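Be careful: don't post your master password in an article
Yesterday, while testing pr3944 with my test account, I accidentally posted the master password in an article.
Within a minute, a bot had scraped my password and changed the password of my test account. Truly ruthless.
Since the recovery account of this test account is my main account, I needed to recover the account for myself, so I wrote a simple script as follows: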
    const steem = require('steem');

    const recover_account = 'ety001';        // recovery account of the lost account
    const recover_account_active_key = '';   // active private key of the recovery account
    const loster = 'ety001.test';            // account to recover
    const loster_new_pass = '';              // new master password to set
    const loster_old_pass = '';              // old master password (from before the theft)

    const roles = ['active', 'posting', 'owner', 'memo'];
    // Public keys derived from the new and the old master password
    const loster_new_pubkeys = steem.auth.generateKeys(loster, loster_new_pass, roles);
    const loster_old_pubkeys = steem.auth.generateKeys(loster, loster_old_pass, roles);

    // Owner authority the account will have after recovery
    const newOwnerAuthority = {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
            [loster_new_pubkeys['owner'], 1]
        ]
    };
    const extensions = [];

    // Step 1: send from recover_account, signed with its active key
    steem.broadcast.requestAccountRecovery(recover_account_active_key, recover_account, loster, newOwnerAuthority, extensions, function (err, result) {
        if (err) {
            console.error('requestAccountRecovery failed', err);
            return;
        }
        console.log('requestAccountRecovery succeeded', result);

        // Owner authority that was valid before the attacker changed the password
        const recentOwnerAuthority = {
            "weight_threshold": 1,
            "account_auths": [],
            "key_auths": [
                [loster_old_pubkeys['owner'], 1]
            ]
        };
        const new_priv_keys = steem.auth.getPrivateKeys(loster, loster_new_pass, roles);
        const old_priv_keys = steem.auth.getPrivateKeys(loster, loster_old_pass, roles);

        // Step 2: send from loster, signed with both the old and the new owner key
        steem.broadcast.send(
            {
                extensions: [],
                operations: [
                    [
                        'recover_account',
                        {
                            "account_to_recover": loster,
                            "new_owner_authority": newOwnerAuthority,
                            "recent_owner_authority": recentOwnerAuthority,
                            "extensions": []
                        }
                    ]
                ]
            },
            [
                old_priv_keys['owner'],
                new_priv_keys['owner']
            ],
            (err1, result1) => {
                if (err1) {
                    console.error('recoverAccount failed', err1);
                    return;
                }
                console.log('recoverAccount succeeded', result1);

                // Step 3: recover the other authorities with the new owner key
                const active = {
                    "weight_threshold": 1,
                    "account_auths": [],
                    "key_auths": [
                        [loster_new_pubkeys['active'], 1]
                    ]
                };
                const posting = {
                    "weight_threshold": 1,
                    "account_auths": [],
                    "key_auths": [
                        [loster_new_pubkeys['posting'], 1]
                    ]
                };
                const memoKey = loster_new_pubkeys['memo'];
                steem.broadcast.send(
                    {
                        extensions: [],
                        operations: [
                            [
                                "account_update",
                                {
                                    "account": loster,
                                    "posting": posting,
                                    "active": active,
                                    "memo_key": memoKey,
                                    "json_metadata": "{}"
                                }
                            ]
                        ]
                    },
                    [
                        new_priv_keys['owner']
                    ],
                    (err2, result2) => {
                        if (err2) {
                            console.error('accountUpdate failed', err2);
                            return;
                        }
                        console.log('accountUpdate succeeded', result2);
                    }
                );
            }
        );
    });
The script is based on 鱼老板's article: https://steemit.com/hive-180932/@maiyude/2dqngr
Just modify these five lines to complete the recovery:

    const recover_account = 'ety001';
    const recover_account_active_key = '';
    const loster = 'ety001.test';
    const loster_new_pass= '';
    const loster_old_pass= '';

Anyway, be careful, everyone.
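An added example (not part of the original post, and not steem-js code): a check to run on a draft before broadcasting it, which flags any token that is a valid WIF private key or a master password. It assumes the master password has the Steemit-generated form of `P` followed by a WIF string; the function names and the sample key are constructed for illustration.

```javascript
const crypto = require('crypto');
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
const checksum = (body) => sha256(sha256(body)).subarray(0, 4);

// Decode base58 text to bytes; null if a character is outside the alphabet.
function base58Decode(text) {
  let n = 0n;
  for (const ch of text) {
    const v = ALPHABET.indexOf(ch);
    if (v < 0) return null;
    n = n * 58n + BigInt(v);
  }
  let hex = n === 0n ? '' : n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const zeros = text.match(/^1*/)[0].length; // each leading '1' is a zero byte
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, 'hex')]);
}

function base58Encode(buf) {
  let n = BigInt('0x' + buf.toString('hex')), out = '';
  for (; n > 0n; n /= 58n) out = ALPHABET[Number(n % 58n)] + out;
  for (const b of buf) { if (b !== 0) break; out = '1' + out; }
  return out;
}

// WIF private key: 0x80 || 32-byte key || first 4 bytes of double SHA-256.
function isWif(token) {
  const raw = base58Decode(token);
  if (!raw || raw.length !== 37 || raw[0] !== 0x80) return false;
  return checksum(raw.subarray(0, 33)).equals(raw.subarray(33));
}

// Constructed sample key (32 bytes of 0x01); not a real account key.
function makeSampleWif() {
  const body = Buffer.concat([Buffer.from([0x80]), Buffer.alloc(32, 1)]);
  return base58Encode(Buffer.concat([body, checksum(body)]));
}

// Returns one label per secret-shaped token found in the text.
function findLeakedSecrets(text) {
  const hits = [];
  for (const t of text.match(/[1-9A-HJ-NP-Za-km-z]+/g) || []) {
    if (t.length === 51 && isWif(t)) hits.push('private key (WIF)');
    // Assumption: master password in the Steemit-generated form 'P' + WIF.
    else if (t.length === 52 && t[0] === 'P' && isWif(t.slice(1))) hits.push('master password');
  }
  return hits;
}
```

Refusing to broadcast when `findLeakedSecrets(body)` returns anything catches the mistake before the post is on chain; a password chosen by hand does not have this shape and will not be detected.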
Reminds me of this article that I read yesterday: Trapped in an 'AI labyrinth': One company's plan to stop bots scraping content for AI training.
It's not quite the same, but I have often wondered if there would be any benefits to automatically posting fake keys/passwords as a defensive measure that would make key stealing more expensive for bad actors.
I thought you were testing it on purpose... Good thing you didn't post your main account's password.