Bitcoin Forum
November 04, 2024, 05:24:52 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: [1] 2 »  All
  Print  
Author Topic: There's a vulnerability found in MEW.  (Read 202 times)
Cobalt9317 (OP)
Copper Member
Sr. Member
****
Offline Offline

Activity: 434
Merit: 278

Offering Escrow 0.5 % fee


View Profile WWW
April 24, 2018, 05:05:57 PM
 #1

If someone know your wifi password it is quite possible to compromise everything about you including your MEW/any wallet available as of the moment I know how certain things work from a perspective of a white hat hacker but being unable to study it for a few days now.

Take care.

Reference: https://www.reddit.com/r/MyEtherWallet/comments/8ek0jj/think_i_got_scammedphishedhacked/
TryNinja
Legendary
*
Offline Offline

Activity: 3010
Merit: 7428


Top Crypto Casino


View Profile WWW
April 24, 2018, 10:16:33 PM
 #2

Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
teddy5145
Hero Member
*****
Offline Offline

Activity: 714
Merit: 528


View Profile
April 25, 2018, 02:42:30 AM
 #3

Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Wait, I thought MEW still connects to internet even when opened Locally.
You know, to load Tokens balance, create a new Token listing and to broadcast transactions?
Anyway, since it's DNS spoofing, we can easily tell when your MEW are being hijacked when the certificate returns as false Smiley
Cobalt9317 (OP)
Copper Member
Sr. Member
****
Offline Offline

Activity: 434
Merit: 278

Offering Escrow 0.5 % fee


View Profile WWW
April 25, 2018, 04:21:09 PM
 #4

I deem the way it was compromised is from javascripting someone inject the script like coinhive script if you sent ETH to an address it will be sent to the specified in the script.

Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Perhaps if you will only check the balance of your ETH.


TryNinja
Legendary
*
Offline Offline

Activity: 3010
Merit: 7428


Top Crypto Casino


View Profile WWW
April 25, 2018, 04:26:09 PM
 #5

Perhaps if you will only check the balance of your ETH.
Why? Can't you do everything in the local version - including creating and broadcasting transactions?

Are you saying that there are limitations?

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
BitMaxz
Legendary
*
Offline Offline

Activity: 3430
Merit: 3165


Playbet.io - Crypto Casino and Sportsbook


View Profile WWW
April 25, 2018, 10:05:32 PM
 #6

According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stop using mew past few months due to confused how their gas works when sending ethereum to another wallet it's always failed and I tried different gas limit, but same until my ethereum reduces my balance because of a failed transaction.

The only good thing in MEW its supports all tokens compared to other wallets.

I switch to metamask as of now I still did not experience any issue yet when sending ethereum and I use this wallet for receiving mined ethereum and bought tokens from ICO's projects.

███████████████
█████████████████████
██████▄▄███████████████
██████▐████▄▄████████████
██████▐██▀▀▀██▄▄█████████
████████▌█████▀██▄▄██████
██████████████████▌█████
█████████████▀▄██▀▀██████
██████▐██▄▄█▌███████████
██████▐████▀█████████████
██████▀▀███████████████
█████████████████████
███████████████

.... ..Playbet.io..Casino & Sportsbook.....Grab up to  BTC + 800 Free Spins........
████████████████████████████████████████
██████████████████████████████████████████████
██████▄▄████████████████████████████████████████
██████▐████▄▄█████████████████████████████████████
██████▐██▀▀▀██▄▄██████████████████████████████████
████████▌█████▀██▄▄█████▄███▄███▄███▄█████████████
██████████████████▌████▀░░██▌██▄▄▄██████████████
█████████████▀▄██▀▀█████▄░░██▌██▄░░▄▄████▄███████
██████▐██▄▄█▌██████████▀███▀███▀███▀███▀█████████
██████▐████▀██████████████████████████████████████
██████▀▀████████████████████████████████████████
██████████████████████████████████████████████
████████████████████████████████████████
Fatunad
Sr. Member
****
Offline Offline

Activity: 2296
Merit: 360


View Profile
April 25, 2018, 10:45:10 PM
 #7

According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stop using mew past few months due to confused how their gas works when sending ethereum to another wallet it's always failed and I tried different gas limit, but same until my ethereum reduces my balance because of a failed transaction.

