Author

Topic: There's a vulnerability found in MEW. (Read 209 times)

hero member
Activity: 966
Merit: 513
May 04, 2018, 12:33:28 PM
#22
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Man-in-the-middle-attacks can capture post requests, hijack sessions, strip SSL connection and do other malicious attacks to steal your passwords. Be very careful with who you give access to your internet, never put your access-point on open.

You can check the SSL security certificate on your browser itself and then hijacking session is not at all that much easy but you can attack the wallet with the help of phishing sites which is similar like the MEW wallet.
If you enter your private key on the MEW copy, surely you will loose all your fund on that wallet.
I am not sure they will be able to steel the tokens without the ethereum balance as well. If any one clarify on it. That would be better to understand.
sr. member
Activity: 518
Merit: 268
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Man-in-the-middle-attacks can capture post requests, hijack sessions, strip SSL connection and do other malicious attacks to steal your passwords. Be very careful with who you give access to your internet, never put your access-point on open.
copper member
Activity: 434
Merit: 278
Offering Escrow 0.5 % fee
This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.
Stop spamming guys because of your paid signature please avoid that sort of behavior as it kind of sucks to feed anyone reading this with false information and misleading knowledge.

Your campaign manager could be a good person and pay you with 5 post in a week if s/he considers that your post really contributed something somehow rather than posting a 30 senseless reply.

Even if I don't know what happened to Etherdelta AFAIK just don't get (phished).

Hey etherdelta is the exchange it is not private key secured as I know. I do not know why you are comparing the exchange wallet with the MEW. These both are different variant mate.
I do not find the people using the wifi or on sharing network loosing their fund on MEW wallet. I have more 6 tokens in 2 MEW wallets but I did not get any issue. DNS spoofing is possible but how could accept that they can track your private key or json file.
If DNS changing means you are not on a right URL. If we make correct, we will not get the problem at all.
Wrong the cache of your google chrome or mozilla or whatever browser you are using could be steal and when you browse and log in to etherdelta somehow if I use the cache in your PC I am also log in with your etherdelta accoun in which case I can hurriedly withdraw all your funds.

And even if the withdrawal request goes to your email account I'll just go to that website and if you didn't clean your browsing history chances are indeed you are automatically log in with your gmail/yahoo/ or (any) email you've been using in a months.
sr. member
Activity: 826
Merit: 263
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).


This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.

Hey etherdelta is the exchange it is not private key secured as I know. I do not know why you are comparing the exchange wallet with the MEW. These both are different variant mate.
I do not find the people using the wifi or on sharing network loosing their fund on MEW wallet. I have more 6 tokens in 2 MEW wallets but I did not get any issue. DNS spoofing is possible but how could accept that they can track your private key or json file.
If DNS changing means you are not on a right URL. If we make correct, we will not get the problem at all.
full member
Activity: 434
Merit: 103
Thinking on the higher plane of existence.
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).


This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.
copper member
Activity: 434
Merit: 278
Offering Escrow 0.5 % fee
Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Wait, I thought MEW still connects to internet even when opened Locally.
You know, to load Tokens balance, create a new Token listing and to broadcast transactions?
Anyway, since it's DNS spoofing, we can easily tell when your MEW are being hijacked when the certificate returns as false Smiley

Technically yes in signing a transaction you do not need an internet connection AFAIK.

Perhaps if you will only check the balance of your ETH.
Why? Can't you do everything in the local version - including creating and broadcasting transactions?

Are you saying that there are limitations?

Yeah I'm only using version on github when I'm signing a transaction, and then change PC to broadcast the transaction.
In my side there is limitations.

According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stop using mew past few months due to confused how their gas works when sending ethereum to another wallet it's always failed and I tried different gas limit, but same until my ethereum reduces my balance because of a failed transaction.

The only good thing in MEW its supports all tokens compared to other wallets.

I switch to metamask as of now I still did not experience any issue yet when sending ethereum and I use this wallet for receiving mined ethereum and bought tokens from ICO's projects.
Google dns spoofing is false. as long as someone isn't manipulating your router you are good to go every time to make transaction and other stuff.

I have experienced the same fate where all my eth was consumed in a transaction fee that never been sent.

Been using MEW eversince when i do store up erc20 tokens but i havent experienced any issues on setting out gas even though they do make suggestion anytime of 21gwei but still you would able to push out with just 2 gwei on non-inflated network or do have lots of transactions.Lucky for me that everytime that MEW is compromised or do have attacks or issues i havent logged in my MEW accounts which i do avoid those possible loss of tokens.

Reading up on op,i didnt expect another vulnerability by just using up router or wifi connection. How possible? You cant broadcast transaction if connection is absent.
I even do have a different PC when accessing my mew funds luckily I don't even have much to worry about my router connection if it has been jockeyed or what not.

