
Topic: There's a vulnerability found in MEW. (Read 187 times)

hero member
Activity: 966
Merit: 513
May 04, 2018, 01:33:28 PM
#22
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Man-in-the-middle-attacks can capture post requests, hijack sessions, strip SSL connection and do other malicious attacks to steal your passwords. Be very careful with who you give access to your internet, never put your access-point on open.

You can check the SSL security certificate in your browser itself, and then hijacking a session is not that easy at all, but you can attack the wallet with the help of phishing sites which are similar to the MEW wallet.
If you enter your private key on the MEW copy, surely you will lose all your funds in that wallet.
I am not sure they will be able to steal the tokens without the Ethereum balance as well. If anyone can clarify on it, that would be better to understand.
sr. member
Activity: 518
Merit: 268
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Man-in-the-middle-attacks can capture post requests, hijack sessions, strip SSL connection and do other malicious attacks to steal your passwords. Be very careful with who you give access to your internet, never put your access-point on open.
copper member
Activity: 434
Merit: 278
Offering Escrow 0.5 % fee
This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.
Stop spamming, guys, because of your paid signature. Please avoid that sort of behavior, as it kind of sucks to feed anyone reading this with false information and misleading knowledge.

Your campaign manager could be a good person and pay you for 5 posts in a week if s/he considers that your posts really contributed something somehow, rather than posting 30 senseless replies.

Even if I don't know what happened to Etherdelta AFAIK just don't get (phished).

Hey, EtherDelta is an exchange; it is not private-key secured as far as I know. I do not know why you are comparing the exchange wallet with MEW. These are both different variants, mate.
I do not find people using WiFi or on a shared network losing their funds on the MEW wallet. I have more than 6 tokens in 2 MEW wallets but I did not get any issue. DNS spoofing is possible, but how could we accept that they can track your private key or JSON file?
If the DNS is changed, it means you are not on the right URL. If we get it correct, we will not have the problem at all.
Wrong, the cache of your Google Chrome or Mozilla or whatever browser you are using could be stolen, and when you browse and log in to EtherDelta, somehow if I use the cache on your PC I am also logged in with your EtherDelta account, in which case I can hurriedly withdraw all your funds.

And even if the withdrawal request goes to your email account, I'll just go to that website, and if you didn't clean your browsing history, chances are indeed you are automatically logged in with your Gmail/Yahoo/or (any) email you've been using for months.
sr. member
Activity: 826
Merit: 263
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys, JSON files, etc. that will allow them to gain access to the funds of the users.

If you are careful, you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).


This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.

Hey, EtherDelta is an exchange; it is not private-key secured as far as I know. I do not know why you are comparing the exchange wallet with MEW. These are both different variants, mate.
I do not find people using WiFi or on a shared network losing their funds on the MEW wallet. I have more than 6 tokens in 2 MEW wallets but I did not get any issue. DNS spoofing is possible, but how could we accept that they can track your private key or JSON file?
If the DNS is changed, it means you are not on the right URL. If we get it correct, we will not have the problem at all.
full member
Activity: 434
Merit: 103
Thinking on the higher plane of existence.
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys, JSON files, etc. that will allow them to gain access to the funds of the users.

If you are careful, you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).


This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.
copper member
Activity: 434
Merit: 278
Offering Escrow 0.5 % fee
Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Wait, I thought MEW still connects to the internet even when opened locally.
You know, to load token balances, create a new token listing and to broadcast transactions?
Anyway, since it's DNS spoofing, we can easily tell when your MEW is being hijacked when the certificate returns as false.

Technically yes, for signing a transaction you do not need an internet connection AFAIK.

Perhaps if you will only check the balance of your ETH.
Why? Can't you do everything in the local version - including creating and broadcasting transactions?

Are you saying that there are limitations?

Yeah, I'm only using the version on GitHub when I'm signing a transaction, and then I change PC to broadcast the transaction.
On my side there are limitations.

According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stopped using MEW the past few months because I was confused about how their gas works. When sending Ethereum to another wallet it always failed, and I tried different gas limits, but it was the same until my Ethereum balance was reduced because of a failed transaction.

