A well known crypto security expert has is warning users that their funds are potentially at risk if they are not using a hardware wallet.
If you are using metamask, consider moving your funds to a more secure location until more information is known. There have been multiple reports of metamask wallets being drained. All information currently known suggests the victims were phished, but all known victims use metamask.
If you use Brave Browser it has built-in crypto wallet with support for a hardware wallet and supports Metamask protocols (can be used in replacement of Metamask).
If you are not using a hardware wallet, I highly recommend you get a Trezor or a Ledger from a reputable source.
Why you should vote me as witness
Posted Using LeoFinance
I've always been suspicious of Metamask's security, web browsers have traditionally been terrible with security and building a secure application on top of them is a recipe for disaster.
The state of Hive is even worse in terms of security, the only widely implemented options for authentication management here are Hive Keychain and HiveSigner. One is an extension, and one is served from a web server with seemingly no offline/standalone version. Not only that, HiveSigner is served through Cloudflare, which means users of Hivesigner have to trust Cloudflare, the developer of Hivesigner, and the server host of Hivesigner not to maliciously inject password stealing code in the page.
You should not trust any webpage served through Cloudflare, what little decentralisation Hive has is completely negated by the fact that every major in-browser application for accessing Hive is served through Cloudflare.
If a major adversary, such as the US government, wanted to destroy Hive, they could obliterate the entire platform within hours by forcing Cloudflare to inject malicious code into every major Hive website that burned everyone's tokens and reset their keys.
If they wanted to completely destroy public trust of Hive, they could do so for a mere few minutes. Such a short time would be very unlikely to be caught by anyone before it's too late and Hive would be blamed for the losses caused.
The only thing preventing Cloudflare from silently mass collecting data on Hive users right now, and the reason I've stuck around, is the fact that the actual API endpoints don't go through Cloudflare. Either developers were smart enough to realise that Cloudflare is a major security risk, or Cloudflare broke API access so often that they were forced to use direct access for the API.
The few people well versed in security would be able to manually check for a compromised page before trusting it, however that takes up quite some time and is not applicable to the average user.
The only method I've found so far for accessing Hive that can be trusted not to suddenly be compromised by a third party one day is Ecency-Mobile/Esteem-Surfer, as it's a standalone program saved locally on your device. However, Images are still served via Cloudflare, so if an image parsing vulnerability was found it could still lead to compromisation. Such a vulnerability is a much higher bar though and are often patched out extremely quickly before anyone manages to use them maliciously.
As for Hive Keychain, the other issues basically make it irrelevant, though it does seem to have less single points of failure than HiveSigner does.
Cloudflare is a direct enemy of decentralisation, they've managed to siphon a massive chunk of the internet through their servers and currently have the biggest data collection system in the history of the internet. Regardless of if they're using said system right now to harvest data, they are not to be trusted in the slightest as they could just as easily begin using it without anyone knowing.
I may make a dedicated post about Cloudflare, and possibly one about the failings of Hive. There's great potential in Hive and it would be good to see it overcome its current failings.
Corporations are not our friends, they are an enemy to democracy, privacy, and freedom.
Hive has the advantage that the government won't have any reason to shut it down. If they shut down hive, this means they shutdown bitcoin before. If they shut down bitcoin, then all cryptos will be shutdown.
Browser extensions are safe enough for hive, especially if one day the ledger integration pans out and becomes usable in browser.
Also, the powerdown is the most secure feature that any crypto can have. You get hacked, yet no one can steal your funds, and then you just need to change the password regularly for 100% certainty that nothing gets stolen.
The thing is, they can't shut down Bitcoin unless they take out nearly the entire internet along side it. It's been decentralised in a way that makes that near impossible.
They can cripple it, sure, but decentralised exchanges exist, and an attempted ban of bitcoin would just bring even more attention to it. It would be ultimately be a good thing in the long run if a major government attempted to ban Bitcoin.
An attempted ban by a major government is essentially a massive stamp of approval saying that the technology works and they can't control it.
Just look at Russia, they've been trying to crack down on cryptocurrencies as well as usage of privacy tools like Tor, I2P, and Freenet. The results have been a complete backfire so far and have lead to even more usage.
You can see Tor's usage increasing in Russia over the last three years here. I expect tor usage will go up even more with the upcoming release of Tor Browser 10.0. If you're in a country with uncensored internet, I highly recommend installing Tor's Snowflake extension as it will help out those who do have censored internet.
not really. you can still get fished, like the people that fell to this scam. nothing to do with metamask
It has everything to do with metamask as the phish is acting as a legitimate version of metamask.
no, it's a fake website. doesn't matter how you connect to it if you use bogus TX/contracts
I understand that, but the people affected are metamask users.
guy is not the brightest lamp of CT
LOL hahaha. omg.
Transferred to my Trezor anyway. Glad there's no threat.
How can you get phished on an already installed extension?
People are naturally stupid (including me)
To be honest, I don't like METHAMASK.
what is methamask? i do find metamask useful for small amounts and daily transactions
Metamask is a browser extension that lets you run DAPPS without being part of the Ethereum network as an Ethereum Node.
Does the Trezor and Ledger work with all exchanges worldwide?
Can you keep multiple wallets on one hardware?
Thanks Mark
Yes, and yes.
A hardware wallet acts as a private wallet that only you have access to. You can send and receive from exchanges.
What happened to metamask is no hacking but more on user side stupidity, sorry my bad.
Why ???
Damn, gladly I dont have much assets to stress myself out, but still its all risky
다운보팅 고마해라~! 디진다~!