SlowMist security team warns of an EOS account security threat. The team noted that EOS wallet developers must strictly check node confirmation (at least 15 confirming nodes) before telling the user that an account has been created successfully. If this is not judged properly, a fake-account attack can take place.
How does the attack take place?
The attack can occur when a user registers an account through an EOS wallet and the wallet reports that registration succeeded, but because the check is not rigorous, the account has not actually been registered yet. The user then uses that account to withdraw funds from an exchange. If any part of the process is malicious, the user may end up withdrawing funds to an account that is not his own.
How to defend against the attack?
Poll the node, wait for the irreversible block information, and only then report success. The specific technical procedure is: call push_transaction to obtain the trx_id, then query the POST /v1/history/get_transaction interface and check in the returned data that block_num is less than or equal to last_irreversible_block, which means the transaction is irreversible.
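The confirmation check described above, written as an added example (not the wallet vendor's or SlowMist's code): the wallet treats account creation as final only when the transaction's block_num is at or below last_irreversible_block, and it keeps polling until then. The history API is replaced by a constructed in-memory stand-in so the logic runs offline; field names follow the real get_transaction response.

```python
"""Confirm an EOS transaction is irreversible before reporting account creation.

Added example. Mirrors the procedure in the article: after push_transaction
returns a trx_id, poll POST /v1/history/get_transaction and accept success only
when block_num <= last_irreversible_block. Network access is stubbed out.
"""
import time


def is_irreversible(tx_info: dict) -> bool:
    """True only when the transaction sits in an irreversible block.

    tx_info is the JSON body returned by /v1/history/get_transaction, which
    carries both block_num and last_irreversible_block.
    """
    block_num = tx_info.get("block_num")
    lib = tx_info.get("last_irreversible_block")
    if block_num is None or lib is None:
        return False  # missing data: never assume success
    return int(block_num) <= int(lib)


def wait_for_irreversible(fetch_tx, trx_id, attempts=10, delay=0.0):
    """Poll fetch_tx(trx_id) until the tx is irreversible or attempts run out.

    fetch_tx returns the get_transaction body, or None if the node does not
    know the transaction yet. A False result means the wallet must NOT show
    the account as created.
    """
    for _ in range(attempts):
        tx_info = fetch_tx(trx_id)
        if tx_info and is_irreversible(tx_info):
            return True
        time.sleep(delay)
    return False


def make_fake_history(lib_start: int, tx_block: int):
    """Constructed stand-in for the history API (not real chain data).

    Each call advances last_irreversible_block by two, simulating the chain
    finalising blocks while the wallet polls.
    """
    state = {"lib": lib_start}

    def fetch(trx_id):
        state["lib"] += 2
        return {"id": trx_id, "block_num": tx_block,
                "last_irreversible_block": state["lib"]}

    return fetch


if __name__ == "__main__":
    # tx in block 1005, LIB starts at 1000: irreversible on the third poll
    print(wait_for_irreversible(make_fake_history(1000, 1005), "abc123"))
```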
Separately, the blockchain security firm PeckShield recently assessed the security of EOS accounts and found that some users were using private keys exposed to serious security threats. They found that the root cause is that part of the key-generation tooling allows users to use weak mnemonic combinations, and a private key generated this way is more vulnerable to "rainbow table" attacks. It could even result in the theft of digital assets.
PeckShield wrote, "The essence of the threat is caused by an incorrect use of third-party EOS key-pair generation tools, including but not limited to EOSTEA. With user-provided seeds, these tools substantially help users generate their EOS key pairs."
They also added an explanation, stating, "... if a simple seed is chosen (by the user) and permitted (by the tool), the generated keys may be exposed and exploited by launching a rainbow table attack (or dictionary attack)." They noted in their blog post that, in order to protect affected owners, PeckShield will be launching a public service called EOSRescuer.