This Vulnerability May Allow Hackers to Steal Your Ether

Today we’re going to look into a new scam method. Do not confuse it with the allowance-approve scam (which targets ERC20 tokens, not Ether; revoke.cash or unrekt.net can be used to revoke such approvals).

Source: graph.org/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30–DeFi-03-31

In the presented attack, scammers may steal your Ether!

Use this information for educational purposes only ❗️

Background

Recently, a large number of scam websites like the one shown in the video have started appearing on the web. All such sites share the same structure, which tells us one thing: they are all made and run by a single person, or we are dealing with some kind of MaaS.

When you enter the site you are asked to sign a message. You sign it, because everyone knows that simply signing a message through MetaMask is harmless and should be safe, right? But no: MetaMask does warn you with an alert, yet inattentive users sign the message anyway, and then the most interesting thing happens: a transaction is sent to the scammer’s address with all your Ether. Yes, with a simple message signature they can send a transaction on your behalf!


How does it work in detail?

Let’s not go too deep into the technical details; instead, let’s get as superficial and rough a handle on the matter as possible. There are different ways to sign messages (for example personal_sign), and MetaMask warns you for only one of them: eth_sign. The reason is the simple string “\x19Ethereum Signed Message:\n”, but how can it matter so much?

First, let’s understand the order in which each of these two types of signatures is signed:

eth_sign: message -> hash(message) -> JSON-RPC request -> display request -> sign request

personal_sign: message -> JSON-RPC request -> display request -> hash(message) -> sign request

As we can see, in eth_sign the hashing comes first and “\x19Ethereum Signed Message:\n” is added afterwards, whereas in personal_sign “\x19Ethereum Signed Message:\n” is added first and the hashing happens after it. So with eth_sign we can pass a message containing all the transaction data, strip out the unnecessary “\x19Ethereum Signed Message:\n” and obtain a signed transaction, which now only needs to be broadcast, and that’s it: the attack has succeeded!
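A worked illustration of the two signing orders above, added here as an example and not taken from the article or from MetaMask’s code. It implements Keccak-256 in plain JavaScript so it runs without dependencies (Node.js, which supplies BigInt, TextEncoder and Buffer), builds the personal_sign digest the way the prefix rule describes, shows that eth_sign hands the wallet a raw 32-byte digest unchanged, and ends with a defender-side gate; the JSON-RPC request shape and all function names are assumptions.

```javascript
// Added example, not code from the article: a dependency-free Keccak-256 (Ethereum's
// pre-NIST padding) and the two digest paths the article compares.
const RC = [0x1n, 0x8082n, 0x800000000000808an, 0x8000000080008000n, 0x808bn, 0x80000001n,
  0x8000000080008081n, 0x8000000000008009n, 0x8an, 0x88n, 0x80008009n, 0x8000000an,
  0x8000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n,
  0x8000000000008002n, 0x8000000000000080n, 0x800an, 0x800000008000000an,
  0x8000000080008081n, 0x8000000000008080n, 0x80000001n, 0x8000000080008008n];
const ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14];
const M64 = (1n << 64n) - 1n;
const rotl = (v, n) => (n ? ((v << BigInt(n)) | (v >> BigInt(64 - n))) & M64 : v);
function keccakF(A) { // keccak-f[1600] on 25 BigInt lanes; lane (x, y) lives at A[x + 5y]
  for (let r = 0; r < 24; r++) {
    const C = [0, 1, 2, 3, 4].map((x) => A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20]);
    for (let x = 0; x < 5; x++) { const D = C[(x + 4) % 5] ^ rotl(C[(x + 1) % 5], 1); // theta
      for (let y = 0; y < 25; y += 5) A[x + y] ^= D; }
    const B = []; // rho + pi
    for (let x = 0; x < 5; x++) for (let y = 0; y < 5; y++) B[y + 5 * ((2 * x + 3 * y) % 5)] = rotl(A[x + 5 * y], ROT[x + 5 * y]);
    for (let x = 0; x < 5; x++) for (let y = 0; y < 5; y++) // chi
      A[x + 5 * y] = B[x + 5 * y] ^ ((~B[((x + 1) % 5) + 5 * y] & M64) & B[((x + 2) % 5) + 5 * y]);
    A[0] ^= RC[r]; // iota
  }
}
function keccak256(bytes) { // bytes: Uint8Array; rate 136, pad10*1 with Keccak's 0x01 domain byte
  const rate = 136, p = new Uint8Array(Math.ceil((bytes.length + 1) / rate) * rate);
  p.set(bytes); p[bytes.length] ^= 0x01; p[p.length - 1] ^= 0x80;
  const A = new Array(25).fill(0n);
  for (let off = 0; off < p.length; off += rate) { // absorb 17 little-endian 64-bit lanes per block
    for (let i = 0; i < 17; i++) for (let b = 0; b < 8; b++) A[i] ^= BigInt(p[off + i * 8 + b]) << BigInt(8 * b);
    keccakF(A);
  }
  const out = new Uint8Array(32); // squeeze: first four lanes, little-endian
  for (let i = 0; i < 32; i++) out[i] = Number((A[i >> 3] >> BigInt(8 * (i & 7))) & 0xffn);
  return out;
}
const hex = (u8) => Buffer.from(u8).toString("hex");
const PREFIX = "\x19Ethereum Signed Message:\n"; // 26 bytes, followed by the message byte length in decimal
// personal_sign: the wallet builds PREFIX + length + message and hashes the whole thing itself.
function personalSignDigest(message) {
  const msg = new TextEncoder().encode(message), head = new TextEncoder().encode(PREFIX + msg.length);
  return hex(keccak256(new Uint8Array([...head, ...msg])));
}
// eth_sign: the 32 bytes the site sends ARE the digest that gets signed; nothing is prefixed.
function ethSignDigest(hexParam) {
  const raw = Buffer.from(hexParam.replace(/^0x/, ""), "hex");
  if (raw.length !== 32) throw new Error("eth_sign expects exactly 32 bytes");
  return hex(raw);
}
// Defender-side gate for dapp or wallet middleware (assumed JSON-RPC {method, params} shape).
const isSafeSignRequest = (req) => req.method === "personal_sign";
```

Because the prefix is hashed together with the message, a personal_sign digest can never coincide with the hash of an unprefixed transaction, which is exactly the property eth_sign lacks.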

Don’t be afraid of all signatures

If your signature request is suspicious, MetaMask notifies you with a big red alert (as in the video); in all other cases signing a message is a completely safe action that merely confirms you are the owner of the wallet, and the site does not obtain your private keys or any other secret information from you!

Here is the repository with the exploit code:


Authors: nitter.net/ortomichDev, nitter.net/officer_cia

Support is very important to me; with it I can spend less time at work and do what I love: educating DeFi & Crypto users!



If you want to support my work, you can send me a donation to the address:

Also published here.
