Defacement / Phishing vulnerability in hive-db.com

avatar
(Edited)

Defacement / Phishing





You can see from the screenshot below that I was able to replace the content of the target website with my own content.



This vulnerability could be exploited by malicious users for phishing campaigns as the link shared with the potential victims has a trusted domain in it!


The mantainer (one of the top 30 witnesses) has now been notified in multiple ways.

Stay tuned for updates! Will tell you a bit more about it after it gets fixed
😎 👍


UPDATE 1:

The vulnerability reported above has now been fixed by @jesta. The problem though is worse than I though and I've found another similar vulnerability that allows me to store code in the site and execute it when the user visits that page:



The issue has not been patched but the site is now less uselful since if you use any html tag in your post, when you try to inspect it in hive-db.com it will now just display "Content not available".

image.png

The maintainer said that at the moment he cannot fix it in a better way as he is not actively maintaining this old project (back in the Steemit days it was called https://steemdb.com).

When i have a chance I will test it a bit more for vulnerabilities but after an initial check it seems safe now.



My side project: @keys-defender
- Keys protection(scan of transfers/posts/comments/others, auto-transfer to savings, auto-reset of keys)
- Phishing protection
- Re-posting detection
- Code injections detection


0
0
0.000
7 comments
avatar

Congratulations @gaottantacinque! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s) :

You received more than 4500 upvotes. Your next target is to reach 4750 upvotes.

You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @hivebuzz:

Update for regular authors
0
0
0.000