Keeping HIVE and its Projects safe - My Sunday dedicated to more secure Frontends on HIVE.
Many of you already know what I do on the side. I spend a good amount of my free time doing security analysis and penetration testing on web applications here in our Hive ecosystem. I do this voluntarily, without contracts or a fixed payment, which can sometimes lead to misunderstandings. But that is just how it is.
This morning, while enjoying my first coffee and scrolling through the Snaps on PeakD, I saw something new. A fresh frontend for skaters on Hive had just been released. Of course, I could not resist and jumped right into checking it for possible security issues. Unfortunately, I did not have to search for long before I came across vulnerabilities. It is something I have seen far too often in Hive projects.
I documented the details of what I found and sent everything directly to the Skatehive team. To their credit, they reacted quickly. They understood the situation immediately and began working on fixing the problems. After their first reply confirming the fix, I checked again and could not find any remaining issues. That is exactly how it should be. When there are security flaws in a public-facing frontend, sometimes every minute counts. A big thank you to the Skatehive team and especially to @xvlad for working so quickly and efficiently to close those issues.
Sadly, it is not always like this. In the past, I have often run into frontend developers who had no idea what I had just found. Many were not even aware of the risks these vulnerabilities carried. What makes it even harder is that I am using my own time, knowledge, and years of experience to help – and yet sometimes I do not even get a thank you. In a few cases, I have even been threatened or completely dismissed. That is frustrating, but as someone wearing the white or grey hat, I have to accept it.
It is a shame we do not have a bug bounty program on Hive. When you find security problems in a project that is doing very well financially, it feels strange not to have any formal recognition. I will not name the project yet, but I can say that there are still several very critical vulnerabilities in that frontend. At least one has a CVSS score of 8.1 (High) and could cause serious trouble if exploited. (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
No matter how much some people might laugh at or dismiss my work as a security researcher, at the end of the day we are all using a platform that deals with real money. For some, it is not a small amount either. This is why I will not stop doing what I do.
So that was my Sunday. Sitting at my PC with perfect sunshine outside, plenty of coffee, and now finally an evening beer. A day dedicated to keeping Hive a little safer.
Thanks for reading and see you next time.
This shows up when you try to do bad stuff now ;) GG
Do you like what I do? Vote for my Witness and show your Support.
Vote for my Hive Witness
U can vote for my Witness using Hive Keychain here: https://vote.hive.uno/@louis.witness
Vote for my Hive Engine Witness
Vote for my Witness on Hive-Engine using Primersion Tool: https://primersion.com/he-witnesses Enter your Username and search for louis.witness
Thank you for your help!!
Any public facing service is vulnerable and likely to be attacked these days. Thanks for caring. The Skatehive project looks really cool.
Are checks done generally on what goes into Hive posts? I assume it's possible to include malicious links, but would those get filtered out somewhere or do the front ends need to block specific posts or accounts?
!BEER
Yea, it's not easier in vibe-coding times with new services popping up daily. You're welcome, sir. Skatehive looks dope, yea. Most likely, content in posts is my first focus, 'cause it's the most obvious one. We also have a service running on a Discord server that checks every single post/comment on HIVE for links etc. and notifies us / the moderators/admins, so we see what's going on and are alerted very early. It's then up to the frontends to hide/mute etc. such stuff, but that is mostly not done on new services ^.^.
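The kind of link check described in the reply above, written as an added example (not the author's Discord service and not any frontend's code): it pulls URLs out of a post body in markdown or raw HTML form, blocks script-type schemes, and flags external or look-alike domains for a moderator. The sample post bodies and the trusted-domain list are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample post bodies (not real Hive posts): one clean, one with
# a javascript: link, a phishing-style external login page and a look-alike host.
SAMPLE_POSTS = {
    "clean": "Check out the new skate spot! ![pic](https://images.hive.blog/x.jpg) "
             "More on [PeakD](https://peakd.com/@someone/post).",
    "suspicious": "Claim your free HIVE here: [click](javascript:alert(1)) or "
                  "<a href=\"https://hive-airdrop.example.net/login\">login</a> "
                  "and [wallet](https://peakd.com.example.org/wallet).",
}

# Hypothetical allowlist of first-party domains; a real deployment would maintain its own.
TRUSTED_DOMAINS = {"peakd.com", "hive.blog", "images.hive.blog", "ecency.com"}

MARKDOWN_LINK = re.compile(r"\[[^\]]*\]\(\s*([^)\s]+)")                # [text](url) and ![alt](url)
HTML_HREF = re.compile(r"""<a\s[^>]*href\s*=\s*["']([^"']+)["']""", re.I)  # <a href="url">
BARE_URL = re.compile(r"\bhttps?://[^\s<>)\]\"']+", re.I)               # plain pasted URLs


def extract_urls(body):
    """Collect every link target in the post body, in order of first appearance."""
    found = MARKDOWN_LINK.findall(body) + HTML_HREF.findall(body) + BARE_URL.findall(body)
    seen, urls = set(), []
    for url in found:
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def classify_url(url):
    """Return (verdict, reason): 'block' for script schemes, 'flag' for review, 'ok' for trusted."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme in ("javascript", "data", "vbscript"):
        return ("block", f"dangerous scheme {scheme}:")
    if scheme not in ("http", "https"):
        return ("flag", f"unexpected scheme {scheme or '(none)'}")
    host = (parts.hostname or "").lower()
    if host in TRUSTED_DOMAINS:
        return ("ok", "trusted domain")
    for trusted in TRUSTED_DOMAINS:
        # "peakd.com.example.org" contains a trusted name but is not a subdomain of it
        if trusted in host and not host.endswith("." + trusted):
            return ("flag", f"look-alike of {trusted}")
    return ("flag", "external domain")


def scan_post(body):
    """List of (url, verdict, reason) tuples a moderation bot could post to a channel."""
    return [(url, *classify_url(url)) for url in extract_urls(body)]
```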
Hey, what do you test / look for ?
There is a new Hive front end being made (hivesnaps app) and I was wondering if it was safe, but sadly I don't have the required skills to test it.
I appreciate what you do trying to make HIVE a safer place for everyone. I don't understand it all either, but if someone brought it up to me I would work to get it fixed or find someone who could.
Thanks for your help.
Great job!
Thank you for what you do !
I like the idea of a bug bounty system, but at the same time I've seen bug bounties massively abused. The biggest issue is people with no expertise using widely available automated tools to find supposed vulnerabilities. They then email micro-businesses like my own exaggerating the risks and ignoring the fact that other mitigations might be in place (e.g. manual checks), demanding large payouts and saying they'll publicise what they found if the payout isn't received within 24/48/72 hours.
So for Hive, I think we need a bug bounty system designed to reward genuine bug hunters like yourself without opening it up to outsiders who just want to make a quick buck.
That rules out HBD rewards paid from the DHF, and even HP rewards could be put into the power down process as soon as received. So perhaps some kind of delegation pools could be set up; that way, it's the use of the delegation in curation over a period of time which generates the rewards. I know that's not a perfect solution, but it's the only one I can think of so far that keeps capital in the system while rewarding internal bug hunters!
awesome dude thank you for donating your time to help the skatehive strengthen its infrastructure! we owe ya one!
Want another mission?! 🤔
Sure, why not - if it fits my skillZ
How can I find you on discord?!
As with many things on Hive; people really appreciate what you do, but most of the people don't want (or cannot) reward you for it.
It is with posts like this that you can create awareness and rewards for the things you have done.