
Beware of Fake "Private" Transactions

03 August 2018

UPDATE: The Snake Oil server run by Jelurida has now been turned off, since it has fulfilled its purpose. Instead, we have published the complete list of "private" Apollo transactions up until now (April 3, 2019), and an updated response to all recent Apollo claims and accusations. The article below remains unchanged, as a historical document.


Jelurida always keeps an eye on how our blockchain technology is being used. Recently, our attention was drawn to the impressive claims of an Nxt clone called Apollo, whose developers say they have added a "private transactions" feature to it.

After a close examination of the Apollo software, we feel it is necessary to issue a public warning, in order to prevent Nxt users who have accounts on the Apollo blockchain from being misled into believing that the Apollo private transaction feature actually works, and from wrongly assuming that their transactions cannot be seen by others. The reality is that all transactions on their blockchain, whether labeled private or not, are easily accessible to anyone who downloads the Apollo blockchain, now and forever in the future, due to the immutable nature of the blockchain.

To demonstrate the lack of privacy on the Apollo blockchain, we present to you our Project Snake Oil:

http://snakeoil.jelurida.com:7876/

This "Snake Oil" project is a modified version of the Nxt Blockchain Creation Kit Software, adapted to connect to the Apollo blockchain and display all transactions from it, ignoring any misleading "private" flags. The purpose of this project is to reveal that there is nothing private in the so-called "private" Apollo transactions, since they are propagated over the network in clear text, stored in the database in clear text, and handled in the server memory, again in clear text. The blockchain being an immutable ledger, these "private" transactions are stored in it forever, and anyone can extract them from it, now or in the future, as hereby demonstrated.

As an example, some accounts with a high number of such "private" transactions are: APL-MSNQ-PKNR-T2WE-GPV7T, APL-T4Z7-X4KU-NBL8-DN4PP, APL-XYFQ-2JD7-H5M3-54HGR, APL-NZKH-MZRE-2CTT-98NPZ. Logging in using those, or using any other account, will reveal in full all payment transactions of each account, without needing to know its password. Compare the differences with the transaction lists shown in the official Apollo web wallet, which creates an illusion of privacy by skipping the "private" transactions.

The encryption that the server uses to reveal the transaction content only to those who know the passphrase is a vanity feature, which is simply useless in a decentralized network (i.e. a blockchain) where every participant is running a full node and already has access to all data in clear text.

For example, here is what the Apollo wallet shows for account APL-MSNQ-PKNR-T2WE-GPV7T:

[Screenshot: the transactions the Apollo wallet shows]

And here is the full transaction history, as available in clear text on the blockchain:

[Screenshot: all transactions]

The Apollo wallet asks the user to enter a password in order to reveal the "private" transactions, but in reality they are all there, visible to anyone. Incompetent developers, or something else?
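
The gap between the two listings above can be reproduced with a small model. This is an added example, not Jelurida's or Apollo's code; the record fields, account names and ledger contents are constructed for illustration and do not reflect Apollo's actual schema.

```python
import json

# Constructed sample ledger: the records every full node holds after sync.
# Field names ("private", "sender", ...) are hypothetical, not Apollo's schema.
LEDGER = [
    json.dumps({"id": 1, "sender": "ACC-A", "recipient": "ACC-B", "amount": 50, "private": False}),
    json.dumps({"id": 2, "sender": "ACC-A", "recipient": "ACC-C", "amount": 900, "private": True}),
    json.dumps({"id": 3, "sender": "ACC-D", "recipient": "ACC-A", "amount": 7, "private": True}),
]

SENSITIVE = ("sender", "recipient", "amount")


def wallet_view(ledger, account, passphrase_ok=False):
    """Listing as a server that honors the flag would return it."""
    out = []
    for raw in ledger:
        tx = json.loads(raw)
        if account not in (tx["sender"], tx["recipient"]):
            continue
        if tx["private"] and not passphrase_ok:
            continue  # hidden at the API layer only; the stored record is untouched
        out.append(tx["id"])
    return out


def node_view(ledger, account):
    """Listing built from a node operator's own copy, with no flag check."""
    txs = (json.loads(raw) for raw in ledger)
    return [tx["id"] for tx in txs if account in (tx["sender"], tx["recipient"])]


def flag_only_private(ledger):
    """Audit: ids of records marked private whose sensitive fields sit in clear text."""
    findings = []
    for raw in ledger:
        tx = json.loads(raw)
        if tx.get("private") and all(k in tx for k in SENSITIVE):
            findings.append(tx["id"])
    return findings


if __name__ == "__main__":
    print("wallet, no passphrase:", wallet_view(LEDGER, "ACC-A"))
    print("node operator's copy: ", node_view(LEDGER, "ACC-A"))
    print("flag-only 'private':  ", flag_only_private(LEDGER))
```

The audit function is the check to run against any design that advertises private records: if the sensitive fields are readable in the replicated store, the privacy exists only in the client that chooses to honor the flag.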