That API reveals all private keys kept in the wallet.

The wallet_plugin as used by both nodeos and keosd exists entirely for testing purposes, and is not secure by default. There was an expectation that existing community wallets would develop support for EOS.IO keys that doesn’t seem to have come to fruition quite yet. The shortcomings of the wallet_plugin are being addressed in #3596 and #3598.

The EOS.IO software comes with some default keys preloaded, and the tutorials are all written with those default keys in mind, along with ephemeral keys generated as part of the instructions. People experimenting with the software should be using those keys and should NOT be loading their ICO-registered keys into Internet-exposed keosd instances or nodeos instances running wallet_plugin. Anyone who has done so should re-register with new keys that have not been potentially exposed.
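One way to check a node's configuration for the exposure described above, as an added example that is not part of the original text or of the EOS.IO code base. It assumes the stock `config.ini` keys `plugin` and `http-server-address` and the plugin names `eosio::wallet_plugin` and `eosio::wallet_api_plugin`; the sample config is constructed.

```python
import ipaddress

# Assumed plugin names that put the test wallet behind the HTTP listener;
# adjust to the names your build uses.
WALLET_PLUGINS = {"eosio::wallet_plugin", "eosio::wallet_api_plugin"}

def parse_config(text):
    """Return (set of loaded plugins, list of http-server-address values)."""
    plugins, binds = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "plugin":
            plugins.add(value)
        elif key == "http-server-address" and value:
            binds.append(value)
    return plugins, binds

def is_loopback(bind):
    """True only when the host part is provably a loopback address."""
    host = bind.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host or DNS name: treat as exposed

def audit(text):
    """List findings for a config that serves a wallet plugin off-loopback."""
    plugins, binds = parse_config(text)
    loaded = sorted(plugins & WALLET_PLUGINS)
    if not loaded:
        return []
    return [f"{', '.join(loaded)} reachable via {b}"
            for b in binds if not is_loopback(b)]

SAMPLE = """\
# constructed sample, not taken from a real node
http-server-address = 0.0.0.0:8888
plugin = eosio::chain_api_plugin
plugin = eosio::wallet_api_plugin
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("EXPOSED:", finding)
```

The check only reads explicit settings; a config that omits `http-server-address` falls back to the build's default and is not reported here.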

