🚨 Urgent: Bug Found on Steemit – Seeking Attention & Open for a Deal! 🚨
Hello Steemians, I hope you are all well.
I have built a way within Steemit through which we can create unlimited Steemit accounts, that is, without the original verification. We can create an account without providing the OTP for the phone number and without verifying the email on Steemit's original sign-up page.
Such bugs are very dangerous and harmful to Steemit. I will also do a small calculation of this below.
First of all, I want to explain how Steemit's sign-up page or backend works. If we learn it, we will find many such bugs that Steemit has not yet been able to fix. Even seven to eight months ago I knew of many such errors, and the Steemit team, that is, whoever is handling it, has made many corrections, but they have not yet been able to completely fix the original problem, which still remains.
Yes, Steemit has done a great job by putting the Steemit sign-up page behind Cloudflare, but I want to say from my experience that there was no need for Cloudflare on this page.
If the Steemit page is considered from a security perspective, then of course it is very secure. Even without Cloudflare in front of it, it is very difficult to perform a DDoS attack or any other such attack on it, that is, it is impossible. This is like the TrustWallet brute-force seed-phrase case.
But the server running in the backend of this page, or the authority that decides that this account should be created, is very insecure.
The code that runs in the backend of the Steemit sign-up is open source. If you look at it, the approval works like this: the server, after looking at the data, generates a token that contains the complete username and password data needed to create the account, and manipulating or creating that token is not impossible; in fact it is quite feasible. It is still difficult to do, but not for an expert developer.
The token that I have shown you in the picture is written inside this. This is the token on the basis of which the Steemit sign-up page creates the account, that is, the Steemit server checks the data and generates this token. When the user clicks on "download keys", this token goes to the backend file from which the account is created. Yes, I would definitely say that it is impossible to access that file, but the token that goes to it contains all the data, the username and password, that is, the complete data, and the Steemit account is created from the reference of this token.
@steemcurator01 and @steemcurator02
I am not saying that we can decode this token and find out the username or password. It is temporary data and it is encrypted. Only the server can read it, or the person who created this page, because he created the encryption tool.
Yes, I can give proof, but the code or the token I have given will only be understood by developers, those who know how Steemit works. For those who don't know, I can also give proof of another kind: I can create multiple accounts within a week and post from them. That way it will be known that I know how to create multiple accounts.
Below I share some of the backend traffic (the request and the response).
First step
``POST /api/create_user_new HTTP/2
Host: signup.steemit.com
Cookie: _ga=GA1.1.567076001.1730286401; __ssid=824b213a0627e5812efb89e310b203f; _ga_VP20CR0E1K=GS1.1.1739780953.11.0.1739780953.0.0.0; _ga_5ELS7X2YN3=GS1.1.1740218986.14.1.1740219144.0.0.0
Content-Length: 1113
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-GB,en;q=0.9
Accept: application/json
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
Origin: https://signup.steemit.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://signup.steemit.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"recaptcha":"0.BSzt2dx7RQ7sRUy15fSjw52yxFFK6Z2LJA3CVctADnsLkScqGa7XdkZCEPFGnpzLqbzeItGlXm6ApCIa6ZNfTnzB1Jic5pMQFq9-cNFxmbso3WLCNX6eHla-_mpftsOKlujOqz16qZTtVSb7FhQSye-blnaZGRuo3J4r0xWw2-b0oeFQWF7OjIArC04IZaYygcZcfBaUTMbsZ2mRneRR6Heo1oKm-rma-A8SBYQi-vD9yVA1T3q0KlzRj_VDf5XowjeIwD-DyWN0uFb-WFncjNx14TQ8DqJC2O0ByTvAg3atb0Al60zO2ske6d2FexfL8E2iBfWxVdpaZgwTvhcqqXbsoYdPd7eN0J9QM-CgwUoeoBrUK2xbGtwHiFMdHZAjqx4C0ZiiYn2sv0uNhDXX8Sdg0XOS9126iSHF9JSRqavBs3I2fwyVV7Ijphkzt-zRnhYNNSQIWK-iPQ2mi6ZrTs6s2Fg6b6ioN0qCiy_q13JZ-6mLC7zB4rzCdvnTSrKspYboY85L-TopkFh6F5h3zTGprhc7YVY5QYq92nnLJO4RFaE0qAE61vpQt1QDqIxz4GoFY-FAqZcU3_Ydud_GKRcF5Twy3ttBHYVALozD8v-ApX0AAj_EDAAn-HMrTzNfbVo21tZmDebGGSXNFVuRd3VtIgR-PcykYQGC7T9bVNS80W0DzQc6gmhxKorbrNFCNjV_AFAl6nz7mZKXYmi0Oxw977tRuDv1hVBCH8-u_MHbKhGO1I7iPJhjnUvKAIO6VOrFZCf_MzX-cFpKFr_p9XR1O4Xw-NGX0ILzA-2QtEpcu_GJORASbb6BogG0Z3IfysfJYn_aEi1ZfJLq8g4cR2Vpxx-Qyj3DO4u4IFmWBeI.i-2I7tMxS0iZ3cvV-TJRvg.2b34ecf7e6638669ec21edb5984411d71028474229b8f52a6924c72c183b527a","email":"[email protected]","emailCode":"351740","phoneNumber":"+1000000000","phoneCode":"000000","username":"blck-block"}``
I have edited some of the data for security reasons.
Second Step
``HTTP/2 200 OK
Date: Sat, 22 Feb 000 00:13:00 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 279
X-Request-Id: Root=1-67b9a350-19203c143106f6f42a411d26
Etag: W/"117-iKp4Jh07IvH1A0WYsne7zsGXfV8"``
I know that if you give the wrong OTP, an error occurs, but we can edit this error response. If the error is edited through this code, the field shows as ticked, that is, as correct.
Apart from that, you also have to tamper with the token, which I can't explain here.
Loss Calculation / Profit Calculation (at about $0.144 per STEEM)

