It’s been just three days since I received and started using the Max Claude subscription (yes, paid for by DHF—thanks a lot for that, too). My progress so far is already pretty impressive... So far, I’ve looked through around 19 projects running on Hive, as well as the legacy chain... What do I mean by “looked through”? My current tech stack consists of a virtual machine on my home server running Kali Linux (a Linux distribution built for penetration testing) and a Win11 virtual machine running in parallel. Since these are just virtual machines, I have no concerns about giving Claude full access so he can unleash his full potential.
This works especially well on my Kali Linux machine, since Kali Linux comes pre-installed with hundreds of different penetration testing and security testing tools, and because I run Claude on that machine, he can naturally use all of those applications as well. Most often, though, I pull a repository from GitHub and run Claude over it using my security audit skills so that I end up with a clean report. Generating a report usually takes about 15 to 30 minutes, depending on the project’s complexity. Then comes the actual work: I read the report, focusing in most cases on the critical and high-severity vulnerabilities, and try to understand whether each one could pose a real problem within the HIVE ecosystem. Of course, I’m not a high-end developer who has mastered dozens of programming languages, but after 8 years of identifying issues and security vulnerabilities and collaborating on the Hive blockchain, I think I’m pretty good at assessing whether a reported security vulnerability poses a serious problem.
Here’s a practical example from yesterday: I took a closer look at our Actifit project and found quite a few issues. For at least three of them, I was able to confirm that the critical security vulnerabilities I had found actually existed. Of course, I tested them myself and was, unfortunately, quite alarmed. The vulnerabilities have since been fixed, so I can now write about them. One was a classic XSS (Cross-Site Scripting) vulnerability, one of my favorite vulnerabilities to test and report, since it’s very obvious and can therefore cause significant damage. I was able to insert code at a specific point in a blog post that would display the session code as an alert. That was just a demonstration, but XSS can be very dangerous.
Mistakes like this can happen from time to time. As I just mentioned, this is my favorite security vulnerability, and unfortunately it has been found in various forms in other Hive-related projects in the past. I found a particularly large number of them with Inleo and Leofinance, and of course these were reported, even though the owner himself (unfortunately) didn’t know what to do with them and couldn’t assess the extent of the danger to users. Furthermore, with Actifit I was able to find credentials, specifically access tokens, that were freely available and visible to anyone. If you looked in a specific location, you could find access tokens for, e.g., DeepL Translator, a paid Google Gemini subscription, and other internally used keys for executing transactions and credits. With that authorization, and just a single command in the console, I was able to write something to the wallet on HIVE regardless of the account, and to redirect the links for further details of a transaction, which normally lead to a HIVE post, to a website of my choosing (potentially malicious). In this example, I simply chose x.com.
Those were actually the biggest bugs I found. And it’s all thanks to the DHF’s Claude subscription. A big thank you goes out to the Actifit team, who responded very quickly, were very cooperative and understanding about the bugs and the security audit, and didn’t hesitate to fix the issues in the software as soon as possible. Unfortunately, on other projects I sometimes run into a great deal of incomprehension regarding my work, and it takes developers months to fix critical vulnerabilities. (Cough... Leo)... So, hats off to the Actifit team and good job!
What’s next? Well, I have quite a few audits lined up—especially audits of Steemit.com and Signup.Steemit.com, where accounts are created... And the initial results are simply shocking. Anyway—that’s all for today. Thanks for your attention and support. And if you like my work, feel free to vote for my witness at louis.witness (currently ranked 29th)—it really helps.
See you soon!