Bug Found in Steemit Sign-Up Option: Needs Urgent Attention ||@dev-pro

Posted in S4 Young Journey, 22 days ago

Bug Found By :Aftab Irshad
#Pakistan



[Image: DALL·E illustration of a website sign-up process with a highlighted security vulnerability]

My name is Aftab Irshad, I am from the Okara district of Pakistan, and I am a small coder. My purpose in pointing out this mistake is not to belittle anyone; rather, everyone can make mistakes. There are more senior people on Steemit than me, but no one has noticed this error. I think no one has done this kind of test. I have done many tests, and everyone knows that there is an error: it has become very difficult to create accounts, and there is an error with the phone numbers of almost every country. This bug would get around all those errors, but that is the wrong way. So I want this post of mine to be considered, and this bug must be fixed, otherwise it will do a lot of damage to Steemit.

What bug have I found?

I have found a loophole in Steemit's signup so that an account can be created without a phone number or email. This is Steemit's weak point. I know that Steemit gives almost 10 Steem Power, and by the way there are three Steem fees, but it creates the account with RC credits.

I want to tell you clearly.

These screenshots I have taken are my own, I have not copied them from anywhere, nor have I edited them. If you want, I can also make a video of it and give it to you.

I will inform you about it step by step.

Step 0

This is my PC.
Screenshot (146).png

Step 1

Open Burp Suite

Screenshot (148).png

Screenshot (150).png

Step 3

I opened the Burp Suite browser.
Well, I'm not teaching, so I don't have to tell you, but I will say that after opening the Burp Suite browser, it is necessary to set up the proxy (proxy 127.0.0.1, port 8080) and also install the certificate. Apart from that, it is difficult to do; it won't be easy.

Screenshot (154).png
You can see that I wrote a random username and a random email, and when I entered the OTP I got an error and the OTP was not accepted. This is where the bug starts. Now I will unlock Burp Suite and enter its OTP without the original OTP.

Step 4

Turn on interception in the Burp Suite. You will find it in the proxy section.
Screenshot (155).png

Step 5

Now if I enter the same OTP again, its first request will show up in Burp Suite.
Screenshot (156).png

Step 6

I can use this to intercept the request and also manipulate the response.
Screenshot (165).png

Step 7

On the right side you can see the response I got from the server. If I forward it unchanged, I will get the embedded OTP error. If I change the server response, I can pass it.
Screenshot (158).png
Now, there are only two things to change in this response, one in the header and one at the bottom. If anyone wants to reuse my method, they must watch the time, otherwise the token will expire. There is also a token in it, but I can't explain it to you. If there is a good coder, he will understand. Steemit is a blockchain-based website; it also has another token, which can also be passed, and time should also be taken into account. There is one more thing, but if I tell you that, Steemit will suffer a lot, so I cannot tell you that part.

Step 8

You have to change the response on the right side in the way I am telling you. You can see in the picture how it has been changed. Change the 400 Bad Request error to 200 OK.
Screenshot (161).png
Change the first line to: HTTP/2 200 OK
Bottom change, in the { } under the text: {"success":true}
All done.

Step 9

Check This
Screenshot (162).png
OTP done: I have used this OTP because the server never sends such an OTP, so that no one following the sequence thinks it was actually sent and used.

Step 10

You can see that the phone number gives the same error. I did not use my phone number; it is a random number. Do not try to call anyone.
Screenshot (163).png

Step 11

Already explained in previous steps.
Screenshot (164).png

Step 12

Already explained in previous steps.
Screenshot (165).png

Step 13

Already explained in previous steps. This also needs to be changed in the same way I changed it in the picture. Then forward.
Screenshot (166).png

Step 14

You can see that it has been ticked without entering the original OTP for the email and phone number.
Screenshot (168).png
I think if all this is okay, then you must have understood that it needs to be fixed, but I will give you a step-by-step guide.

Step 15

Screenshot (169).png
I have done almost everything. I will not take any further steps. You all know that the file will be available. But I do not want to create any account in this way and have my name involved in illegal work, so I am stopping it right here. You won't find the account I wrote inside it on Steemit because I ended it right there and didn't continue.


My opinion on how to fix this.

Advice 01

I understand that smarter people than me are working on Steemit, but my advice is that the time must be calculated. If the response comes after more than 30 seconds, it should not be forwarded; that will stop it, or you can set it to 15 seconds. So much time will pass while editing the response that he will not be able to create an account. But a Python script can do all this. This is a solution for a beginner.

Advice 02

By the way, Steemit is a blockchain-based website; it is not difficult to compute a token in it. I would suggest that a token be placed behind the OTP of the email and phone number, meaning that each time a token is received, and when both of those tokens reach the final step on the server, those tokens should be checked to see whether they have already been verified or not. If a token is not verified, then there is no way to get the account. It is quick, but nothing is impossible.
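As an added example (not Steemit's code, and not part of the original post), the following Python sketch shows how Advice 01 and Advice 02 fit together on the server: each OTP is checked only server-side and expires after 30 seconds, a successful check returns an HMAC-signed token bound to that email or phone number, and the final registration step re-verifies both tokens. Because the verdict is recomputed on the server, an intercepted browser response edited to `{"success":true}` changes nothing. The secret, the lifetimes, the in-memory store and the function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this demo (not Steemit values): a server-side secret and two lifetimes.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
OTP_TTL_SECONDS = 30          # the post suggests 30 seconds (or 15) for the OTP step
TOKEN_TTL_SECONDS = 10 * 60   # how long a "this contact is verified" token stays valid
MAX_GUESSES = 5               # guesses allowed per issued OTP

# Pending OTPs live only on the server: contact -> {"otp", "issued", "attempts"}
_pending = {}


def issue_otp(contact, now=None):
    """Create a 6-digit OTP for an email or phone number and remember it server-side.
    The OTP is delivered out of band; it must never appear in the HTTP response."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    _pending[contact] = {"otp": otp, "issued": now, "attempts": 0}
    return otp


def _sign(claims):
    """HMAC-sign a claims dict; the browser can read it but cannot forge or alter it."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_otp(contact, submitted, now=None):
    """Check the OTP on the server. Returns a signed token bound to the contact on
    success, or None if the OTP is wrong, expired, reused or guessed too often."""
    now = time.time() if now is None else now
    entry = _pending.get(contact)
    if entry is None:
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_GUESSES or now - entry["issued"] > OTP_TTL_SECONDS:
        del _pending[contact]          # force a fresh OTP
        return None
    if not hmac.compare_digest(entry["otp"], submitted):
        return None
    del _pending[contact]              # one-time use
    return _sign({"contact": contact, "exp": int(now) + TOKEN_TTL_SECONDS})


def check_token(token, contact, now=None):
    """True only if the token is genuinely signed, unexpired and bound to this contact."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    body, mac = token.split(".")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims.get("contact") == contact and claims.get("exp", 0) > now


def register_account(username, email, phone, email_token, phone_token, now=None):
    """Final step: create the account only if BOTH contacts carry valid tokens.
    Whatever the browser displayed (e.g. an edited {"success":true}) is irrelevant here."""
    if not check_token(email_token, email, now):
        return {"success": False, "error": "email not verified"}
    if not check_token(phone_token, phone, now):
        return {"success": False, "error": "phone not verified"}
    return {"success": True, "username": username}
```

The design point is that the browser never holds anything the server trusts on its own word: the token is only useful because the server can recompute its HMAC, and the registration call fails closed when either token is missing, forged, expired or issued for a different contact.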

Advice 03

Apart from this, my third opinion is that the website should be connected to the firewall at all times. If the website is disconnected from the firewall for even a second, the page should be reloaded. Similarly, when the response is manipulated, the website will be disconnected from the firewall, the page will be reloaded, and the data behind it will be lost. So no one can create an account if the wrong method is used.

Advice 04

My fourth and best opinion is that the website server should send the response in encrypted form, so the coder will neither understand the response nor be able to decrypt it.

Why am I doing this kind of research?

I work on Steemit myself, and I don't want any compromise on customer security. By the way, Steemit is very secure. I have done many tests.

Login Security Update Please

I understand that the Steemit login page is encrypted and not cached, but while this is a problem for a small coder, for a good coder it is not a problem. I suggest that if a username is tried two to three times in a minute, and it is tried 10 to 12 times, the login of that username from the same IP should be blocked for half an hour. Steemit's password is very long and it is very difficult to brute-force, but if a group of computers is set up and the password space is divided into many parts, it can be done, though it will require a lot of effort.

Example

For example, if a password is very long:
123456789Example
So if we use five computers to brute-force this:
PC 1 brute-force: 000000000 to 2222222222
PC 2 brute-force: 333333333 to 4444444444
PC 3 brute-force: 555555555 to 6666666666
That's why I'm saying that cracking a password is not that difficult. If the password file is divided into parts and given to different computers separately, it can be done. Nothing is impossible. That's why I'm saying that people's timing should be checked. If multiple logins are made with the wrong password, then logins should be blocked for half an hour.
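As an added example (not Steemit's code, and not part of the original post), here is the login throttle the section above asks for, in Python: failed attempts are counted per (username, client IP), and once 10 failures land inside a one-minute window, that pair is refused for half an hour, even if the right password is then supplied. The thresholds follow the post's numbers; the one-minute window, the in-memory store and the plain-text demo user table are assumptions made for the example.

```python
from collections import defaultdict, deque
import hmac

MAX_FAILURES = 10          # the post suggests blocking after 10 to 12 attempts
WINDOW_SECONDS = 60        # failures are counted within one minute (an assumption)
BLOCK_SECONDS = 30 * 60    # half an hour, as the post proposes


class LoginThrottle:
    """Tracks failed logins per (username, ip) and enforces a temporary block."""

    def __init__(self):
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> time at which the block lifts

    @staticmethod
    def _key(username, ip):
        return (username.lower(), ip)

    def is_blocked(self, username, ip, now):
        key = self._key(username, ip)
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[key]     # block has expired
            return False
        return True

    def record_failure(self, username, ip, now):
        key = self._key(username, ip)
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            self._blocked_until[key] = now + BLOCK_SECONDS
            recent.clear()

    def record_success(self, username, ip):
        self._failures.pop(self._key(username, ip), None)


# Constructed demo credential store (username -> password). Plain text only to keep
# the example short; a real service stores salted password hashes.
_USERS = {"aftab": "123456789Example"}


def attempt_login(throttle, username, password, ip, now):
    """Return 'ok', 'bad_password' or 'blocked'. The block is checked first, so
    a correct guess during the block period is still refused."""
    if throttle.is_blocked(username, ip, now):
        return "blocked"
    stored = _USERS.get(username, "")
    if stored and hmac.compare_digest(stored, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip, now)
    return "bad_password"
```

Keying on both username and IP means the machines in the post's split brute-force each get at most ten guesses per half hour against one account, while a legitimate user on another network is not locked out by someone else's attempts; in production the counters would live in a shared store such as Redis rather than process memory, and a per-account counter across all IPs would usually be added alongside.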

My introduction post

Achievement 1: Introducing myself on Steemit.


Thanks for reading. Please share, Steemit Team.

Special Mention
cc:
@the-gorilla
@steemitblog
@steemcurator01
@steemcurator02
@steemchiller


Hi, thank you for your test.

I see this is not a complete test. Actually the program will check all the information again in the final step on the server side before writing the register data to the blockchain.

You use Burp Suite to edit the response, and that tricks the frontend in the browser. It will not influence the final step on the server side.

Anyway, thanks again for testing.

16 days ago

Greetings, @ety001
Thanks for your response.
I need a new task, please.