This isn't some sort of fancy cryptocontract based attack. The private key is just stored as a JavaScript object in the session and an attacker found and exploited a reflected XSS vulnerability to send off the key.
Even if you're not sending your private key to the server directly surely some people must have made these users aware of the risks they were taking? Not only XSS risks, but risks of a rogue admin or backend compromise injecting malicious JS.
Google has a good introduction to using them here: https://csp.withgoogle.com/
CSP doesn't mean that people should forget about proper HTML encoding of user input, but it means that when a developer messes that up somewhere, the issue is generally a minor formatting glitch rather than an exploitable flaw that lets attackers do whatever they want with users' browsers within your domain (like steal thousands of dollars). It's some invaluable defense-in-depth.
Even "in concept", releasing fintech software without doing the security basics verges on professional misconduct.
https://news.ycombinator.com/item?id=15321015
"I put it to you that it’s impossible to write secure web apps."
Maybe it's time to refine some of these ideas? While regular money does get stolen, maybe storing it online isn't the best method? Maybe requiring some human interaction is a good idea?
At this point, I can't really justify investing in any cryptocurrency. I'm absolutely unable to justify investing in any ICO.
If I opened a contract and my PayPal balance disappeared, I'd be pretty angry and might have some recourse. I'd absolutely have some options if it were with my credit/debit card or directly through my bank.
Good luck, folks. I'm still going to maintain the wait-and-see approach.
What's the fun in that?
Did Samy say "Maybe I should ask the user if they want to friend me"? NO! He said "People want to friend me" and "LOL MYSPACE XSS", then became the most popular person on the network overnight.
After Tom, of course, who cheated.
Hugh hype was created.
Last time: It was safe because it was back by mortgage.
This time: It is safe because it is back by crypto algorithm.
Last time few smart insiders got billions richer and unload everything before the bubble burst.
And the time ...... (Love to see all imaginable endings to this time's story - good or bad)
I'd do the same with cryptocurrency, but I can't figure out how. My 2008 investments were pretty risk-free. Of course the economy was going to recover. It always does.
I've no idea how to do that with cryptocurrency.
If you look at the kind of attacks that happen I feel like two major problems came from the fact that addresses can be real account addresses or contracts (it could have been good to segregate them) and errors/exceptions don't propagate well.
Code will always have bugs, and you cannot truly understand how something written in a Turing complete language will behave without running it.
> very painful tool if mishandled
Part of being a skilled craftsman is choosing the right tools, which includes understanding and respecting their limits. The language for writing contracts makes all state mutable by default, has ambiguous operators that change behavior depending on storage location or if the operand was a literal, and doesn't defined the order of evaluation for expressions, to name just a few of it's design problems[1]. This isn't a "useful tool:", it's a strong indicator of a another fractal of bad design[2].
The article is out of date. People are saying the amount is now $6 billion.
> Which as of this writing, has over $130,000 worth of Ethereum and over 88,000 transactions.
[1] https://medium.com/@decktonic/following-the-trail-what-we-kn...
