I’m on Stable Droplet Test Network and I’ve only created the website http://pliwallet.safenet/
But I totally got no clue, who created the others and how somebody else could do that. No I haven’t share my credentials. Another thing that’s strange, is none of the publicID’s are pliwallet marked or it’s subdomains, they seem to have their own publicID’s with identical subdomains.
You must have visited safeshare and uploaded material under the same account as you used to create pliwallet.
As a workaround until structured data is available, Safeshare creates a name and a service for each file you upload. My implementation of the workaround is quite dirty and hacky, as you get to find all the folders visible in your files under weird names.
I suppose I should at least have it create a “safenet-uploads” folder and store the stuff in there.
I’ll try to do that in the next version, please apologize for the mess and concerns that it may have created.
At least I hope you can feel reassured, as you did not be hacked.
Yeah I did upload a few files to safeshare, I don’t mind that this happened, but it could be a way for hackers (crackers) to direct people to websites and do some hacky (wacky) stuff like:
Let the users download malware
Steal the users credentials and flee into the night with their SAFEcoins
This reminds me of a email with attachments, curious people will always click to see the attachment. Although the attachment can’t do anything on the SAFE Network, it can do damage on a users computer. Today I was wonder: what if your browser not longer download stuff, but you could just run whatever in your browser, because it’s just a OS running on the SAFE Network?
Hmmmm I would call it a hack if something happens, that you as user don’t control on your demo app. It’s all good, because this shows somethings that are possible.
I create a web app that looks cool , people go there, grant the app rights with leheir launcher and use it happily. Behind the curtains, the application creates services and files on the user account. ( this is exactly what safeshare does now ). In the safeshare case, these are simply your files so, no harm. But the app could put anything in here, and people would visit the files from their demo app or future safe file manager, and open malicious stuff.
For instance one could easily create a fake alert that looks very much like a launcher window, that asks to enter credentials again, pretexting whatever reason. If people are curious like you said about attachements, they trigger the trtap window, enter credentials again and bam, they are doomed.
I suppose the only way to prevent that is to check the code before visiting the web app, and do not authorise the app if you are not sure what it does.
As soon as you grand an app rights from the launcher, you open them the door to your files.
Funny enough just yesterday I was admiring how it’s possible to check the source code of Ethereum apps. Like so:
It would be fun if this was also possible in the SAFE Launcher, but we all know that normal people will never read sourcecodes let alone fully understand it.
We already got a solution, that makes it possible for users not to enter credentials. SQRL is just scan the QR code and your logged in, this just makes it extremely difficult for crackers to fool the users to login with credentials.
Another way to fight this from happening is 2FA, with 30 sec login interval (please no sending of text, because phonenumber can be spoofed), this would mean that the cracker would also have to hack the users phone.
If SAFEcoins are not protected with bank security, we’re all doomed
I use firefox’s ‘save webpage’ function all the time. The only thing that would be difficult is parsing the HTML file and finding what scripts are called from the server. JavaScript is ever-pervasive.
