Hey everyone,
Here’s a quick update on my work regarding the Claude Max Subscription funded by the DHF and what I’ve been able to accomplish over the past few days.
The deal was that I would use my expertise in security surrounding the Hive blockchain to make the Hive ecosystem even more secure than it already is.
Over the past few days, I’ve been hard at work, spending several hours reading security audits and conducting proof-of-concept tests, which allowed me to identify and exploit several security vulnerabilities in the Hive ecosystem once again and report them to the responsible project owners. For example, I found several security vulnerabilities in a Hive blogging frontend—which rendered Twitter/X posts or Reddit posts—using a specially crafted payload that I simply published as an article. Just by hovering over an embed in an article, I was able to exploit a cross-site scripting (XSS) vulnerability and execute JavaScript code. The other vulnerability I reported was a specific CSS injection payload that allowed me to place a webhook endpoint; thus, whenever a post or comment was accessed, the payload triggered and sent the IP address, location data, and—if available—keys from LocalStorage to a web server of my choice. I reported these two serious vulnerabilities immediately after discovering them to the developer and code/blockchain wizard /, who addressed the issues that very same night, made code adjustments to the frontend, and consequently fixed the vulnerabilities within a few hours. A huge thank you goes out to Gandalf! A true hero!
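Both frontend issues above come down to the same root cause: user-supplied post markup reaches the browser carrying elements and attributes it should never carry (event handlers, inline CSS, style blocks, non-http URLs). As an added example, not code from this post or from the frontend in question, here is a small allow-list sanitizer in Python built on the standard library's HTMLParser; the tag and attribute lists are assumptions that a real frontend would tune to what its markdown/embed renderer actually emits, and the inputs in the assertions are constructed samples.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list of what a blogging frontend needs to render a post body or an embed (assumed lists).
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "blockquote", "img", "br", "ul", "ol", "li", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}  # on* handlers and style= are simply unlisted
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # the tag and its whole body are removed
VOID_TAGS = {"br", "img"}

def safe_url(url):  # accept http(s) or a plain relative URL; any control character rejects the value
    url = url.strip()
    if any(ord(c) < 33 or ord(c) == 127 for c in url):
        return False
    scheme = urlsplit(url).scheme.lower()
    return scheme in {"http", "https"} or (scheme == "" and not url.startswith("//"))

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip_depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in DROP_WITH_CONTENT:  # inside a dropped element: track nesting only
            self.skip_depth += tag not in VOID_TAGS
            return
        if tag not in ALLOWED_TAGS:  # unknown tag: drop the tag itself, keep its text
            return
        # Keep only listed attributes; href/src must additionally pass safe_url (blocks javascript: etc.).
        kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and (n not in ("href", "src") or safe_url(v or ""))]
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):  # void tags are never on the stack, so the end half of <img/> is harmless
        if self.skip_depth and tag not in VOID_TAGS:
            self.skip_depth -= 1
        elif tag in self.stack:  # close everything down to the matching open tag
            idx = len(self.stack) - 1 - self.stack[::-1].index(tag)
            self.out.extend(f"</{t}>" for t in reversed(self.stack[idx:]))
            del self.stack[idx:]

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(fragment):
    p = AllowListSanitizer()
    p.feed(fragment)
    p.close()  # flush buffered text
    return "".join(p.out + [f"</{t}>" for t in reversed(p.stack)])  # close anything left open
```

Run `sanitize()` over the rendered embed HTML before it is inserted into the page; with the lists above, a hover handler on a link, a style block, and a javascript: href all come out stripped while the visible text survives.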
To that end, I found publicly accessible API keys today in a project that has been on HIVE for quite some time; they’ve likely been there for a while but were still valid. Using these keys, I was able to make specific API calls through the API provider to various blockchains, with each call using such a private API key costing varying amounts of credits. If this were to be automated, two things could happen: A) the monthly available credits would be used up, and the payment method on the provider's account would be charged, potentially resulting in financial loss, or B) if the API call limits are exhausted, the project would likely have no way to make further API calls to the various blockchains, which would effectively halt its operations.
Since both scenarios would result in financial loss, I decided to report these leaked API keys to the project developer. Thanks to my previous work as an independent security consultant, I am already well known within the company, and they know that I handle such sensitive information with the utmost care and professionalism. In the past, I have successfully reported many security vulnerabilities and bugs to the company.
Those were just two of the many projects I’ve reviewed and reported security risks for. If you like my work, I’d appreciate a witness vote (link in the footer) for my witness louis.witness.
Thanks, and stay safe!
louis
Vote for my Hive Witness
You can vote for my Witness using Hive Keychain here: https://vote.hive.uno/@louis.witness
Vote for my Hive Engine Witness
Vote for my Witness on Hive-Engine using the Primersion tool: https://primersion.com/he-witnesses (enter your username and search for louis.witness).