EOS account security risk: How the attack happens and how to defend against it?
The SlowMist security team warns of an EOS account security risk. The team points out that an EOS wallet developer must strictly check node confirmation (at least 15 confirming nodes) before informing the user that an account has been successfully created. If this is not checked properly, a fake account attack may occur.
How does the attack take place?
The attack can take place when a user registers an account through an EOS wallet and the wallet reports that registration succeeded, but because the check is not strict, the account has not actually been registered. The user then uses that account to withdraw funds from an exchange. If any party in the process is malicious, the user may end up withdrawing to an account that is not their own.
How to defend against the attack?
Poll the node and prompt success only after it returns the block information as irreversible. The specific technical process: call push_transaction to obtain the trx_id, then request the interface POST /v1/history/get_transaction and check that, in the returned parameters, block_num is less than or equal to last_irreversible_block, which means the block containing the transaction is irreversible.
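The check described above as an added example (not code from the article or from any EOS wallet): `naiveConfirm` is the weak check that trusts a trx_id from push_transaction, `confirmAccountCreation` polls until block_num is at or below last_irreversible_block, and `getTransaction`/`fakeNode` are a hypothetical injected function and a constructed simulator standing in for POST /v1/history/get_transaction.

```javascript
// The weak check the article warns about: treating a returned trx_id from
// push_transaction as "account created". The transaction may still be dropped in a fork.
function naiveConfirm(pushResult) {
  return typeof pushResult.transaction_id === 'string';
}

// Strict rule from the article: the trx is final only when block_num <= last_irreversible_block.
// `info` mirrors the fields of a get_transaction response; null means the node has no record of it.
function isIrreversible(info) {
  return info !== null &&
    Number.isInteger(info.block_num) &&
    Number.isInteger(info.last_irreversible_block) &&
    info.block_num <= info.last_irreversible_block;
}

// Poll until the transaction is irreversible or the poll budget runs out.
// A real wallet would sleep between polls; here each call to getTransaction is one poll,
// and block_num is re-read every time so a transaction moved by a microfork is re-evaluated.
function confirmAccountCreation(trxId, getTransaction, maxPolls = 20) {
  for (let poll = 1; poll <= maxPolls; poll++) {
    const info = getTransaction(trxId);
    if (isIrreversible(info)) {
      return { confirmed: true, polls: poll, block_num: info.block_num };
    }
  }
  return { confirmed: false, polls: maxPolls, block_num: null };
}

// Constructed simulator of a node's get_transaction (hypothetical, for this example only):
// the trx is included in `includedBlock`, the last irreversible block starts at `libStart`
// and advances by `libStep` per poll. From `dropAtPoll` on, the trx has been forked out and
// the node no longer knows it, which is the case the naive check cannot detect.
function fakeNode(includedBlock, libStart, libStep, dropAtPoll = Infinity) {
  let poll = 0;
  return function getTransaction(trxId) {
    poll++;
    if (poll >= dropAtPoll) return null;
    return {
      id: trxId,
      block_num: includedBlock,
      last_irreversible_block: libStart + libStep * (poll - 1),
    };
  };
}
```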
Recently, the blockchain security company PeckShield analyzed the security of EOS accounts and found that the secret keys some users were using posed serious security risks. They found that the main cause of the problem is that some secret key generation tools allow users to choose a weak mnemonic combination, and a secret key generated this way is more prone to "rainbow table" attacks. It can even lead to the theft of digital assets.
PeckShield wrote, “The essence of the risk is caused by an improper use of third-party EOS key-pair generation tools, including but not limited to EOSTEA. With user-provided seeds, these tools greatly facilitate users to generate their EOS key pairs.”
They also explained the risk, saying, “…if a simple seed is chosen (by the user) and allowed (by the tool), the generated keys might be exposed and exploited by launching the rainbow table attack (or dictionary attack).” They mentioned in their blog that, in order to protect affected holders, PeckShield will be launching a public service known as EOSRescuer.
Source: Huobi, More.top and WTF