Someone’s scanning EOS nodes for accidentally exposed private keys

Posted: 1 June 2018 2:19 pm

Someone's wandering around EOS, looking for anyone who has left their keys hanging in the open.

It's generally a good idea to have a solid grasp of the technicals if you want to run a node, program blockchain machinery like wallets, or otherwise go deep. An ongoing scan of EOS nodes, by an unknown potential attacker, shows why.

GreyNoise Intelligence has found someone scanning EOS nodes in search of one very specific vulnerability.

What they're looking for

This scan is based on a GitHub issue posted about a week ago, which noted that the "/v1/wallet/list_keys" endpoint, the one the scanner is targeting, might reveal private keys.

The unknown scanner will most likely come up empty handed. The function was simply intended for ease of testing rather than use in a live environment, so anyone who's vulnerable to that particular issue has made a big mistake somewhere down the line or copy pasted code a little too carelessly.

This potential vulnerability isn't a flaw in EOS so much as a specific form of user error, much like how most home burglaries begin with someone wandering around looking for open windows and unlocked doors.
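For node operators who want to know whether this scan reached them, the following added example (not from the article or the EOS project) flags remote requests to the wallet API in an access log and separates harmless probes from requests that got an answer. It assumes an HTTP reverse proxy in front of the node writing nginx "combined" format logs; the function name and the sample log lines are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in nginx "combined" format (assumed proxy in front of the node).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2018:09:12:44 +0000] "POST /v1/wallet/list_keys HTTP/1.1" 404 162 "-" "python-requests/2.18.4"
127.0.0.1 - - [01/Jun/2018:09:13:01 +0000] "POST /v1/wallet/list_keys HTTP/1.1" 200 311 "-" "curl/7.58.0"
198.51.100.23 - - [01/Jun/2018:09:15:10 +0000] "POST /v1/chain/get_info HTTP/1.1" 200 540 "-" "curl/7.58.0"
198.51.100.23 - - [01/Jun/2018:09:15:12 +0000] "POST /v1/wallet/list_keys HTTP/1.1" 200 311 "-" "curl/7.58.0"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WALLET_PREFIX = "/v1/wallet/"  # covers list_keys and every other wallet API path


def find_wallet_probes(log_text):
    """Return one finding per non-loopback request to the wallet API."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string and collapse repeated slashes before matching.
        path = re.sub(r"/+", "/", m["path"].split("?", 1)[0])
        if not path.startswith(WALLET_PREFIX):
            continue
        try:
            if ip_address(m["src"]).is_loopback:
                continue  # local testing use, which is what the endpoint was meant for
        except ValueError:
            pass  # source field is not an IP address: treat it as remote
        status = int(m["status"])
        findings.append({
            "src": m["src"], "time": m["ts"], "path": path, "status": status,
            # A 2xx reply means the wallet API answered a remote caller.
            "severity": "EXPOSED" if 200 <= status < 300 else "probe",
        })
    return findings


if __name__ == "__main__":
    for f in find_wallet_probes(SAMPLE_LOG):
        print(f'{f["severity"]:8} {f["src"]:15} {f["time"]}  {f["path"]} -> {f["status"]}')
```

Any "EXPOSED" finding means keys held in that wallet should be treated as compromised and the wallet API should be restricted to loopback or disabled on the public-facing node.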

It's not related to the recently discovered, quickly repaired and incredibly devastating EOS vulnerability which actually was an issue with EOS itself.

It's interesting to note that this shows attackers are delving into GitHub looking for exploitable bugs, although it's reassuring that it took them about a week to get around to it and that they'll most likely come up empty handed. It might be worth a shot though. Everyone makes mistakes, and if they get lucky, there's a potential for a big payday at the end of the scanning.

These kinds of scans aren't unique to EOS, or even to blockchain technology. Rather they're more like the constant background noise of the Internet. Attackers are constantly scanning ports across the Internet looking for vulnerabilities and any opportunity to pick up any kind of potentially profitable information.

"Honeypot" ports around the Internet are constantly subjected to these kinds of probes, although cryptocurrency networks tend to be probed more hungrily than the Internet as a whole. This is probably because vulnerabilities on a blockchain might lead an attacker to a huge payday, rather than just some dusty old passwords or a backdoor into an abandoned website or something.

These EOS scans probably aren't anything to worry about. For those who do need to worry, it's probably already too late.

Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and NANO.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.
