
Automated votes abuse on SteemConnect?

Today at 13:00 UTC, what looked like a massive automated voting run occurred on Steem. The SteemConnect API received a large number of requests to upvote and downvote the following posts without user approval:

We can see from the SteemConnect logs that a malicious actor used Utopian privileges to broadcast votes for users. If you have delegated posting authority to the @utopian.app, you may want to check your posting/voting history to see whether your account has been affected. If it has, we recommend that you undo those votes.

To check your history, go to https://steemd.com/@fabien (replace @fabien with your username).
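Reading a long history page by eye is error-prone, so here is an added example (written for this page, not SteemConnect's or Utopian's code) that does the same audit over a constructed account history: it keeps only vote operations cast *by* the account inside the incident window, ignores votes the account merely received, and builds the weight-0 votes that cancel the ones still standing. The record shape is an assumption based on what I recall of the condenser_api.get_account_history response; adapt the field names to what your node actually returns, and the hypothetical account @alice and post names are constructed.

```javascript
// Added example for this page, not code from SteemConnect or Utopian.
// Assumed record shape: [index, { trx_id, block, timestamp, op: [name, data] }]
// as returned by condenser_api.get_account_history (treat as an assumption).
//
// Constructed sample history for a hypothetical account @alice. Timestamps are
// UTC without a zone suffix, which is how steemd reports them.
const SAMPLE_HISTORY = [
  [40, { trx_id: 'a1', block: 22000001, timestamp: '2018-05-03T09:15:21',
         op: ['vote', { voter: 'alice', author: 'bob', permlink: 'my-post', weight: 10000 }] }],
  [41, { trx_id: 'a2', block: 22000500, timestamp: '2018-05-03T12:58:30',
         op: ['comment', { author: 'alice', permlink: 'hello', parent_author: '', parent_permlink: 'steem' }] }],
  [42, { trx_id: 'a3', block: 22001201, timestamp: '2018-05-03T13:00:03',
         op: ['vote', { voter: 'alice', author: 'target1', permlink: 'post-a', weight: 10000 }] }],
  [43, { trx_id: 'a4', block: 22001202, timestamp: '2018-05-03T13:00:06',
         op: ['vote', { voter: 'alice', author: 'target2', permlink: 'post-b', weight: -10000 }] }],
  // A vote *received* on alice's own post also shows up in her history; it is not her operation.
  [44, { trx_id: 'a5', block: 22001300, timestamp: '2018-05-03T13:05:00',
         op: ['vote', { voter: 'carol', author: 'alice', permlink: 'hello', weight: 5000 }] }],
  // The user already cancelled one of the injected votes by hand (weight 0 = unvote).
  [45, { trx_id: 'a6', block: 22001400, timestamp: '2018-05-03T13:10:00',
         op: ['vote', { voter: 'alice', author: 'target1', permlink: 'post-a', weight: 0 }] }],
];

// Votes cast by `account` (voter field, not author field) with timestamps in [fromIso, toIso).
function suspiciousVotes(history, account, fromIso, toIso) {
  const from = Date.parse(fromIso + 'Z');
  const to = Date.parse(toIso + 'Z');
  return history
    .map(([, rec]) => rec)
    .filter(rec => rec.op[0] === 'vote' && rec.op[1].voter === account)
    .filter(rec => {
      const t = Date.parse(rec.timestamp + 'Z');
      return t >= from && t < to;
    })
    .map(rec => ({ ...rec.op[1], timestamp: rec.timestamp, trx_id: rec.trx_id }));
}

// Keep only the latest vote per (author, permlink) and emit a weight-0 vote for
// each one still in force. On Steem a vote with weight 0 cancels the earlier vote,
// and one cancel per post is enough regardless of how many times it was re-voted.
function undoOperations(votes) {
  const latest = new Map();
  for (const v of votes) latest.set(`${v.author}/${v.permlink}`, v); // history is chronological
  const ops = [];
  for (const v of latest.values()) {
    if (v.weight === 0) continue; // already undone, nothing to broadcast
    ops.push(['vote', { voter: v.voter, author: v.author, permlink: v.permlink, weight: 0 }]);
  }
  return ops;
}

// Audit the constructed history for the incident window reported in the post.
function auditAlice() {
  const votes = suspiciousVotes(SAMPLE_HISTORY, 'alice', '2018-05-03T13:00:00', '2018-05-03T14:00:00');
  return { votes, ops: undoOperations(votes) };
}

module.exports = { SAMPLE_HISTORY, suspiciousVotes, undoOperations, auditAlice };
```

In a real run you would replace SAMPLE_HISTORY with the array fetched from a node and sign the returned operations with your own posting key from your own machine; that last step is deliberate, since the whole point is not to route the cleanup through the same third-party authorization that was abused.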

We’ve disabled the @utopian.app app and revoked all the access tokens on SteemConnect while this issue is being resolved. The Utopian team helped us identify the abuse early, and the SteemConnect server logs clearly show that the requests did not come from Utopian’s server IPs but from an external actor.

What happened?

Utopian asks for “offline access” when using SteemConnect. This gives the Utopian app the ability to issue a new access token for any of its users at any time, using what is called a “refresh token”; this is standard OAuth 2 usage. It appears that someone got access to Utopian’s database, where these refresh tokens were stored. The stolen refresh tokens were used to generate new access tokens and to broadcast votes from the affected accounts. If your account was affected, you had most likely granted offline access to Utopian.

Has SteemConnect been hacked?

No. The malicious actor sent requests to the SteemConnect API using Utopian’s refresh tokens, but did not have direct access to the SteemConnect server.

My account upvoted some posts without my approval. Are my keys safe?

Neither SteemConnect nor Utopian has access to any of your keys. The SteemConnect API uses posting authority delegation to broadcast posting operations on your behalf: the operations are signed by the @steemconnect account, not with your own keys. You are not giving SteemConnect your keys, only permission to use your account.

We are still investigating this issue and will post another update when we have more information.

Edit: You can read Utopian’s related post here: https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised