Responsible Security Vulnerability Report: Critical Exposure of Private Keys and Seed Phrases via Keystore Session Hijacking (Inleo)

Introduction & Background to the Security Audit (March 2024)

This report is part of a comprehensive documentation on the responsible disclosure of security findings on the Inleo platform. The vulnerabilities described here were identified around March 2024 and immediately reported to the development team.

Purpose of the Documentation
The goal of this audit is to provide transparency regarding past risks and to ensure the continuous improvement of the platform’s integrity. In the world of Web3 technologies, a proactive culture of accountability is essential to securing the community’s trust in the long term.

Risk Assessment and All-Clear
Although the identified vulnerabilities theoretically posed a risk to sensitive user data and cryptographic keys, an objective assessment of the situation is crucial:

  • No Evidence of Exploitation: Based on current information and thorough investigation, there is no indication that these or other vulnerabilities reported during this period were actively exploited by third parties.
  • Data security: There is no evidence that user information, private keys, or other sensitive data has been leaked to unauthorized third parties.
  • Preventive measures: The prompt reporting and subsequent rapid implementation of security fixes by the Inleo team effectively closed the window of opportunity for potential attacks before any damage could occur.

Conclusion
These reports serve to document and provide evidence of a successful collaboration between independent security researchers and platform operators. They underscore the shared goal of making Inleo one of the most secure gateways in the Hive ecosystem.


Report Date: May 2024
Researcher: louis88
Status: Resolved
Severity: Critical (Emergency)

Introduction & Audit Context

This report is part of a series of Responsible Disclosure documents regarding security audits conducted on the InLeo platform around May 2024. This documentation is provided to ensure transparency regarding past vulnerabilities and to highlight the successful remediation efforts that have since secured the platform.

Reassurance & Data Integrity Statement
While the vulnerability described below presented a significant theoretical risk to user assets, it is important to emphasize the following:

  • No Evidence of Abuse: There is currently no evidence or indication that this specific vulnerability was exploited by any malicious third party.
  • No Data Leakage: To the best of our knowledge, no user information, private keys, or seed phrases were exfiltrated or leaked to unauthorized entities.
  • Proactive Resolution: The vulnerability was identified, reported, and patched immediately by the InLeo development team, closing the risk window before any damage could occur.

Summary

A critical vulnerability was discovered involving the Keystore Login Feature. When users authenticated using this feature, their entire Keystore—including all private keys and seed phrases—was stored within the session JWT (JSON Web Token) on the inleo.io domain. Due to the ability to upload HTML files to the img.inleo.io subdomain (as documented in previous reports), a malicious actor could host a script that extracted this JWT, decrypted/decoded it, and exposed the plaintext keys of any user who visited the malicious link.

Technical Analysis

The Keystore Vulnerability
The "Keystore" was designed to provide a seamless user experience by managing Hive keys. However, the implementation at the time involved placing the Keystore's sensitive contents into the browser's session storage/cookies.

The Exploit Vector: Subdomain Cookie Access
Because the __session cookie was scoped to the parent domain (.inleo.io), it was accessible to any page running on a subdomain, including the image server (img.inleo.io).
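The two cookie properties described above (a parent-domain scope and a session token that carries key material) can be checked mechanically. The following Node.js audit is an added example, not InLeo's code; the cookie value, the JWT claim names and the sample values are constructed, and the hardened header at the end shows the host-only, HttpOnly form with an opaque session reference instead of keys.

```javascript
// Added example, not InLeo's code: cookie value, claim names and sample values are constructed.
const SENSITIVE_CLAIM = /(posting|active|owner|memo)[_-]?key|mnemonic|seed|keystore|wif/i;

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// Unsigned demo token (header.payload.<placeholder>); the audit only reads the
// payload, which is plain base64url JSON in every JWT, signed or not.
const demoJwt = (payload) =>
  `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.sig-placeholder`;

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// "__session=<jwt>; Domain=.inleo.io; Path=/; Secure" -> { name, value, attrs }
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    cookie.attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return cookie;
}

// Returns the findings; an empty array means none of the audited weaknesses is present.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  // Any Domain attribute (e.g. ".inleo.io") sends the cookie to every subdomain,
  // an image host included (RFC 6265 section 5.1.3 domain matching).
  if ('domain' in c.attrs) findings.push(`Domain=${c.attrs.domain} is shared with all subdomains`);
  // Without HttpOnly, any script on a receiving page can read document.cookie.
  if (!c.attrs.httponly) findings.push('missing HttpOnly: cookie readable by script');
  const walk = (obj, path) => Object.entries(obj).forEach(([k, v]) => {
    if (SENSITIVE_CLAIM.test(k)) findings.push(`JWT payload carries key material at ${path}${k}`);
    if (v && typeof v === 'object') walk(v, `${path}${k}.`);
  });
  const payload = decodeJwtPayload(c.value);
  if (payload && typeof payload === 'object') walk(payload, '');
  return findings;
}

// Hardened form: host-only (no Domain), HttpOnly, payload holds only an opaque session id.
const hardenedSessionCookie = (sessionId) =>
  `__session=${demoJwt({ sid: sessionId })}; Path=/; Secure; HttpOnly; SameSite=Lax`;

// Constructed header of the vulnerable shape described in the report.
const VULNERABLE_HEADER = `__session=${demoJwt({ sub: 'alice',
  keystore: { posting_key: 'WIF-PLACEHOLDER', mnemonic: 'word1 word2 word3' } })}; Domain=.inleo.io; Path=/; Secure`;
```

Running `auditSessionCookie(VULNERABLE_HEADER)` reports the shared Domain, the missing HttpOnly and each key-material claim, while the hardened header yields no findings.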

Proof of Concept (PoC)
JWT Extraction: An HTML file uploaded to the image server could programmatically read the session cookie.

Decryption/Decoding: Although the JWT was encrypted/obfuscated, the researcher developed a script included in the PoC that successfully bypassed this protection, converting the session data back into plaintext.

Data Exposure: Once decrypted, the script provided full access to:

  • The Hive Posting Key.
  • The Hive Active Key.
  • The Hive Owner Key.
  • The Master Seed Phrase (Mnemonic).

Impact Assessment

Severity: Critical

The potential impact was the highest possible for a blockchain-based platform:

Total Loss of Funds: Access to the Active Key and Seed Phrase would allow an attacker to drain all liquid assets and staked tokens (Power Down).

Irrecoverable Account Loss: Access to the Owner Key or Seed Phrase would allow an attacker to change the account's keys permanently, locking the original user out forever.

Platform-Wide Risk: Any user utilizing the Keystore feature was potentially at risk if they interacted with a malicious thread or image link.

Conclusion

The discovery of this flaw was a pivotal moment for the platform's security evolution. The rapid and decisive action taken by the InLeo team turned a potential catastrophe into a major security upgrade. This report serves as a testament to the importance of the "Security-First" approach and the value of independent security research in the Hive ecosystem.

Huge shoutout to @mahdiyari for the investigation and public awareness. Parts of this vulnerability research and report would not have been possible without his incredible work.


