, at least 10000 years:D

nempathic · July 12, 2017, 1:43pm

It must be at least as secure as the private key, to not pose an additional security threat to your wallet.

sheld0r · July 12, 2017, 1:50pm

Hmm but the new 1.4.0 standalone version shouldn’t have that ‘vulnerability’?

jabo38 · July 12, 2017, 2:12pm

I asked QM to look into this. He told me that the wallet was created with a brainphrase “12345q” which a bot can scan for and then clean the account.

So the wallet wasn’t compromised, nor the server, no the computer. The account was made with a brainphrase that is very easy for a hacker to brute force.

Remember, you brainphrase = your private key. Please use very long pass phrases when making a pass phrase wallet.

also, we all feel for your loss. we hope that somebody else can learn from this thread and be safer.

Quantum_Mechanics · July 12, 2017, 2:12pm

Hi,

There is no known vulnerability in Nano Wallet and I don’t think it is possible to access the local storage content remotely.

The wallet created in this case was a brain wallet with a weak password, that is the problem.

There is people that scan for weak brain wallet and you got unlucky

sheld0r · July 12, 2017, 2:28pm

Thanks for the clarification.

Saul · July 12, 2017, 2:58pm

The loss of XEM has been determined to be user error, I am going to close this topic. It is solved.

Saul · July 12, 2017, 2:58pm

mizunashi · October 6, 2017, 1:25pm

ReOpen for Refund

mizunashi · October 6, 2017, 1:12pm

Make the topic temporarily OPEN.

@nempathic

I succeeded in obtaining 1000 XEM from a hacker who stole your money.
We process refunds preferentially from people who have stolen from the same hacker.

You have been selected for that time.
If you wish to refund 1000 XEM, please write here.

When I can confirm the writing, I will send PM for personal authentication.

In addition, please prepare new account with simple wallet as preparation in advance.

Thank you.

nempathic · October 9, 2017, 10:23am

Oh wow!
I can’t say how surprised I am. I’m very grateful for this.
I am using a new wallet, which has been created with the Simple Wallet function. I already used it before to save some Xem from my hacked wallet before the attacker got the chance to transfer it as well. Those Xem came from a scheduled Buy from LiteBit.eu, delayed due to giropay option, that was my luck.

This new wallet address is:
NBGHKJ-WWEL76-BO3NXO-F5ALYX-22YBZP-PO4MCV-IXV6

Please state any requirements for authentication via PM as you mentioned. Thank you again!!

mizunashi · October 9, 2017, 3:17pm

Considering that account of your forum is being hijacked, I will PM the item of personal authentication from now.
Please wait for a while.

mizunashi · October 9, 2017, 4:20pm

@nempathic
Since approval was obtained, refund work will be started.
When xem arrives, please write.

mizunashi · October 9, 2017, 4:08pm

Hacking hash
http://chain.nem.ninja/#/transfer/8f962c0a72839e2371ccfa37ceef3e1b13cbd8f3f3556bfa99539a47b934579f

Refund hash (part of damage amount)
http://chain.nem.ninja/#/transfer/a797a0d82b0c7c048425e360b626b5e957d16b5d57963c936864f34de2c257e8

Thanks

nempathic · October 9, 2017, 6:53pm

Thank you so much! The refund arrived.
I’m very grateful. It is good to know that there are still a lot of good people at work, despite some truly dishonest thieves who can only steal hard earned money from others.

mizunashi · October 9, 2017, 7:02pm

Thank you for your reply. I was relieved.

We are doing warning work to people who use weak wallets, principals. This work must be done before a hacker steal the funds.
We will continue this effort in the future and hopefully we can save the funds of many people, I will do my best.

Thanks

nempathic · October 9, 2017, 7:05pm

@mizunashi Your effort is truly appreciated. I hope you can help many others as well!
A big thanks to everybody involved!