This Vulnerability May Allow Hackers to Steal Your Ether by@officercia



CIA Officer's Blog

Investigations & Researches


Today we’re going to look at a new scam method! Do not confuse it with the allowance/approve scam, which targets ERC20 tokens rather than Ether (to protect against that one you can use revoke.cash / unrekt.net).


Source: graph.org/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31


In the attack presented here, scammers can steal your Ether!


Use this information for educational purposes only ❗️

Background

Recently a large number of scam websites like the one shown in the video have started appearing. They all share the same structure, which points to one thing: they are either built and run by a single person, or we are dealing with some kind of MaaS.




When you open the site you are asked to sign a message. You sign it, because everyone knows that simply signing a message in MetaMask is harmless and should be safe, right? Not quite. MetaMask does show a warning, but inattentive users sign anyway, and then the interesting part happens: a transaction is sent to the scammer’s address with all your Ether! Yes, with a simple message signature they can send a transaction on your behalf!



How does it work in detail?

Let’s not go too deep into the technical details; a rough, high-level picture is enough. There are several ways for a site to ask your wallet to sign a message (for example personal_sign and eth_sign), and MetaMask shows its red warning for only one of them: eth_sign. The difference comes down to the simple string “\x19Ethereum Signed Message:\n”, which personal_sign adds and eth_sign does not. How can one string matter so much?


First, let’s look at the order in which each of the two methods processes what it signs:


eth_sign: message -> hash(message) computed by the website -> JSON-RPC request carrying only the 32-byte hash -> display request (MetaMask warns) -> sign the hash exactly as given

personal_sign: message -> JSON-RPC request carrying the readable message -> display request -> hash(“\x19Ethereum Signed Message:\n” + message length + message) computed by the wallet -> sign


The difference is where the hashing happens and what gets hashed. With eth_sign the website hashes first, and the wallet signs whatever 32 bytes it is handed, with nothing prepended. With personal_sign the wallet itself prepends “\x19Ethereum Signed Message:\n” and the message length before hashing, so the digest it signs is never the signing hash of a transaction: a legacy transaction is an RLP list whose first byte is at least 0xC0, while the prefixed payload always starts with 0x19. That is the whole trick: the scammer computes the signing hash of an unsigned transaction that sends your entire balance to their address, passes that hash to eth_sign, and the signature you produce is a valid signature for that transaction. They attach it to the transaction, broadcast it, and the attack is complete!

Don’t be afraid of all signatures

If a signature request is suspicious, MetaMask notifies you with a big red alert (as in the video). In other cases signing a message is a safe action that only proves you control the wallet: the site learns nothing about your private key or any other secret, and the signature alone cannot move your funds.


Here is the repository with the exploit code:



Use this information for educational purposes only ❗️



Authors: nitter.net/ortomichDev, nitter.net/officer_cia


Support is very important to me, with it I can spend less time at work and do what I love — educating DeFi & Crypto users!



If you want to support my work, you can send me a donation to the address:


