New feature: immediate auto-reply for PHISHING links and compromised domains

in #hive, 3 months ago (edited)


Last night I found a stored XSS vulnerability on hiveblockexplorer.com, and some Hive users were giving me "crap" because I disclosed it before the maintainer fixed it.

I know that maybe I should have waited longer, but at the same time:

  • I did not share the code of the exploit;
  • I had already been trying to reach @penguinpablo via multiple means;
  • There's no session to be compromised on that site (as I mentioned in the post, only the redirection bit is dangerous);
  • Hive frontends don't allow unsafe tags in posts either, so average users couldn't use the exploit even if they knew it.

To make up for it, I decided to add a feature that @guiltyparties asked me about a while back.


ANNOUNCEMENT:

Starting from today, @keys-defender will keep a list of known phishing links and compromised domains. As part of its scanning of new blocks added to the Hive blockchain, in addition to protecting leaked keys as usual, it will now automatically reply to any post or comment containing a known phishing link or compromised domain.

Until @penguinpablo fixes the XSS that I reported last night, a subpath of his site will be on the blacklist, in order to warn users of the potential threat.


Logs: [screenshot of the bot's log output]


Example of automated reply:

https://hive.blog/hive-193552/@keys-defender/antiphish-keys-defender-bot-1598120388219




FUTURE IMPROVEMENTS:

  • Check all transfer memos too for potential phishing attempts;
  • Allow the top 30 witnesses and whitelisted users to add a phishing link to my list simply by sending @keys-defender a memo structured like this: "phishing::https://evil-link.com";
  • Allow whitelisted users on my Discord server to add a phishing link using a command like "!phishing https://evil.com";
  • PS: periodically query a few services that publish known phishing domains as soon as they are discovered (I may charge users a little for this additional service, though, as those APIs are not free).
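To show the two checks described above (matching a post body against a blacklist that mixes whole domains with single subpaths, and accepting "phishing::<url>" memos only from authorized accounts), here is an added example written for this post; it is not @keys-defender's own code. The blacklist entries, the sample post text and the authorized-user set are all constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample blacklist: a whole domain (subdomains included) and a single
# subpath of an otherwise legitimate site. Placeholders, not the bot's real list.
BLACKLIST = [
    "evil-link.com",
    "legit-explorer.example/vulnerable/subpath",
]

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def parse_entry(entry):
    """Normalize a blacklist entry into (host, path_prefix); path is '' for whole domains."""
    entry = re.sub(r"^https?://", "", entry.strip().lower())
    host, _, path = entry.partition("/")
    return host, ("/" + path).rstrip("/") if path else ""


def host_matches(url_host, bl_host):
    """Exact host or any subdomain of the blacklisted host."""
    return url_host == bl_host or url_host.endswith("." + bl_host)


def find_phishing_links(body, blacklist=BLACKLIST):
    """Return the URLs in a post/comment body that hit a blacklist entry."""
    rules = [parse_entry(e) for e in blacklist]
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?")  # trailing sentence punctuation is not part of the link
        parsed = urlparse(url.lower())
        host, path = parsed.hostname or "", parsed.path.rstrip("/")
        for bl_host, bl_path in rules:
            if not host_matches(host, bl_host):
                continue
            # Whole-domain entry, or the URL path is the blacklisted subpath or below it.
            if not bl_path or path == bl_path or path.startswith(bl_path + "/"):
                hits.append(url)
                break
    return hits


def parse_report_memo(memo, sender, authorized):
    """Parse a 'phishing::<url>' memo; return the entry to add, or None if rejected."""
    if sender not in authorized:  # only witnesses / whitelisted users may add entries
        return None
    prefix, sep, target = memo.strip().partition("::")
    if not sep or prefix.strip().lower() != "phishing":
        return None
    host, path = parse_entry(target)
    if "." not in host:  # reject garbage such as "phishing::foo"
        return None
    return host + path
```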


If you want to notify me promptly of phishing campaigns happening on Hive, tag me or the other users in my Discord: https://discord.gg/SXuwsH7. Alternatively, join the HiveWatchers (@hivewatchers) Discord and they'll add it themselves once the improvements above are ready.