Using a different connection in where you possibly believe that the connection is very secure because it could increase the possibility of your funds being well protected  Roll Eyes

I am also having some tokens on MEW but not in huge amount so hackers might not interested in it,but for the people who are investing largely in tokens to earn money in short term are need to be careful in storing their funds.But as far as I know MEW is bet for tokens if someone want to save only ETH we have so mny multi wallets which can be safe and we can add 2FA to increase the security.But if the fund is large then don't hesitate to spend $100 on buying the hardware wallet which is most secure wallet.
Hardware wallet is good you only have to access the funds in it if necessary or you just have to whether to cash out something or need a financial support better late than sorry IMHO.

The invalid SSL certificate should have been an obvious tip-off not to enter your keys. It's not a fail-safe, as SSL certificates can be faked, but this wasn't the most sophisticated hack.
~snip~
That's what I'm talking about as long as your connection isn't compromised or the website in which you trust didn't jockeyed or something your funds is safer than your life.

Everyday black hat hackers are being ingenious to device something in a particular manner that even your browser couldn't even detect that there was something not right and you just know it when it happens.

I still find metamask toolbar pretty safe compared to MEW for my ETH but its bad that metamask still can't broadcast token's transaction so at end we have to rely on MEW to send tokens out of metamask.

MEW recently got their DNS hacked (as they claim) and many lost their ETH who have accessed site but didn't care about the invalid SSL certificate at the top during the hack.

SSL certificate is there to encrypt your input data like your private key so if their is no SSL on top of the site its better to not put any private data even if the URL is same like before.

Downloading MEW github and signing transaction locally is not that hard but many newbie might end up getting confused with all those things. We are born familiar with easy to navigate user interface in our payment wallet... Wink


It is just being hacked because some ppl always accessing their funds in mew and hackers find a way how to spoof their DNS but in theory DNS spoofing is only available if you have the same router connection or the hacker is well-versed.

legendary
Activity: 1218
Merit: 1006
April 30, 2018, 08:45:16 AM
#16
I still find metamask toolbar pretty safe compared to MEW for my ETH but its bad that metamask still can't broadcast token's transaction so at end we have to rely on MEW to send tokens out of metamask.

MEW recently got their DNS hacked (as they claim) and many lost their ETH who have accessed site but didn't care about the invalid SSL certificate at the top during the hack.

SSL certificate is there to encrypt your input data like your private key so if their is no SSL on top of the site its better to not put any private data even if the URL is same like before.

Downloading MEW github and signing transaction locally is not that hard but many newbie might end up getting confused with all those things. We are born familiar with easy to navigate user interface in our payment wallet... Wink
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
April 28, 2018, 05:17:45 PM
#15
The invalid SSL certificate should have been an obvious tip-off not to enter your keys. It's not a fail-safe, as SSL certificates can be faked, but this wasn't the most sophisticated hack.

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

Just to be clear, they did this by replacing the DNS entry? This is similar to the Etherdelta compromise a while back, correct?

If you are careful and you shouldn't put too much ETH in MEW.

You can run it locally and generate private keys and transactions on an offline machine. Transactions are a bit of a hassle because you have to manually adjust some things in the raw transactions. Using it like an online wallet (like Blockchain.info) was never particularly safe. The site or DNS registry could always be compromised and malicious code injected after users log in. This is true of Blockchain.info or Greenaddress.it as well.

As Greenaddress says on their "best practices" page:
Quote
Using a web wallet means that the underlying code can be changed at any moment. If your browser is compromised, or GreenAddress hacked, someone could hijack your session and steal your keys.
hero member
Activity: 826
Merit: 518
April 28, 2018, 03:48:24 AM
#14
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people so their actions may not be familiar for normal persons but MEW is not safe as paper wallet of hardware wallet so we never have to save big amount of funds in MEW.

But anyone knows what will be the solution for this?because MEW is the only wallet which supports all the tokens so what we havr to do now to secure our funds.

I have around 4 tokens in my MEW wallet but I did not find the issue on having my tokens there. DNS issue will not be occur if you have no issue on the port side and accessing with the right URL.
I have read this news and found port is the problem and hackers may attack it.
But it is still a safe wallet according to me as I did not loose any money on MEW.
I am also having some tokens on MEW but not in huge amount so hackers might not interested in it,but for the people who are investing largely in tokens to earn money in short term are need to be careful in storing their funds.But as far as I know MEW is bet for tokens if someone want to save only ETH we have so mny multi wallets which can be safe and we can add 2FA to increase the security.But if the fund is large then don't hesitate to spend $100 on buying the hardware wallet which is most secure wallet.
hero member
Activity: 3038
Merit: 634
April 26, 2018, 08:25:13 PM
#13
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).

Its okay to put up huge amount of ETH on our MEW wallet as long we didnt able to put up our private keys into a phishing site or being compromised by other people.There no way you can able to get the funds as long you dont have the key which we should really focus on keeping our private keys safe.
It's your opinion so I would respect your intuition that it's okay to put that huge amount of ETH in MEW.

The situation is that you are being redirected to a phishing link without knowing that the server was hacked and you are comfortable since it's the real and legit website of MEW but the case here is that the legit server, website was compromised.

