If you hold any of the coins in this image, you better sit the fuck down because the devs likely have your private keys. We have not publicly posted about this anywhere except the slacks; you guys are in for a FUCKING TREAT.
Me and Chang discovered this because of an old deprecated ARK api endpoint. We noticed that your private key was being broadcast to the dev team's main node. After speaking with the ARK devs, we were told that they found out about this old VERY BAD endpoint shortly after they forked from LISK, and that LISK still uses it AND DID NOT CARE (see image in my next reply).
Okay I guess. I don't give a shit about LISK. If their delegates want to send their private keys to the devs, why should I care? But then I heard about RISE and people wanted us to start a delegate, so we began to do our due diligence...
After doing some further digging, the rabbit hole seems to go far far deeper than we originally thought. Out of all four of the coins, only ARK is not affected by this because they spotted it and removed it.
IF YOU OWN LISK, SHIFT, OR RISE, ALL THEIR WEB WALLETS SEND YOUR PRIVATE KEY IN PLAIN TEXT TO THE SERVER. THIS MEANS THAT THE DEVS HAVE ACCESS TO YOUR PRIVATE KEY AND COINS.
But, it's even better than this. The official LISK API broadcasts your private key to the dev's main node, so delegate keys are sent to them every time a delegate makes a transaction.
LISK-Nano does this too. RISE has no desktop wallet and their web wallet is currently the only way to access your coins. Both the new AND old chains of RISE are affected.
SHIFT's web wallet, same deal. This is probably why ARK opted to not have a web wallet.
Instead of client-side signing, ALL OF THESE CRYPTOS SEND YOUR KEYS OUT IN PLAINTEXT.
Here's the EXACT code to show you, because I'm sure the flood of "ARK SHILLS" is gonna come streaming in. Anyone who can read code can verify this for themselves. Here's the code shared between ALL of these coins:
LISK-Nano is a "light" wallet and doesn't host a node on localhost, so the key is broadcast in plaintext.
SHIFT doesn't even have a desktop wallet.
RISE has no desktop wallet, but they're working on an ARK clone desktop wallet, which is SECURE. However, the web wallet is not.
If you are holding these coins and have ever used the web wallet or the official API, you are compromised.
If you are a DELEGATE on any of these coins and have sent ANY transaction out, you are compromised.
The second passphrase feature of these coins does the same thing - your second passphrase is sent in plaintext to the dev nodes so they can sign and broadcast.
LISK is primarily to blame for this. They knew about this for YEARS and did nothing and didn't care (see screenshot in next reply).
Buckle up, it's gonna be a bumpy ride.
Image is LISK claiming it's "not a bug" to have your private key sent out, because "they encrypt it". They don't think this is a problem.
Asher Roberts
So you're saying short this shit right this second?
Ayden Collins
Friend, please stop the lies spreading
Isaac Hall
Image of Chang's conversation with the lead ARK dev, who claims that LISK was notified and does not care.
Cameron Powell
Bump
Josiah Bailey
thanks rakesh
Angel Russell
I m not a rakesh, please
Jonathan Kelly
Buy ark it will moon
Brandon Flores
Here is an example anyone can do. Go to any of the web wallets, and login. Now press F12, go to the network tab and search for /accounts/open, and scroll down to "request payload". You will see your private key in plaintext, being sent over to their website.
LISK, RISE, and SHIFT all do this.
This is likely why ARK does not have a web wallet. The entire wallet would need to be rewritten to use client-side crypto in order for it to work. The devs were too lazy or simply didn't care that you send them their keys each time you use the wallets.
Isaac Peterson
Is very good coin will feed family
Andrew Green
Buy RISE and LISK. They are good, unlike ARK
Jose Collins
Yes, this man has the correct thoughts
Bentley Evans
...
Asher Morales
Will go all the way to Jupiter, buy ark on bittrex
Justin Baker
Honestly this image baffles me.
They really think encrypting the data solves anything? You're still sending off your private key to the devs. A rogue dev or sysadmin can easily empty everyone's wallets if he wanted to.
Jack Foster
this is what happens when webshits think they can (((program))) you can see how shit LISK is from a mile away even before this brainlets will deny this
Nathan Gomez
Oh and DNS poisoning
Xavier Russell
check the discord im about to post all the keys in 2mins
Thomas Smith
You guys better listen to the OP. He seems to know what he's talking about.
Landon Wright
Plz buy ark guys together we will moon to past the moon
Joshua Brooks
Thanks. The only reason I haven't withdrawn my shift from bittrex to the online wallet was pure laziness. I was probably going to do it in the next couple of days, so you've potentially really saved me there. Although this does make me wonder whether I want to hold it at all.
Eli Bailey
Thank you moon man & uncle Chang for doing your due diligence and keeping /biz in the loop!
How the fuck do you short this??? What exchange offers margin on shitcoins?
Thank you based moonman and Chang for posting this
Alexander Jenkins
Bump people need to see this
Robert Ortiz
I'm just over here trying to eat my newly opened bottle of glue.
Can someone explain to me what is going on?
Josiah Cooper
Shift, rise, lisk devs have most people's keys. It's probably not malicious and is just gross negligence, but a simple dns hijack or a rogue dev could literally clean out the entire network.
Lincoln Nelson
hmmm... why wasn't the FUD this intense for LSK and SHIFT then?
why did u goys let LSK get to $250mil market cap???
Parker Torres
***$400mil market cap peak
Blake James
Hahaha, I wonder if the devs have realized that yet?
Kayden Rogers
We're not the first ones to sound the alarm on this.
Perhaps the latest and loudest but certainly not the first ones. Francois, the Ark dev, sounded it a long time ago.
Josiah Brooks
thanks will try to use this to steal lisk can you guys help me make it work?
Nolan Young
>lard faggots making these FUD posts about small caps >doesn't remember that millions of ETH got stolen and the network get compromised almost weekly
keep trying faggots. you will not stop the RISE moon mission. :)
Mason Clark
Bump.
Cameron Peterson
hopefully secure coins will increase because ppl will just accept that buying gay shitcoins that are used for nothing is pointless
Bentley Robinson
I see, so rather than create a transaction and just send that, they have you send your private key instead?
Aaron Stewart
>given evidence yet still shoves his fingers in the electrical socket anyways.
Carson Carter
When has Veeky Forums ever been right?
Whatever biz shills, the complete opposite happens.
Matthew Green
That's exactly what happens.
John Green
Yup.
Ryder Brooks
Stage 1: Denial
Asher Jenkins
I'd call it centralized. What you're talking about is more like a problem crypto is supposed to solve. For instance, Credit card data has to be sent through a Post request, you can't work your way around it. With that in mind you have to be careful of every single site being secure with your CC info. Generally, they state they don't store the data, but you can't really know for certain.
However, with crypto you shouldn't have this problem and it shows a clear laziness on the part of the devs.
Noah Cook
...
Kayden Ross
I like how you think we're supposed to know who you and your chink friend named Chang are.
Ryder Moore
ETH
John Richardson
They're the biz_classic delegates...literally be here less than two days and you would know that.
Bentley Sanchez
>not knowing about HWNDU
>not knowing about the biz_classic delegate
Jonathan Perry
Lurk more, newfag
Evan Clark
The problem is this extends past laziness.
Every coin that forked off LISK is vulnerable only because they didn't bother to check or fix their code either.
If one dev goes rogue he can kill the coin's price and even render the entire network unusable (because delegate keys are compromised too).
If ANY of the main servers EVER get hacked, it doesn't just become a "small website hack". It becomes a looting spree where everyone logging in would have their keys stolen.
There's a reason web wallets are unsafe and should never be used. In this case, the problem is two-fold because now not only are you susceptible to hacked javascript payloads, but the code to farm your keys is already there by default.
Bentley Richardson
So, as someone who has 10k RISE in bittrex, should I count my losses now and get the fuck out?
Grayson Reed
I think the question on all our minds is are you guys gonna go public with this?
We could actually organize a mass biz Exodus from those coins into a nice healthy ark pump.
Ryan Long
Personally, this type of negligence would lead me to stay far away from any of the three coins.
LISK is the biggest offender here.
RISE is releasing a secure desktop wallet that's a fork of ARK, which is safe to use.
You'll have to make your own read. Just make sure you never touch the web wallets until it's confirmed fixed, and don't touch anything claiming to be a "light" wallet from any of the 3 coins.
The problem comes in if a dev goes rogue later down the line after this is fixed and the delegates or whales haven't moved their coins. They may have those wallets and delegate keys forever. That's not a good look. It means any of the three coins could potentially die at any moment in the future due to an attack by a former dev or DNS hijacker.
Owen James
I'm not here to shill ARK. I was actually having some issues with the ARK community myself but mostly with the community managers (cannabanna in particular) and general hardcore ARK shills that refuse to listen to criticism.
Then I started investigating and it turns out ARK is the safest of the javascript based blockchains, which I had a nice laugh about.
ARK has a very specific purpose. If you're gambling on technology then ARK is bought because of smartbridge. If it's "javascript blockchains" you're gambling on, ARK is your coin.
I wouldn't make ARK my only hold. I hold a spread of the top 5 and ARK is my "shitcoin" pick because I think it might evolve out of its shitcoin status, especially after realizing their devs made the right choice with user security here. Though I do have more ARK than other coins except BTC/ETH.
Do your own research.
Logan Miller
bump
Caleb Sanchez
HOLY SHT ANS JUST ANNOUNCE THEIR PARTNERING WITH GEORGE SOROS 50BIL MARKET CAP HE IS INVESTING 100TRILLION DOLLARS CHECK IT OUT LIVE NOW
Where's that whale that shilled RISE here a few days ago?
Jace Price
...
Gavin Perez
hey
Levi Scott
He was doing it just yesterday, lmao
James Gray
We should spread this on reddit
Jace Brown
kek, Veeky Forums FUD never works
Blake Flores
>be dev
>secretly store keys somewhere
>quit on good terms
>2 years later
>move to country without extradition
>steal all the LISK
We don't even know if this plan isn't already being implemented.
Grayson Nguyen
Isn't this the guy who hacked eth?
Isaac Reed
lmao. Moon man really did trigger some fagets here
Kevin Collins
Pajeets in the wild
Austin James
Official developer response.
tl;dr They knew about it and that's part of the reason why they are switching to Ark-Hybrid.
Levi Walker
It doesn't matter that they knew because unless every single person changes their keys they'll still have them.
They're going to be forever vulnerable until they change their keys.
Idiots.
Blake Phillips
The old wallets don't matter anymore anyway, because it should all be on Bittrex. For the new wallets which are all empty too right now, they can issue a notice.
Rise is in a better position than Lisk or Shift at least.
Wyatt Sanders
are you telling me that my private key is in plain text in an http post request, with no encryption beyond basic https? wtf
i got some lisk at ~90k sats, its at 72k, not sure I want to sell at a loss, but I do think it's wise to get out at some point.
Jason Miller
>are you telling me that my private key is in plain text in an http post request, with no encryption beyond basic https? wtf
Yes.
Up to you if you want to sell. Chances are only the devs received your keys but that doesn't make the situation any better.
Gabriel Cook
since im a crypto idiot, what is the usual way things are done? Suppose we take BTC, and I do a transaction, I'm assuming my private key is not included in any html?
Samuel Gutierrez
You create and sign the transaction locally with your private key. That signed transaction then gets sent out into the network. Your private key never leaves your computer.
Products like the Ledger Nano take it a step further where your keys are stored on the USB device itself and never even touch your computer. Your computer passes it a transaction to be signed, the ledger signs it, and gives it back to your computer to send out.
Samuel Reyes
does the network have a record of my private key, or how does it verify the signature on the transaction?
James Cox
>how does it verify the signature on the transaction
Crypto magic.
That's the entire point of crypto. Only you hold the key. The network sees your signature is valid and can prove it belongs to your key without you ever giving your actual key, that's how public-private cryptography key pairs work.
In this scenario, you aren't the only one with your key, because the devs have everyone's key as well.
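The two replies above (sign locally, verify with the public key only), as an added example that is not part of the thread and is not code from any of the wallets discussed. It assumes Node.js, Ed25519 keys, a SHA-256 passphrase-to-seed derivation as a stand-in, and constructed payload field names and sample values.

```javascript
// Added example (not wallet code): what leaves the machine in each design.
const crypto = require('crypto');

// PKCS#8 header that wraps a raw 32-byte Ed25519 seed (RFC 8410).
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');

// Assumption: the seed is SHA-256 of the passphrase (a stand-in derivation).
function seedFromPassphrase(passphrase) {
  return crypto.createHash('sha256').update(passphrase).digest();
}

// Wallet side: sign locally; the return value is all that goes on the wire.
function buildSignedRequest(passphrase, tx) {
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519, seedFromPassphrase(passphrase)]),
    format: 'der', type: 'pkcs8',
  });
  const spki = crypto.createPublicKey(privateKey).export({ format: 'der', type: 'spki' });
  // JSON.stringify stands in for a canonical transaction encoding.
  const signature = crypto.sign(null, Buffer.from(JSON.stringify(tx)), privateKey);
  return JSON.stringify({ tx, publicKey: spki.toString('hex'), signature: signature.toString('hex') });
}

// Node side: accept or reject using the public key alone.
function nodeAccepts(wire) {
  const { tx, publicKey, signature } = JSON.parse(wire);
  const key = crypto.createPublicKey({ key: Buffer.from(publicKey, 'hex'), format: 'der', type: 'spki' });
  return crypto.verify(null, Buffer.from(JSON.stringify(tx)), key, Buffer.from(signature, 'hex'));
}

// Audit check for a captured request body: is the passphrase or its seed in it?
function leaksSecret(wire, passphrase) {
  return wire.includes(passphrase) || wire.includes(seedFromPassphrase(passphrase).toString('hex'));
}

function demo() {
  const passphrase = 'constructed sample passphrase, not a real wallet';
  const signedWire = buildSignedRequest(passphrase, { recipient: 'EXAMPLE-ADDR', amount: 5 });
  const keyInBodyWire = JSON.stringify({ secret: passphrase }); // constructed payload shape
  return {
    signedAccepted: nodeAccepts(signedWire),                // true
    signedLeaks: leaksSecret(signedWire, passphrase),       // false
    keyInBodyLeaks: leaksSecret(keyInBodyWire, passphrase), // true
    tamperedAccepted: nodeAccepts(signedWire.replace('"amount":5', '"amount":500')), // false
  };
}

console.log(demo());
```

The same `leaksSecret` check can be run against a request body copied from the browser's network tab when auditing a wallet you use.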
Henry Allen
Wow. Just wow Imagine having bittrex keys, you wouldn't even need any other wallet
Jonathan King
Holy duck6
Robert Rivera
Wtf is this shit. I own Lisk
Ethan Fisher
Okay, I can respect that. But don't people need to know about this?
Christian Cook
So the LISK dev is in the RISE slack answering questions. When asked why all the web wallets aren't secure, her response was "we were going to get rid of them but didn't yet...."
Asher Edwards
Covert Ark Shill
>b-but I'm on y-your side
MUH ARK
Jaxon Perry
you guys should become consultants, coinsultants such faggotry by devs is unforgivable and should be punished by spreading the truth, after all it's money we're talking here
Luke Jackson
I only have €30 worth of rise so it's not like I'm going to die if I lose it. Thanks for the info though
Ethan Barnes
OK, after speaking with the dev, we were wrong about one thing, and that's lisk-nano. It still contains the deprecated endpoints that are totally insecure (no clue why they aren't removed yet), but if you're using the end user desktop wallet, you're fine.
If you've ever used the insecure API or any web wallet at any point, your keys were transmitted. Hopefully the web wallets get removed ASAP and SHIFT/RISE are forced to release a proper working wallet.
Camden Hernandez
bumpo
Josiah Clark
I didn't like LISK from the moment I first saw their marketing. They give me a Kony 2012 vibe.
Samuel Flores
So how do i make money out of all this?
Sebastian Evans
Yea they should become consultants alright, sultans of the con. I joke fellas, you guys are alright, you guys should do a weekly crypto vlog. I find it hard to believe they can be this stupid, its like they did it on purpose. >The problem is this extends past laziness. Or its something sinister, doesn't matter, it is all sorts of retarded that they're aware, doing nothing about it and giving half ass mickey mouse excuses. Get this to plebbit young fellas, the world needs to know.
Zachary Rogers
Exactly, that is why the lead dev went to ARK
Zachary Nguyen
Based Moonman hunting the cryptojews.
Jeremiah Martin
fudding arkies itt! dont listen to them cryptoniggers. lisk about to go to orbit and i cant wait to see the delicioys tears of bag hodle arkfags. lol nice try
Robert Howard
Shitting on those coins and shilling ARK as the safer alternative.
James Harris
Is NEM Nano Wallet secure?
Thomas Hughes
NO HE WAS "FIRED"!!!!!
>tfw NEET 4chanrs don't know that "dismissed" also means he resigned out of contract.