The only good thing in MEW its supports all tokens compared to other wallets.

I switch to metamask as of now I still did not experience any issue yet when sending ethereum and I use this wallet for receiving mined ethereum and bought tokens from ICO's projects.
Been using MEW eversince when i do store up erc20 tokens but i havent experienced any issues on setting out gas even though they do make suggestion anytime of 21gwei but still you would able to push out with just 2 gwei on non-inflated network or do have lots of transactions.Lucky for me that everytime that MEW is compromised or do have attacks or issues i havent logged in my MEW accounts which i do avoid those possible loss of tokens.

Reading up on op,i didnt expect another vulnerability by just using up router or wifi connection. How possible? You cant broadcast transaction if connection is absent.
hahay
Legendary
*
Offline Offline

Activity: 3640
Merit: 1056


Leading Crypto Sports Betting & Casino Platform


View Profile
April 25, 2018, 11:58:42 PM
 #8

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
sunsilk
Hero Member
*****
Offline Offline

Activity: 3094
Merit: 634



View Profile
April 26, 2018, 06:33:21 AM
 #9

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).

St4yInTh3D4rk
Sr. Member
****
Offline Offline

Activity: 686
Merit: 264


"STAY IN THE DARK"


View Profile
April 26, 2018, 10:55:14 AM
 #10

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people so their actions may not be familiar for normal persons but MEW is not safe as paper wallet of hardware wallet so we never have to save big amount of funds in MEW.

But anyone knows what will be the solution for this?because MEW is the only wallet which supports all the tokens so what we havr to do now to secure our funds.

bustadice         ▄▄████████████▄▄
     ▄▄████████▀▀▀▀████████▄▄
   ▄███████████    ███████████▄
  █████    ████▄▄▄▄████    █████
 ██████    ████████▀▀██    ██████
██████████████████   █████████████
█████████████████▌  ▐█████████████
███    ██████████   ███████    ███
███    ████████▀   ▐███████    ███
██████████████      ██████████████
██████████████      ██████████████
 ██████████████▄▄▄▄██████████████
  ▀████████████████████████████▀
                     ▄▄███████▄▄
                  ▄███████████████▄
   ███████████  ▄████▀▀       ▀▀████▄
               ████▀      ██     ▀████
 ███████████  ████        ██       ████
             ████         ██        ████
███████████  ████     ▄▄▄▄██        ████
             ████     ▀▀▀▀▀▀        ████
 ███████████  ████                 ████
               ████▄             ▄████
   ███████████  ▀████▄▄       ▄▄████▀
                  ▀███████████████▀
                     ▀▀███████▀▀
           ▄██▄
           ████
            ██
            ▀▀
 ▄██████████████████████▄
██████▀▀██████████▀▀██████
█████    ████████    █████
█████▄  ▄████████▄  ▄█████
██████████████████████████
██████████████████████████
    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
       ████████████
[bustadice.
Play
bustadice]

Hero/Legendary
..bustadice..              ▄▄████████████▄▄
     ▄▄████████▀▀▀▀████████▄▄
   ▄███████████    ███████████▄
  █████    ████▄▄▄▄████    █████
 ██████    ████████▀▀██    ██████
██████████████████   █████████████
█████████████████▌  ▐█████████████
███    ██████████   ███████    ███
███    ████████▀   ▐███████    ███
██████████████      ██████████████
██████████████      ██████████████
 ██████████████▄▄▄▄██████████████
  ▀████████████████████████████▀
Oilacris
Hero Member
*****
Offline Offline

Activity: 3192
Merit: 621



View Profile
April 26, 2018, 01:43:26 PM
 #11

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).

Its okay to put up huge amount of ETH on our MEW wallet as long we didnt able to put up our private keys into a phishing site or being compromised by other people.There no way you can able to get the funds as long you dont have the key which we should really focus on keeping our private keys safe.
I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people so their actions may not be familiar for normal persons but MEW is not safe as paper wallet of hardware wallet so we never have to save big amount of funds in MEW.

