Dear Steemians,
I have found an exploit that enables a malicious person to create an army of fake accounts that can be used to upvote any posts that person makes, earning him hundreds if not thousands of dollars! If we want Steem to survive then this exploit should be addressed as soon as possible! This is how the exploit works.
First, you create a temporary email address at a website like http://www.throwawaymail.com/en or https://10minutemail.com/10MinuteMail/index.html?dswid=-8738
These websites let you make a disposable email address in seconds and receive the Steem account activation link on it. The temporary address itself expires within a few minutes to 48 hours (depending on which website you use), so once the account is activated nothing ties it to a lasting mailbox.
After activation you have to verify the account with your cellphone number: a security SMS is sent to your phone and you need the code in it to verify the account. One might think that this dissuades anyone from creating multiple accounts for upvoting. However, one does not need to own hundreds of cellphone numbers in order to make multiple Steem accounts.
There are websites that let you use hundreds of different cellphone numbers for free. You can use those numbers to receive verification SMS messages; the messages then appear on the website or are emailed to you. There are at least two websites that offer this. The first one is https://smsreceivefree.com/ and the second one is https://tempophone.com/ . The first one alone lists 60 telephone numbers that can receive free SMS messages. Furthermore, these 60 telephone numbers are replaced by completely new telephone numbers every month. This means an attacker could build an army of roughly 720 upvoting "followers" in just 12 months (60 numbers a month) using this website alone. As noted, there are more websites like these, so the actual number of fake accounts could be much higher than this.
This exploit has the potential to decrease the price of Steem dramatically, because it drains the reward pool by sending rewards to people who do not deserve them (they are basically upvoting themselves).
The Steem developers can take the following measures to prevent this exploit from being used (again):
- Blacklist all phone numbers that appear on websites like smsreceivefree.com and refuse anyone who tries to sign up with one of these phone numbers. Because those sites rotate their numbers every month, the blacklist has to be refreshed on the same schedule.
- Make two-factor authentication (2FA) a mandatory login procedure. If people have to use the same phone number over and over again to log in, there is no longer an incentive to use disposable phone numbers.
People might already have used this exploit in the past. If so, these people and their fake accounts should be flushed out of the system as soon as possible, because they are destabilizing the Steem community. I recommend the following measures be taken against them:
- Resend verification codes to all registered phone numbers and tell people that they must verify their accounts again with the codes sent. Anyone who fails to do so within 48 hours either has something to hide or is simply no longer using Steem. People who used disposable phone numbers probably won't be able to re-verify, because the phone number they used is no longer available, so they will be identified very easily.
- Resend an activation link to all the email addresses used to open a Steem account. If people used a temporary/disposable email address, they won't be able to click the activation link sent. Accounts that are not re-verified by activation link should be disabled.
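The two sets of measures above (screening new signups against a blocklist of disposable email domains and published SMS-receiving numbers, and sweeping existing accounts after a re-verification challenge with a 48-hour deadline) can be expressed as a small piece of backend logic. The example below is added here for illustration; it is not Steemit's code. The blocklists, the sample accounts, the phone numbers (dummy values, not numbers taken from any site) and the function names are all constructed assumptions. The only parts taken from the post are the two disposable-email domains and the 48-hour window.

```python
"""Signup screening and re-verification sweep for a signup flow that is gated
by an email activation link and an SMS code.

Added example, not Steemit's code. Blocklists, accounts and phone numbers are
constructed for illustration."""
import re
from datetime import datetime, timedelta

# Constructed blocklists (assumption: an operator maintains them). Numbers on
# public SMS-receiving sites rotate roughly monthly, so a static list decays
# and must be re-imported on a schedule.
DISPOSABLE_SMS_NUMBERS = {"+15550100001", "+15550100002", "+447700900123"}
DISPOSABLE_EMAIL_DOMAINS = {"throwawaymail.com", "10minutemail.com"}

# Accounts that do not answer a re-verification challenge within this window
# are disabled (the 48-hour deadline proposed in the post).
REVERIFY_WINDOW = timedelta(hours=48)


def normalize_phone(raw, default_cc="1"):
    """Canonicalise a phone number to E.164-style '+<digits>' so that
    '(555) 010-0001', '555.010.0001' and '+1 555 010 0001' compare equal.
    Assumption: a number without a '+' or '00' prefix belongs to default_cc,
    and a single leading trunk zero is dropped in that case."""
    digits = re.sub(r"[^\d+]", "", raw.strip())
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    if digits.startswith("+"):
        body = digits[1:]
    else:
        body = default_cc + (digits[1:] if digits.startswith("0") else digits)
    if not body.isdigit() or not 7 <= len(body) <= 15:
        raise ValueError(f"invalid phone number: {raw!r}")
    return "+" + body


def signup_problems(email, phone):
    """Return the reasons this signup should be refused; an empty list means OK."""
    problems = []
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or "." not in domain:
        problems.append("malformed email address")
    elif domain in DISPOSABLE_EMAIL_DOMAINS:
        problems.append(f"disposable email domain: {domain}")
    try:
        number = normalize_phone(phone)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if number in DISPOSABLE_SMS_NUMBERS:
            problems.append(f"phone number published on a free SMS-receiving site: {number}")
    return problems


def reverification_sweep(accounts, now):
    """Classify existing accounts after a re-verification challenge was sent.
    Each account is a dict with 'name', 'phone', 'challenge_sent_at' and
    'reverified_at' (None until the user answers). Returns (disable, pending).
    A number on the blocklist is disabled even if it answered: anyone can read
    SMS sent to a public number, so the answer proves nothing."""
    disable, pending = [], []
    for acct in accounts:
        if normalize_phone(acct["phone"]) in DISPOSABLE_SMS_NUMBERS:
            disable.append(acct["name"])
        elif acct["reverified_at"] is not None:
            continue  # answered in time with a non-public number
        elif now - acct["challenge_sent_at"] >= REVERIFY_WINDOW:
            disable.append(acct["name"])
        else:
            pending.append(acct["name"])
    return disable, pending


# Constructed sample data: one real user who answered, one still in the window,
# one sock puppet on a public number, one that never answered.
NOW = datetime(2017, 7, 1, 12, 0)
SAMPLE_ACCOUNTS = [
    {"name": "alice", "phone": "+1 555 020 0001",
     "challenge_sent_at": NOW - timedelta(hours=30), "reverified_at": NOW - timedelta(hours=29)},
    {"name": "bob", "phone": "(555) 020-0002",
     "challenge_sent_at": NOW - timedelta(hours=10), "reverified_at": None},
    {"name": "sock1", "phone": "(555) 010-0001",
     "challenge_sent_at": NOW - timedelta(hours=30), "reverified_at": None},
    {"name": "sock2", "phone": "+44 7700 900999",
     "challenge_sent_at": NOW - timedelta(hours=50), "reverified_at": None},
]

if __name__ == "__main__":
    print(signup_problems("x@throwawaymail.com", "(555) 010-0001"))
    print(reverification_sweep(SAMPLE_ACCOUNTS, NOW))
```

Two points worth noting when applying this. Phone numbers must be normalised before comparison, otherwise an attacker trivially bypasses the blacklist by writing the same number with different spacing or a `00` prefix instead of `+`. And the blacklist is only as fresh as its last import: since the sites replace their numbers monthly, the sweep should be re-run against the refreshed list, not just once.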
Please upvote and resteem this post so that people know about the existence of this exploit and action can be taken as soon as possible. Only together can we make a stronger Steem community!
EDIT: it's already happening: https://bitcointalk.org/index.php?topic=1990048.0
This guy has made a bot that does the exact same thing I'm describing in this article. Steemit is doomed.
Yours truly,
Codix