Back up your hard drives.
R.I.P. Hard Drive [*]
Here is the server log for exceptions & CPU during this event. You can see that blip there is for tipping invalid users :) Looks like CPU didn't do too bad. I don't have auto scale out enabled for the site (costs a bit more) - so this is just from a single A-Series Azure CPU. Once the site goes out of beta, I'll throw more funding at the server.
Very interesting! Do you do site penetration testing? Just asking for a friend 😉
Well, if you do find new bugs on zapread, you will get some reward (in the form of BTC). I don't have much of significance to give yet but I would try to give something. And I'm sure other site users would upvote your report too.
The website is open source: https://github.com/Horndev/zapread.com
If you find a new and significant flaw, then there is an issue tracker to report it (or via private chat on zapread).
I just came across this report about the Coinomi wallet. The private seed input box spell checks by sending the private see words in plain-text to google spell check. It's over https at least, but at least one user has reported their coins being swept out of their wallet. Someone with access to google's back end, or via another private API could be vacuuming up seed words.
Yikes!
Some gold in here.
The seed phrase wasn’t being transmitted in plain text, instead it was being encapsulated inside a HTTPS request
That still transmits your keys to google. It's plain text in the sense that it's not encrypted in the format, not the transport.
The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google
Well, they could have been logged as exceptions. Key word - logged.
I know that I have logs of all bad server requests - how else can I find out when things are broken?
This is disappointing..... to think that my funds could be in so much danger just because of a 3rd party software is ridiculous, why even use a 3rd party software anyways? Couldn't you have created your own? Why is spell check even enabled in the first place? I've lost quite a substantial amount of trust in Coinomi because of this....
I couldn't agree more with this comment.
It seems like I should switch mobile wallet for another, maybe TrustWallet, Coinomi isn't trustworthy anymore. Also, the source code is closed anyway.
I believe this is the same way the bitcoin gold hack worked, it's quite a clever way to do it as we're so used to seeing google everywhere you kind of ignore it.
An example of how you can manipulate search results in Google search.
https://www.wietzebeukema.nl/blog/spoofing-google-search-results
An interesting channel presenting the analysis of the hardware wallet in terms of electronic components.
https://www.youtube.com/watch?v=KGmyDiLrqSo
Uh oh - did something happen? I hope you didn't lose any funds. I learned this lesson some years ago, and now have a RAID backup server at home for anything sensitive. Well worth the cost! I had one hard drive fail, but it was all good, just hot swapped a new one in without any loss :)
Probably I lost only ~50 - 70 dollars. BTC are safe on Ledger. What happened, I don't know. Probably something with a data readhead.
Suddenly the computer crashed, and after the restart I heard "clicking". I thought it was PC Speaker that was signaling something, but after 5 minutes I realized it wasn't PC Speaker, and the disk was making so much noise :D
"no backup? no mercy!" - in times of ransomware backups are a must have!
True, but finding Ramsonware on Linux is difficult, they are not very popular.
They are not "popular" because most people use windows.
Tho', many malware developers go windows only.
BUT search a bit, and you'll find that there's plenty of linux/unix/whatever ransomware.
Since linux is often used for servers, you often see miners and stealing of data.
Databases (on linux) get encrypted by hackers, often, when they find an 0-day, they'd mass exploit everyone they find and leave a ransom note.
I remember this for example https://www.bleepingcomputer.com/news/security/b0r0nt0k-ransomware-wants-75-000-ransom-infects-linux-servers/