But anyone knows what will be the solution for this?because MEW is the only wallet which supports all the tokens so what we havr to do now to secure our funds.
MEW is really popular when storing up Eth and other erc20 tokens which same as you said it does support all on most tokens thats why its primarily targeted by hackers due to lots of users do make coin storage.

Mister1k
Hero Member
*****
Offline Offline

Activity: 896
Merit: 520



View Profile
April 26, 2018, 05:23:16 PM
 #12

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people so their actions may not be familiar for normal persons but MEW is not safe as paper wallet of hardware wallet so we never have to save big amount of funds in MEW.

But anyone knows what will be the solution for this?because MEW is the only wallet which supports all the tokens so what we havr to do now to secure our funds.

I have around 4 tokens in my MEW wallet but I did not find the issue on having my tokens there. DNS issue will not be occur if you have no issue on the port side and accessing with the right URL.
I have read this news and found port is the problem and hackers may attack it.
But it is still a safe wallet according to me as I did not loose any money on MEW.
sunsilk
Hero Member
*****
Offline Offline

Activity: 3094
Merit: 634



View Profile
April 27, 2018, 01:25:13 AM
 #13

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).

Its okay to put up huge amount of ETH on our MEW wallet as long we didnt able to put up our private keys into a phishing site or being compromised by other people.There no way you can able to get the funds as long you dont have the key which we should really focus on keeping our private keys safe.
It's your opinion so I would respect your intuition that it's okay to put that huge amount of ETH in MEW.

The situation is that you are being redirected to a phishing link without knowing that the server was hacked and you are comfortable since it's the real and legit website of MEW but the case here is that the legit server, website was compromised.

If you still think that it's safe to pile your ETH on MEW, it's your choice not mine.

supermine
Hero Member
*****
Offline Offline

Activity: 826
Merit: 518


View Profile
April 28, 2018, 08:48:24 AM
 #14

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
Hackers are smart people so their actions may not be familiar for normal persons but MEW is not safe as paper wallet of hardware wallet so we never have to save big amount of funds in MEW.

But anyone knows what will be the solution for this?because MEW is the only wallet which supports all the tokens so what we havr to do now to secure our funds.

I have around 4 tokens in my MEW wallet but I did not find the issue on having my tokens there. DNS issue will not be occur if you have no issue on the port side and accessing with the right URL.
I have read this news and found port is the problem and hackers may attack it.
But it is still a safe wallet according to me as I did not loose any money on MEW.
I am also having some tokens on MEW but not in huge amount so hackers might not interested in it,but for the people who are investing largely in tokens to earn money in short term are need to be careful in storing their funds.But as far as I know MEW is bet for tokens if someone want to save only ETH we have so mny multi wallets which can be safe and we can add 2FA to increase the security.But if the fund is large then don't hesitate to spend $100 on buying the hardware wallet which is most secure wallet.
squatter
Legendary
*
Offline Offline

Activity: 1666
Merit: 1196


STOP SNITCHIN'


View Profile
April 28, 2018, 10:17:45 PM
 #15

The invalid SSL certificate should have been an obvious tip-off not to enter your keys. It's not a fail-safe, as SSL certificates can be faked, but this wasn't the most sophisticated hack.

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

Just to be clear, they did this by replacing the DNS entry? This is similar to the Etherdelta compromise a while back, correct?

If you are careful and you shouldn't put too much ETH in MEW.

You can run it locally and generate private keys and transactions on an offline machine. Transactions are a bit of a hassle because you have to manually adjust some things in the raw transactions. Using it like an online wallet (like Blockchain.info) was never particularly safe. The site or DNS registry could always be compromised and malicious code injected after users log in. This is true of Blockchain.info or Greenaddress.it as well.

As Greenaddress says on their "best practices" page:
Quote
Using a web wallet means that the underlying code can be changed at any moment. If your browser is compromised, or GreenAddress hacked, someone could hijack your session and steal your keys.

mobnepal
Legendary
*
Offline Offline

Activity: 1218
Merit: 1006


View Profile
April 30, 2018, 01:45:16 PM
 #16

I still find metamask toolbar pretty safe compared to MEW for my ETH but its bad that metamask still can't broadcast token's transaction so at end we have to rely on MEW to send tokens out of metamask.

