
Another successful day for security in the HIVE ecosystem (Only a Dead Bug is a Good Bug!)
I'm gonna call it a day. But...
...in this blog post, I’d like to look back on the work I’ve done today – partly as a summary for myself, but also to show you all what I’ve managed to accomplish today!
It’s now 10:30 p.m., and I started my work researching security vulnerabilities in the HIVE ecosystem around midday. First, I went through a few audits from last week to see if I’d missed anything, and I had something in mind that I’d been wanting to test for a long time. Namely, Witnesses can include a description along with their parameters for the blockchain, as well as a URL for their Witness announcement post or whatever—most use their profile or their project. And that’s exactly where I wanted to start and see what might happen—and yes, something did happen.

I started by using my brother’s witness and entered various XSS payloads as URLs... from standard javascript:// to frontend-specific variables, I tried out about 50 different payloads and have to say—sure enough, the frontends I tested all passed with no significant errors! But I couldn’t just let that slide because there had to be something there—so I took my Claude subscription, threw everything I’d done so far out the window, and ran the AI through a bunch of different repos—because that’s the kind of work an AI can handle well. In the end, something interesting came out of it—namely, a pretty silly and simple error... In that very field, I could enter something specific and completely crash at least one frontend. The server behind it just said—Sorry, dude—something’s wrong here and threw me a 500 error. That was immediate confirmation for me, so I told the developer right away what was going on. He saw the problem right away and got to work on a fix. Less than 20 minutes later, the error was fixed and we were both happy :)
But the day didn’t end there—since I don’t give up easily and, thanks to my years of experience, now know what matters when it comes to HIVE—I was able to use AI to identify additional vulnerabilities in HIVE frontends over the course of three cycles. In one of the vulnerabilities I found, the title wasn’t properly sanitized, making a stored XSS attack possible. The site operator fixed this immediately after I reported it.

I really don’t give up and keep going until I get tired or it no longer makes sense to pursue the goal—so I kept at it and found more stored XSS bugs—this time in an area I hadn’t really been focusing on, but which might still be used sometimes, and areas like that should be tested too. In this case, it was about looking at the history of a blog post and comparing two versions. I reported it, and it was fixed right away. Perfect! I think I did a good job today (at least from my perspective) and made the Hive ecosystem a little bit more secure—even more secure than it already is!
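As an added example (my own code, not taken from any HIVE frontend or from the developers mentioned above), here is how a frontend can treat the witness URL field and post titles as untrusted, attacker-controlled strings before rendering them, which covers both the witness URL test from earlier and the stored XSS in titles and the version-comparison view. The function names and the rendering shape are assumptions, not anything a real frontend uses.

```javascript
// Added example (not code from any HIVE frontend): defensive handling of
// witness-supplied metadata before it reaches a web UI. The witness `url`
// field and a post title are on-chain strings anyone can set, so they are
// treated as untrusted text, never as markup or as a trusted link target.

// Only http(s) links are ever turned into a clickable <a href>.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised URL string, or null when the value must not be linked.
// Parsing with the WHATWG URL API (instead of a regex) means leading
// whitespace, mixed case ("JaVaScRiPt:") or tabs/newlines inside the scheme
// are resolved the same way the browser itself would resolve them.
function safeWitnessUrl(raw, maxLen = 2048) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > maxLen) return null;
  let parsed;
  try {
    parsed = new URL(raw.trim()); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null; // javascript:, data:, vbscript:, ...
  if (parsed.username || parsed.password) return null;    // "https://peakd.com@evil.example" confusion
  return parsed.href;
}

// HTML-escape untrusted text (titles, URLs shown as text, diff output) before
// it is concatenated into markup. Escaping quotes as well keeps the output
// safe inside quoted attribute values, not only in element content.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one witness entry. The same escaping must be applied everywhere the
// title is shown, including older revisions in an edit-history / version-diff
// view: a title that was safe on the post page is still dangerous if the
// history view inserts the stored raw string.
function renderWitnessLink(witnessUrl, title) {
  const href = safeWitnessUrl(witnessUrl);
  const label = escapeHtml(title);
  return href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`
    : `<span>${label}</span>`;
}
```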

That’s all from me for today—and for those wondering why I’ve already published five articles today: these are blog posts linked to a product on PeakD. You can support me and my work there every month by visiting my shop at https://peakd.com/@louis88/shop. But only if you like what I’m doing for the HIVE blockchain.

And for those wondering why Inleo’s Rafiki AI bot is so fascinated by the Flat Earth theory—well, that’s probably a topic for another episode titled “Security in the Hive Ecosystem with Louis and the Friendly AI Next Door” (who’s always happy to drop by for coffee).

Well, with that in mind—see you next time, and sorry for all the spam today.
Cya
