You are viewing a single comment's thread from:
RE: Warning about phishing links
These are some really nice resources to know about. I myself have clicked on a redirecting phishing link on here but it is worrisome especially for those who don't have a good idea about how front-ends interact with the blockchain.
Anyone can build their own Steemit-like front-end, that's not a problem at all as it can be totally legitimate without needing Steemit to sanction it, but knowing who to trust when it's not Steemit or doesn't use Steemconnect is tricky. It's nice that there are easy technical and user friendly options out there to check but yeah, keeping an eye out and protecting yourself starts to get a bit more serious in decentralized systems.
You can maybe ask these guys:(Who wrote this blog post)
http://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html
To add a honey/canary token for steemit active or posting keys to their site. Which would enable you to see if somebody tries to use a fake made up posting or active steem key that you posted to a frontend, the site emails you if someone tries to use the details that you generated on: http://canarytokens.org/generate
Hope that makes sense? Maybe somebody needs to make a site to track the reputation of steemit frontends.
Be careful what you are clicking on. If it runs javascript then it can do a great deal on your computer, for example people can even go so far to open a shell on your computer using javascript. This is something that people do often when they exploit xss attacks, but if you are willingly visiting a site then they don't even need to trick you into running the javascript.
You can see more about this type of attack here:
https://www.slideshare.net/BartLeppens/owasp-appseceu-2015-beef-session (See from slide 49)
Thanks for your feedback on my comment!
Awesome stuff again, especially those canary tokens. I'm not sure how exactly it could be implemented, but I can see maybe some sort of interesting key-specific decryption of a picture like they were talking on a website that logs use automatically. Not sure how that would work on attacker's own websites or even Steemit though. Interesting to think about.
And yeah, I even read somewhere that web javascript could exploit those Spectre and Meltdown vulnerabilities. I just love it because it runs so easy... everywhere.