MEW recently got their DNS hacked (as they claim) and many lost their ETH who have accessed site but didn't care about the invalid SSL certificate at the top during the hack.

SSL certificate is there to encrypt your input data like your private key so if their is no SSL on top of the site its better to not put any private data even if the URL is same like before.

Downloading MEW github and signing transaction locally is not that hard but many newbie might end up getting confused with all those things. We are born familiar with easy to navigate user interface in our payment wallet... Wink
Cobalt9317 (OP)
Copper Member
Sr. Member
****
Offline Offline

Activity: 434
Merit: 278

Offering Escrow 0.5 % fee


View Profile WWW
May 01, 2018, 08:30:05 AM
 #17

Easiest solution ever: Download the MEW source code from its GitHub repo (https://github.com/kvhnuke/etherwallet/releases) and always run it locally. No more DNS spoofing!
Wait, I thought MEW still connects to internet even when opened Locally.
You know, to load Tokens balance, create a new Token listing and to broadcast transactions?
Anyway, since it's DNS spoofing, we can easily tell when your MEW are being hijacked when the certificate returns as false Smiley

Technically yes in signing a transaction you do not need an internet connection AFAIK.

Perhaps if you will only check the balance of your ETH.
Why? Can't you do everything in the local version - including creating and broadcasting transactions?

Are you saying that there are limitations?

Yeah I'm only using version on github when I'm signing a transaction, and then change PC to broadcast the transaction.
In my side there is limitations.

According to the other comment from the pos, Google DNS is collecting data that can steal your ethereum.

Well, I stop using mew past few months due to confused how their gas works when sending ethereum to another wallet it's always failed and I tried different gas limit, but same until my ethereum reduces my balance because of a failed transaction.

The only good thing in MEW its supports all tokens compared to other wallets.

I switch to metamask as of now I still did not experience any issue yet when sending ethereum and I use this wallet for receiving mined ethereum and bought tokens from ICO's projects.
Google dns spoofing is false. as long as someone isn't manipulating your router you are good to go every time to make transaction and other stuff.

I have experienced the same fate where all my eth was consumed in a transaction fee that never been sent.

Been using MEW eversince when i do store up erc20 tokens but i havent experienced any issues on setting out gas even though they do make suggestion anytime of 21gwei but still you would able to push out with just 2 gwei on non-inflated network or do have lots of transactions.Lucky for me that everytime that MEW is compromised or do have attacks or issues i havent logged in my MEW accounts which i do avoid those possible loss of tokens.

Reading up on op,i didnt expect another vulnerability by just using up router or wifi connection. How possible? You cant broadcast transaction if connection is absent.
I even do have a different PC when accessing my mew funds luckily I don't even have much to worry about my router connection if it has been jockeyed or what not.

Using a different connection in where you possibly believe that the connection is very secure because it could increase the possibility of your funds being well protected  Roll Eyes

I am also having some tokens on MEW but not in huge amount so hackers might not interested in it,but for the people who are investing largely in tokens to earn money in short term are need to be careful in storing their funds.But as far as I know MEW is bet for tokens if someone want to save only ETH we have so mny multi wallets which can be safe and we can add 2FA to increase the security.But if the fund is large then don't hesitate to spend $100 on buying the hardware wallet which is most secure wallet.
Hardware wallet is good you only have to access the funds in it if necessary or you just have to whether to cash out something or need a financial support better late than sorry IMHO.

The invalid SSL certificate should have been an obvious tip-off not to enter your keys. It's not a fail-safe, as SSL certificates can be faked, but this wasn't the most sophisticated hack.
~snip~
That's what I'm talking about as long as your connection isn't compromised or the website in which you trust didn't jockeyed or something your funds is safer than your life.

Everyday black hat hackers are being ingenious to device something in a particular manner that even your browser couldn't even detect that there was something not right and you just know it when it happens.