Per account | Fee / RC | Power
--- | --- | ---
1 account | 3 STEEM / 1 million RC approx. | 10.1 STEEM = 0.144 × 10 ≈ $1.4

Accounts I create every day | Fee / RC | Power
--- | --- | ---
Each of accounts 1 to 10 | 3 STEEM / 1 million RC approx. | 10.1 STEEM = 0.144 × 10 ≈ $1.4
Total per day (10 accounts) | 30 STEEM / millions of RC approx. | 101 STEEM = 0.144 × 101 ≈ $14.4
Per month (300 accounts) | 900 STEEM / millions of RC approx. | 3000 STEEM = 0.144 × 3000 ≈ $500 approximately

Every year approximately $6000.
This will have a huge impact on new users, making it very difficult to create a new account.
You may be thinking.
Many of you reading this post must be thinking: what will I do with these accounts if I create so many of them? It is very difficult to post from so many accounts. If a bot posts, it will be detected, because that cannot be done with much effort; that is, it is very difficult to create quality content for three thousand or more posts.
Auto Upvote Bot
If these accounts are used, it is not difficult to upvote from all of them through a bot. I can create a bot that upvotes from all these accounts very quickly, on a post that I select.
And as the number of accounts increases day by day, the votes will also increase, and all this Steem Power means that if the votes of all these accounts go to one post, many dollars will be earned, meaning that this post will get a lot of rewards.
1 Year Result

1 year | Total accounts | Power
--- | --- | ---
3600 | 3600 accounts | 36000 STEEM = 0.144 × 36000 ≈ $6000-8000 approximately

36,000 STEEM is approximately $0.40 of voting power.
If you look at the price of STEEM as I am writing this post, its value is very high, and it will surely rise to about 30 cents;
then that would be about $0.80 of voting power, and it increases every day because accounts are created daily.
Special Mention
I can give you the best suggestion to fix this. Contact me on Telegram.
I am waiting.