IMPORTANT: I have found a major VULNERABILITY in STEEM!

in #steem, 7 years ago (edited)

Dear Steemians,
I have found an exploit that enables a malicious person to create an army of fake accounts that can be used to upvote any posts that person makes, earning him hundreds if not thousands of dollars! If we want Steem to survive then this exploit should be addressed as soon as possible! This is how the exploit works.
First you create a temporary Email at a website like http://www.throwawaymail.com/en or https://10minutemail.com/10MinuteMail/index.html?dswid=-8738

These websites allow you to quickly make a disposable Email address that can be used to receive the steem account activation link on. Once you have activated the Steem account the temporary Email address will be deleted within a few minutes to 48 hours (depending on which website you use).
After the account activation you have to verify the account with your cellphone number. You get a security SMS sent to your phone and you need to use that to verify your account. One may think that this dissuades anyone from trying to make multiple accounts for upvoting. However, one does not need to own hundreds of cellphone numbers in order to make multiple Steem accounts.

There are actually websites that allow you to use hundreds of different cellphone numbers for free. You can use those numbers to receive verification SMS messages on. Those messages then appear on the website or are emailed to you. There are at least 2 websites that enable you to do this. The first one is https://smsreceivefree.com/ and the second one is https://tempophone.com/ . The first one alone holds 60 telephone numbers that can be used to receive free SMS messages on. Furthermore, these 60 telephone numbers get replaced by completely new telephone numbers after every month passes! This means a hacker could make an army of 760 upvoting “followers” in just 12 months using this website alone! Like I said, there are more websites like these, so the actual number of fake accounts could be much higher than this. This exploit has the potential to decrease the price of Steem dramatically because it will drain the system by sending rewards to those who do not deserve to be rewarded (because they are basically upvoting themselves).

The creators of STEEM can take the following measures to prevent this exploit from being used (again).

  1. Blacklist all phone numbers that appear on websites like smsreceivefree.com and ban anyone who is trying to sign up with one of these phone numbers.
  2. Make two factor authorization (2FA) a mandatory login procedure. If people have to use the same phone number over and over again to log in, then there is no longer an incentive to use disposable phone numbers.

People might already have used this exploit in the past. If this is the case then these people and their fake accounts should be flushed out of the system as soon as possible because they are destabilizing the Steem community. I recommend the following measures to be taken against these people:

  1. Resend verification codes to all registered phone numbers and tell people that they should again verify their accounts with the codes sent. Anyone who fails to do so in 48 hours either has something to hide or is simply no longer using the Steem community. People who used disposable phone numbers probably won’t be able to re-verify because the phone number they used is no longer available. So they’ll be identified very easily.
  2. Resend an activation link to all the Email accounts used to open a Steem account. If people used a temporary/disposable Email address, then they won’t be able to click on the activation link sent. Accounts that are not verified by activation link should be disabled.

Please upvote and resteem this post so that people may know about the existence of this exploit and action can be taken as soon as possible. Only together can we make a stronger Steem community!

EDIT: It's already happening: https://bitcointalk.org/index.php?topic=1990048.0
This guy has made a bot that does the exact same thing I'm describing in this article. Steemit is doomed.

Yours truly,
Codix
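The two sets of measures in the post (refusing shared-SMS numbers and disposable e-mail domains at signup, and a re-verification sweep of existing accounts with a 48 hour deadline) can be turned into a concrete check. The Python below is an added example written for this page, not code from Steemit or from the post's author; the domains are the ones named in the post, while the phone numbers, the existing-account counts and the account timeline are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Domains named in the post. A deployment would refresh these lists regularly;
# the post notes that the shared numbers are rotated every month.
DISPOSABLE_EMAIL_DOMAINS = {"throwawaymail.com", "10minutemail.com"}

# Constructed placeholders standing in for numbers collected from the shared-SMS
# providers named in the post. Stored normalised (see normalize_phone) so that
# formatting tricks cannot dodge the blocklist.
SHARED_SMS_NUMBERS = {
    "+15550100001": "smsreceivefree.com",
    "+15550100002": "smsreceivefree.com",
    "+447700900123": "tempophone.com",
}

# Constructed: how many existing accounts already verified with each number.
EXISTING_PHONES = Counter({"+15550100003": 2})


def normalize_phone(raw: str) -> str:
    """Reduce a number to '+' followed by digits only, so spaces, dashes,
    parentheses or a 00 international prefix all map to one canonical form."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("00"):
        digits = digits[2:]
    return "+" + digits


def email_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def screen_signup(email: str, phone: str, existing_phones: Counter = None) -> list:
    """First recommendation: return the reasons a signup should be refused or
    held for review. An empty list means nothing on this screen matched."""
    existing_phones = existing_phones if existing_phones is not None else Counter()
    reasons = []
    if email_domain(email) in DISPOSABLE_EMAIL_DOMAINS:
        reasons.append("disposable e-mail domain")
    number = normalize_phone(phone)
    if number in SHARED_SMS_NUMBERS:
        reasons.append(f"phone number listed on shared-SMS service {SHARED_SMS_NUMBERS[number]}")
    if existing_phones[number]:
        reasons.append(f"phone number already used by {existing_phones[number]} account(s)")
    return reasons


# Constructed timeline for the re-verification sweep.
T0 = datetime(2017, 6, 1, 0, 0)            # moment the re-verification requests went out
SWEEP_NOW = T0 + timedelta(hours=50)       # sweep runs two hours after the 48 h window
SAMPLE_ACCOUNTS = [
    {"name": "alice", "sent_at": T0, "phone_confirmed": True, "email_confirmed": True},
    {"name": "bot_07", "sent_at": T0, "phone_confirmed": False, "email_confirmed": True},
    {"name": "bot_08", "sent_at": T0, "phone_confirmed": False, "email_confirmed": False},
    # asked 40 h ago: still inside its own window, must not be flagged yet
    {"name": "late_joiner", "sent_at": T0 + timedelta(hours=40),
     "phone_confirmed": False, "email_confirmed": False},
]


def reverification_sweep(accounts, now, window=timedelta(hours=48)) -> list:
    """Second recommendation: every account was sent a fresh SMS code and a fresh
    activation link at 'sent_at'. Accounts whose window has elapsed without both
    confirmations are returned as candidates for disabling."""
    flagged = []
    for acct in accounts:
        if now <= acct["sent_at"] + window:
            continue                      # deadline not reached yet
        if not (acct["phone_confirmed"] and acct["email_confirmed"]):
            flagged.append(acct["name"])
    return flagged


if __name__ == "__main__":
    for email, phone in [("alice@example.org", "+1 555 010 9999"),
                         ("x@10minutemail.com", "+1 (555) 010-0001"),
                         ("y@example.org", "0015550100003")]:
        print(email, phone, "->", screen_signup(email, phone, EXISTING_PHONES) or "clean")
    print("disable candidates:", reverification_sweep(SAMPLE_ACCOUNTS, SWEEP_NOW))
```

The screen returns reasons rather than a bare yes/no so that an operator can hold a signup for review instead of hard-rejecting it; the reuse count is the cheap signal that still works after a shared number has rotated off the public list. The sweep keys the deadline on when each account was asked, so a later batch of requests does not get swept before its own 48 hours have passed.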


Well, it's been 2 hours since I posted and the (media) attention has been overwhelming.. why do I get the feeling only the whales get any piece of the pie? You know, the guys who already had a following on YouTube and asked their followers to sign up here as well.

I have tried to spread the word... I resteemed it.... But I don't have real followers.... No one read it... sorry..

It's ok my friend, why make a fuss about Steem, right? Let's all buy the upvote bot from this thread https://bitcointalk.org/index.php?topic=1990048.0 and become super rich instead. Because clearly nobody gives a shit.

How are they generating money if their account value is 0 and therefore their upvotes are worth $0 as well?

Could you explain to me how I'm able to upvote pretty much anyone I want and how this results in some people winning money, and others losing? I thought upvoting was always a positive thing!

This is what I mean, I voted for myself but no money?

Maybe you should do some homework on how Steemit works :) the value of your votes is linked to your Steem Power. If you have no SP, your votes will be worth $0.

You can upvote any post you like and upvoting is a positive thing. You won't make anyone lose money by upvoting their content.

Wow, if they are really making a lot of fake accounts the way you mentioned, Steemit needs to do something quick. I like your suggestion of two-factor authentication every time you log in; that would avoid fake accounts such as this.

The @OriginalWorks bot has determined this post by @codix to be original material and upvoted it!


To call @OriginalWorks, simply reply to any post with @originalworks or !originalworks in your message!

Congratulations @codix! You have completed some achievement on Steemit and have been rewarded with new badge(s):

Award for the number of upvotes
Award for the number of comments
Award for the number of upvotes received

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

fuck yeah!

my mother burst out in tears when I told her about what I have achieved. She always knew I would do great things some day... Can't wait to earn the next set of badges!

@geniusloci
https://bitcointalk.org/index.php?topic=1990048.0
This guy is doing exactly what I was trying to warn about.. Steem is dead!

Dear @codix, please do some research on how Steemit works before you post stuff like this. In order to make these bots work, they have to be loaded with SP, which costs money or needs content. You can also just load your own account with $1250 and upvote your own content. Or use upvote bots on Steemit. Steemit is still in beta and of course not every gap of abuse has been closed yet. Let's talk again in a year ;)

@geniusloci what do you make of this then? https://s3.amazonaws.com/yabapmatt/bottracker/bottracker.html#bid People are selling upvoting bots..

This paints the real picture of Steemit....

Indeed it does.. such a pity