The only good thing about MEW is that it supports all tokens compared to other wallets.

I switched to MetaMask. As of now I still have not experienced any issue when sending Ethereum, and I use this wallet for receiving mined Ethereum and tokens bought from ICO projects.
Google DNS spoofing is false. As long as someone isn't manipulating your router you are good to go every time to make transactions and other stuff.

I have experienced the same fate, where all my ETH was consumed in a transaction fee for a transaction that was never sent.

Been using MEW ever since I started storing ERC20 tokens, but I haven't experienced any issues with setting gas. Even though they always suggest 21 gwei, you would still be able to push it out with just 2 gwei on a non-inflated network or do have lots of transactions. Lucky for me that every time MEW is compromised or has attacks or issues I haven't logged in to my MEW accounts, so I avoid those possible losses of tokens.

Reading up on OP, I didn't expect another vulnerability by just using a router or WiFi connection. How is it possible? You can't broadcast a transaction if the connection is absent.
I even have a different PC for accessing my MEW funds. Luckily I don't have much to worry about regarding my router connection, whether it has been jockeyed or whatnot.

Using a different connection where you possibly believe that the connection is very secure, because it could increase the possibility of your funds being well protected.

I also have some tokens on MEW, but not a huge amount, so hackers might not be interested in it, but people who are investing largely in tokens to earn money in the short term need to be careful in storing their funds. But as far as I know MEW is best for tokens. If someone wants to save only ETH, we have so many multi wallets which can be safe, and we can add 2FA to increase the security. But if the fund is large then don't hesitate to spend $100 on buying a hardware wallet, which is the most secure wallet.
A hardware wallet is good. You only have to access the funds in it if necessary, or when you just have to cash out something or need financial support. Better late than sorry, IMHO.

The invalid SSL certificate should have been an obvious tip-off not to enter your keys. It's not a fail-safe, as SSL certificates can be faked, but this wasn't the most sophisticated hack.
~snip~
That's what I'm talking about: as long as your connection isn't compromised, or the website which you trust didn't get jockeyed or something, your funds are safer than your life.

Every day black hat hackers are being ingenious to devise something in a particular manner that even your browser couldn't detect that there was something not right, and you just know it when it happens.

I still find the MetaMask toolbar pretty safe compared to MEW for my ETH, but it's bad that MetaMask still can't broadcast token transactions, so in the end we have to rely on MEW to send tokens out of MetaMask.

MEW recently got their DNS hacked (as they claim), and many who accessed the site but didn't care about the invalid SSL certificate at the top during the hack lost their ETH.

The SSL certificate is there to encrypt your input data like your private key, so if there is no SSL on top of the site it's better not to put in any private data even if the URL is the same as before.

Downloading MEW from GitHub and signing transactions locally is not that hard, but many newbies might end up getting confused with all those things. We are born familiar with an easy-to-navigate user interface in our payment wallets...


It is just being hacked because some people are always accessing their funds in MEW and hackers find a way to spoof their DNS, but in theory DNS spoofing is only available if you have the same router connection or the hacker is well-versed.

legendary
Activity: 1218
Merit: 1006
April 30, 2018, 09:45:16 AM
#16
I still find the MetaMask toolbar pretty safe compared to MEW for my ETH, but it's bad that MetaMask still can't broadcast token transactions, so in the end we have to rely on MEW to send tokens out of MetaMask.

MEW recently got their DNS hacked (as they claim), and many who accessed the site but didn't care about the invalid SSL certificate at the top during the hack lost their ETH.

The SSL certificate is there to encrypt your input data like your private key, so if there is no SSL on top of the site it's better not to put in any private data even if the URL is the same as before.

Downloading MEW from GitHub and signing transactions locally is not that hard, but many newbies might end up getting confused with all those things. We are born familiar with an easy-to-navigate user interface in our payment wallets...
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
April 28, 2018, 06:17:45 PM
#15
The invalid SSL certificate should have been an obvious tip-off not to enter your keys. It's not a fail-safe, as SSL certificates can be faked, but this wasn't the most sophisticated hack.

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys, JSON files, etc. that will allow them to gain access to the funds of the users.

Just to be clear, they did this by replacing the DNS entry? This is similar to the Etherdelta compromise a while back, correct?

If you are careful, you shouldn't put too much ETH in MEW.

You can run it locally and generate private keys and transactions on an offline machine. Transactions are a bit of a hassle because you have to manually adjust some things in the raw transactions. Using it like an online wallet (like Blockchain.info) was never particularly safe. The site or DNS registry could always be compromised and malicious code injected after users log in. This is true of Blockchain.info or Greenaddress.it as well.

As Greenaddress says on their "best practices" page:
Quote
Using a web wallet means that the underlying code can be changed at any moment. If your browser is compromised, or GreenAddress hacked, someone could hijack your session and steal your keys.
hero member
Activity: 826
Merit: 518
April 28, 2018, 04:48:24 AM
#14
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people, so their actions may not be familiar to normal persons, but MEW is not as safe as a paper wallet or hardware wallet, so we never have to save a big amount of funds in MEW.

But does anyone know what the solution for this will be? Because MEW is the only wallet which supports all the tokens, so what do we have to do now to secure our funds?

I have around 4 tokens in my MEW wallet but I did not find any issue with having my tokens there. The DNS issue will not occur if you have no issue on the port side and are accessing with the right URL.
I have read this news and found the port is the problem and hackers may attack it.
But it is still a safe wallet according to me, as I did not lose any money on MEW.
I also have some tokens on MEW, but not a huge amount, so hackers might not be interested in it, but people who are investing largely in tokens to earn money in the short term need to be careful in storing their funds. But as far as I know MEW is best for tokens. If someone wants to save only ETH, we have so many multi wallets which can be safe, and we can add 2FA to increase the security. But if the fund is large then don't hesitate to spend $100 on buying a hardware wallet, which is the most secure wallet.
hero member
Activity: 2884
Merit: 620
April 26, 2018, 09:25:13 PM
#13
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys, JSON files, etc. that will allow them to gain access to the funds of the users.

If you are careful, you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).

It's okay to put a huge amount of ETH in our MEW wallet as long as we don't put our private keys into a phishing site or get compromised by other people. There is no way you can get the funds as long as you don't have the key, so we should really focus on keeping our private keys safe.
It's your opinion so I would respect your intuition that it's okay to put that huge amount of ETH in MEW.

The situation is that you are being redirected to a phishing link without knowing that the server was hacked and you are comfortable since it's the real and legit website of MEW but the case here is that the legit server, website was compromised.

If you still think that it's safe to pile your ETH on MEW, it's your choice not mine.
hero member
Activity: 896
Merit: 520
April 26, 2018, 01:23:16 PM
#12
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people, so their actions may not be familiar to normal persons, but MEW is not as safe as a paper wallet or hardware wallet, so we never have to save a big amount of funds in MEW.

But does anyone know what the solution for this will be? Because MEW is the only wallet which supports all the tokens, so what do we have to do now to secure our funds?

I have around 4 tokens in my MEW wallet but I did not find any issue with having my tokens there. The DNS issue will not occur if you have no issue on the port side and are accessing with the right URL.
I have read this news and found the port is the problem and hackers may attack it.
But it is still a safe wallet according to me, as I did not lose any money on MEW.
hero member
Activity: 2996
Merit: 609
April 26, 2018, 09:43:26 AM
#11
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys, JSON files, etc. that will allow them to gain access to the funds of the users.

If you are careful, you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).

It's okay to put a huge amount of ETH in our MEW wallet as long as we don't put our private keys into a phishing site or get compromised by other people. There is no way you can get the funds as long as you don't have the key, so we should really focus on keeping our private keys safe.
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people, so their actions may not be familiar to normal persons, but MEW is not as safe as a paper wallet or hardware wallet, so we never have to save a big amount of funds in MEW.

But does anyone know what the solution for this will be? Because MEW is the only wallet which supports all the tokens, so what do we have to do now to secure our funds?
MEW is really popular for storing ETH and other ERC20 tokens, which, same as you said, it does support all or most tokens. That's why it's primarily targeted by hackers, since lots of users use it for coin storage.
sr. member
Activity: 686
Merit: 264
"STAY IN THE DARK"
April 26, 2018, 06:55:14 AM
#10
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people, so their actions may not be familiar to normal persons, but MEW is not as safe as a paper wallet or hardware wallet, so we never have to save a big amount of funds in MEW.

But does anyone know what the solution for this will be? Because MEW is the only wallet which supports all the tokens, so what do we have to do now to secure our funds?
hero member
Activity: 2884
Merit: 620
April 26, 2018, 02:33:21 AM
#9
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys, JSON files, etc. that will allow them to gain access to the funds of the users.

If you are careful, you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).
legendary
Activity: 3458
Merit: 1055
Leading Crypto Sports Betting & Casino Platform
April 25, 2018, 07:58:42 PM
#8
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
sr. member
Activity: 2198
Merit: 347
April 25, 2018, 06:45:10 PM
#7
According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stopped using MEW the past few months because I was confused about how their gas works. When sending Ethereum to another wallet it always failed, and I tried different gas limits, but it was the same until my Ethereum balance was reduced because of a failed transaction.

The only good thing about MEW is that it supports all tokens compared to other wallets.

I switched to MetaMask. As of now I still have not experienced any issue when sending Ethereum, and I use this wallet for receiving mined Ethereum and tokens bought from ICO projects.
Been using MEW ever since I started storing ERC20 tokens, but I haven't experienced any issues with setting gas. Even though they always suggest 21 gwei, you would still be able to push it out with just 2 gwei on a non-inflated network or do have lots of transactions. Lucky for me that every time MEW is compromised or has attacks or issues I haven't logged in to my MEW accounts, so I avoid those possible losses of tokens.

Reading up on OP, I didn't expect another vulnerability by just using a router or WiFi connection. How is it possible? You can't broadcast a transaction if the connection is absent.
legendary
Activity: 3234
Merit: 2943
Block halving is coming.
April 25, 2018, 06:05:32 PM
#6
According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stopped using MEW the past few months because I was confused about how their gas works. When sending Ethereum to another wallet it always failed, and I tried different gas limits, but it was the same until my Ethereum balance was reduced because of a failed transaction.

The only good thing about MEW is that it supports all tokens compared to other wallets.

I switched to MetaMask. As of now I still have not experienced any issue when sending Ethereum, and I use this wallet for receiving mined Ethereum and tokens bought from ICO projects.
legendary
Activity: 2758
Merit: 6830
April 25, 2018, 12:26:09 PM
#5
Perhaps if you will only check the balance of your ETH.
Why? Can't you do everything in the local version - including creating and broadcasting transactions?

Are you saying that there are limitations?
copper member
Activity: 434
Merit: 278
Offering Escrow 0.5 % fee
April 25, 2018, 12:21:09 PM
#4
I deem the way it was compromised is from JavaScript: someone injects a script, like the Coinhive script, so that if you send ETH to an address it will be sent to the one specified in the script.

Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Perhaps if you will only check the balance of your ETH.


hero member
Activity: 714
Merit: 528
April 24, 2018, 10:42:30 PM
#3
Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Wait, I thought MEW still connects to the internet even when opened locally.
You know, to load token balances, create a new token listing and to broadcast transactions?
Anyway, since it's DNS spoofing, we can easily tell when your MEW is being hijacked when the certificate returns as false.
legendary
Activity: 2758
Merit: 6830
April 24, 2018, 06:16:33 PM
#2
Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
copper member
Activity: 434
Merit: 278
Offering Escrow 0.5 % fee
April 24, 2018, 01:05:57 PM
#1
If someone knows your WiFi password it is quite possible to compromise everything about you, including your MEW/any wallet available as of the moment. I know how certain things work from the perspective of a white hat hacker, but I have been unable to study it for a few days now.

Take care.

Reference: https://www.reddit.com/r/MyEtherWallet/comments/8ek0jj/think_i_got_scammedphishedhacked/