I still find metamask toolbar pretty safe compared to MEW for my ETH but its bad that metamask still can't broadcast token's transaction so at end we have to rely on MEW to send tokens out of metamask.

MEW recently got their DNS hacked (as they claim) and many lost their ETH who have accessed site but didn't care about the invalid SSL certificate at the top during the hack.

SSL certificate is there to encrypt your input data like your private key so if their is no SSL on top of the site its better to not put any private data even if the URL is same like before.

Downloading MEW github and signing transaction locally is not that hard but many newbie might end up getting confused with all those things. We are born familiar with easy to navigate user interface in our payment wallet... Wink


It is just being hacked because some ppl always accessing their funds in mew and hackers find a way how to spoof their DNS but in theory DNS spoofing is only available if you have the same router connection or the hacker is well-versed.

Ilegendph
Full Member
***
Offline Offline

Activity: 434
Merit: 103


Thinking on the higher plane of existence.


View Profile WWW
May 02, 2018, 02:41:47 PM
 #18

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).


This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.

E C O S T A R T |                              telegram      twitter      facebook                     Instant and transparent
                                   WE CREATE A CRYPTOCURRENCY FOR OUR PLANET  ▬▬▬▬   financing of environmental
[   WHITEPAPER      ONEPAGER   ]                JOIN                               projects.     
reflector
Sr. Member
****
Offline Offline

Activity: 826
Merit: 263



View Profile
May 02, 2018, 07:19:21 PM
 #19

I do not understand how a hacker can find or break a private key in an online wallet like MEW just by knowing the password on WIFI. Yes, I do not know the hack world, but being careful about using passwords and keeping private keys is absolutely essential.
They hacked the DNS and attacked MEW through there and the hacker leads the users after visiting MEW redirecting them to a phishing site.

And in that case, that's how they collect data, private keys,JSON file, etc. that will allow them to gain access to the funds of the users.

If you are careful and you shouldn't put too much ETH in MEW.

This is how they did the attack and hack (Correct me if I'm wrong).


This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.

Hey etherdelta is the exchange it is not private key secured as I know. I do not know why you are comparing the exchange wallet with the MEW. These both are different variant mate.
I do not find the people using the wifi or on sharing network loosing their fund on MEW wallet. I have more 6 tokens in 2 MEW wallets but I did not get any issue. DNS spoofing is possible but how could accept that they can track your private key or json file.
If DNS changing means you are not on a right URL. If we make correct, we will not get the problem at all.
Cobalt9317 (OP)
Copper Member
Sr. Member
****
Offline Offline

Activity: 434
Merit: 278

Offering Escrow 0.5 % fee


View Profile WWW
May 03, 2018, 11:23:54 AM
 #20

This kind of problem is not new nowadays and in fact this method is the one used to attack etherdelta that caused great loss to both investor and the exchange site.
Stop spamming guys because of your paid signature please avoid that sort of behavior as it kind of sucks to feed anyone reading this with false information and misleading knowledge.

Your campaign manager could be a good person and pay you with 5 post in a week if s/he considers that your post really contributed something somehow rather than posting a 30 senseless reply.

Even if I don't know what happened to Etherdelta AFAIK just don't get (phished).

Hey etherdelta is the exchange it is not private key secured as I know. I do not know why you are comparing the exchange wallet with the MEW. These both are different variant mate.
I do not find the people using the wifi or on sharing network loosing their fund on MEW wallet. I have more 6 tokens in 2 MEW wallets but I did not get any issue. DNS spoofing is possible but how could accept that they can track your private key or json file.
If DNS changing means you are not on a right URL. If we make correct, we will not get the problem at all.
Wrong the cache of your google chrome or mozilla or whatever browser you are using could be steal and when you browse and log in to etherdelta somehow if I use the cache in your PC I am also log in with your etherdelta accoun in which case I can hurriedly withdraw all your funds.

And even if the withdrawal request goes to your email account I'll just go to that website and if you didn't clean your browsing history chances are indeed you are automatically log in with your gmail/yahoo/ or (any) email you've been using in a months.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!