no, this was the standard Mozilla Firefox which comes with a live system of Linux mint 18.2.
No, I created my own address. I used the exchange LiteBit.eu to have it sent to my address mentioned above. (NDEBOG-2OE2D5-O6VMCO-HSV7IW-YTKEBY-REFS7R-FB5N)
I forgot: I also visited the Dim Ico site to get the Nem address for participating in the Ico. The one I sent my 1500 Xem to.
Something interesting has happenedā¦ o.O
take a look at this message the thieves account has sent me after he was done stealing the Xem and Dim Tokens and Coins.
653ed2bd12d710bc0d0ebf5a3149d5641b283f8a55c9ffaab4370844af84ab70
They spent 6 Xem just to give me the following message:
ŃŠ»Š¾Š²Š¾:12345q | Š”ŃŠµŃ:NDEBOG2OE2D5O6VMCOHSV7IWYTKEBYREFS7RFB5N | ŠŗŠ»ŃŃ:35d5e5ccc8cddfa7d4ec03064f1d6f073def802e5373dbda060ed273efb7
I ran the words through Google translate and they are Russian for: Word, Score, Key (respectively)
Now at least I know a bit more:
They probably stole my temporary .wlt file, which i didnāt give a strong enough password for because i just created it for a one time transaction and purged it afterwards right away.
This Was The Attackers Entrance
And yes, the private key is correctā¦
I will continue to research how it was possible for them to access the wlt-file from the local storage. This might be a significant security exploit.
Now everything comes together why they waited till Saturday to empty my account, because they probably needed that time to brute force crack the password of the temporary wlt-file. I created that file the Monday before to send Xem to the Dim Ico.
Thatās a nice way of saying āpwnedā for themā¦
PS: feel free to log into that wallet of mine since it is now open for everyoneā¦ what an ironyā¦
I will still have to confirm the exact way but this is a start for research:
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage
If i understand it correctly, local storage is not secure at all. more to comeā¦
I was a victim of cross site scripting XSSā¦
Can you explain how the attacker could get your wallet file then?
Did you use an unsafe computer? A computer where others could know you made a private key on it? Do you know who has access to the computer?
Why didnāt you made this account as multisig after you saw the first transaction? The private key would be nullified and you would gain all access to your account. Next time use multisignature account, I am personally using 2 of 3, with NanoWallet as main wallet, phone wallet as a 2FA and one paper wallet as a backup. If you would like to stay with NEM, I could help you with setiing it upā¦
I used a totally safe computer, since it was a live session of a Linux mint OS. No one had access to the private key, since i only printed it out and rebooted the live session.
They got hold of the wlt-file through XSS. That, I am sure of now. How else would they know the password if they didnāt brute force crack it.
So which site did you visit? You mentioned the DIMCOIN site but I hardly can imagine that they hacked that siteā¦ hmm
I planned to do this, but I had not enough time to set it up. work, family.
next time i will totally set up a multi signature account. thank you for offering your help with that. i will come back to you with a private message if i need help.
I try to recall that, because one of those sites did the XSS attack. Since it was a live season, I no longer have the browsers historyā¦ I will try to figure out which sites i visited and inspect all of them.
On the weekend, I will have time to also check the NanoWallet source to see if i can find the vulnerability.
Edit: I also donāt think that the Dim Coin site is responsible, but i will check them out nonetheless.
Well to be honest - you have a good concept with the live CD and so on but then you should be so consequent and use that only for creating wallets and nothing else. +_+
And as you see you should always used a proper password even if itās only temporary.
We had already a case where somebody had his very low-level-secure password brute-forced and lost 6M xemā¦
Yes this was my fault, I know. I didnāt browse the web while having my wallet open. All I did was to find out the wallet address for the DIM Ico. But I must have stumbled upon the malicious website in the process.
That sucksā¦ still, for me 5687 Xem was much moneyā¦
I will still try to find the vulnerability in the NanoWallet and the attackers website. Because everyone is at risk. If they have your wlt-file, they will try to crack it, no matter how good the password used.
Every hacked / lost xem hurts doesnāt matter how many.
As far as I know you can only crack (decrypt) a wlt file with the password. Which boils down to brute forcing the password or obviously utilizing a key logger.
Anyways I hope you might remember the malicious site. At least this is a warning for others not to do the same mistakes.
I hope so as wellā¦ I will keep you all updated!
If I see this correctly, other online services could extract variable values from the local storage, presuming they know the key value.
@Saul thought this might have some importanceā¦
r3n3 : there is a security fix pending, but the details of exploit havenāt yet been published, devs know a bit more, NEM Beta 0.6.91
We have played around a bit.
CHROME and SAFARI allow the following proof of vulnerability:
- Create the .HTML & .JS files below
- Run the .HTML in the browser which you use for NanoWallet
- See the contents of the LOCALSTORAGE displayed
- (Bruteforcing the symmetric encryption is another thing)
index.html
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Show Browser LocaStorage</title>
</head>
<body>
<pre id="result"></pre>
<script src="index.js"></script>
</body>
</html>
index.js
document.getElementById("result").innerHTML = JSON.stringify(localStorage);
If you feel your login password into your Nanowallet may be too weak (bruteforce-able) - it does not help to export the private key, and re-create a new wallet via āSign Upā in the Nanowallet.
This is because the old localstorage may already be stolen and worked on by brute-forcers.
Mitigation: Transfer your XEM to a new NEM ACCOUNT which resides in a secure wallet.
For some time, we may have to live with the fact that the browsersā localstorage is not āsecureā.
Greetings,
Rene - LuxTag powered by NEM
[Thanks to @musdom (Developer at LuxTag) ]
Can someone explain how anybody can steal the localstorage on ubuntu live?