If you still think that it's safe to pile your ETH on MEW, it's your choice not mine.
hero member
Activity: 896
Merit: 520
April 26, 2018, 12:23:16 PM
#12
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people so their actions may not be familiar for normal persons but MEW is not safe as paper wallet of hardware wallet so we never have to save big amount of funds in MEW.

But anyone knows what will be the solution for this?because MEW is the only wallet which supports all the tokens so what we havr to do now to secure our funds.

I have around 4 tokens in my MEW wallet but I did not find the issue on having my tokens there. DNS issue will not be occur if you have no issue on the port side and accessing with the right URL.
I have read this news and found port is the problem and hackers may attack it.
But it is still a safe wallet according to me as I did not loose any money on MEW.
hero member
Activity: 2996
Merit: 609
April 26, 2018, 08:43:26 AM
#11
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).

Its okay to put up huge amount of ETH on our MEW wallet as long we didnt able to put up our private keys into a phishing site or being compromised by other people.There no way you can able to get the funds as long you dont have the key which we should really focus on keeping our private keys safe.
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people so their actions may not be familiar for normal persons but MEW is not safe as paper wallet of hardware wallet so we never have to save big amount of funds in MEW.

But anyone knows what will be the solution for this?because MEW is the only wallet which supports all the tokens so what we havr to do now to secure our funds.
MEW is really popular when storing up Eth and other erc20 tokens which same as you said it does support all on most tokens thats why its primarily targeted by hackers due to lots of users do make coin storage.
sr. member
Activity: 686
Merit: 264
"STAY IN THE DARK"
April 26, 2018, 05:55:14 AM
#10
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people so their actions may not be familiar for normal persons but MEW is not safe as paper wallet of hardware wallet so we never have to save big amount of funds in MEW.

But anyone knows what will be the solution for this?because MEW is the only wallet which supports all the tokens so what we havr to do now to secure our funds.
hero member
Activity: 3038
Merit: 634
April 26, 2018, 01:33:21 AM
#9
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).
legendary
Activity: 3486
Merit: 1055
Leading Crypto Sports Betting & Casino Platform
April 25, 2018, 06:58:42 PM
#8
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
sr. member
Activity: 2226
Merit: 347
April 25, 2018, 05:45:10 PM
#7
According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stop using mew past few months due to confused how their gas works when sending ethereum to another wallet it's always failed and I tried different gas limit, but same until my ethereum reduces my balance because of a failed transaction.

The only good thing in MEW its supports all tokens compared to other wallets.

I switch to metamask as of now I still did not experience any issue yet when sending ethereum and I use this wallet for receiving mined ethereum and bought tokens from ICO's projects.
Been using MEW eversince when i do store up erc20 tokens but i havent experienced any issues on setting out gas even though they do make suggestion anytime of 21gwei but still you would able to push out with just 2 gwei on non-inflated network or do have lots of transactions.Lucky for me that everytime that MEW is compromised or do have attacks or issues i havent logged in my MEW accounts which i do avoid those possible loss of tokens.

Reading up on op,i didnt expect another vulnerability by just using up router or wifi connection. How possible? You cant broadcast transaction if connection is absent.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
April 25, 2018, 05:05:32 PM
#6
According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stop using mew past few months due to confused how their gas works when sending ethereum to another wallet it's always failed and I tried different gas limit, but same until my ethereum reduces my balance because of a failed transaction.

The only good thing in MEW its supports all tokens compared to other wallets.

I switch to metamask as of now I still did not experience any issue yet when sending ethereum and I use this wallet for receiving mined ethereum and bought tokens from ICO's projects.
legendary
Activity: 2758
Merit: 6830
April 25, 2018, 11:26:09 AM
#5
Perhaps if you will only check the balance of your ETH.
Why? Can't you do everything in the local version - including creating and broadcasting transactions?

Are you saying that there are limitations?
copper member
Activity: 434
Merit: 278
Offering Escrow 0.5 % fee
April 25, 2018, 11:21:09 AM
#4
I deem the way it was compromised is from javascripting someone inject the script like coinhive script if you sent ETH to an address it will be sent to the specified in the script.

Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Perhaps if you will only check the balance of your ETH.


hero member
Activity: 714
Merit: 528
April 24, 2018, 09:42:30 PM
#3
Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Wait, I thought MEW still connects to internet even when opened Locally.
You know, to load Tokens balance, create a new Token listing and to broadcast transactions?
Anyway, since it's DNS spoofing, we can easily tell when your MEW are being hijacked when the certificate returns as false Smiley
legendary
Activity: 2758
Merit: 6830
April 24, 2018, 05:16:33 PM
#2
Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
copper member
Activity: 434
Merit: 278
Offering Escrow 0.5 % fee
April 24, 2018, 12:05:57 PM
#1
If someone know your wifi password it is quite possible to compromise everything about you including your MEW/any wallet available as of the moment I know how certain things work from a perspective of a white hat hacker but being unable to study it for a few days now.

Take care.

Reference: https://www.reddit.com/r/MyEtherWallet/comments/8ek0jj/think_i_got_scammedphishedhacked/
Jump to: