Warning to users using third party applications - Be extremely careful providing your keys to anyone or any site!

in #security, 8 years ago (edited)

I recently posted two articles on how to use the SteemConnect tool to create new accounts on the Steem blockchain as well as how to delegate SP to another user. SteemConnect is an amazing tool, and I am extremely thankful to the Busy.org team for providing the community with these awesome features =)

@sneak (Employee of Steemit, Inc.) commented on one of the posts with a warning. I am very thankful that he did, because I did not include sufficient warning in my posts for users to be extremely cautious when providing their active key to another site. I took for granted that the Busy.org team is a highly trusted group of people, and it did not even occur to me to warn people.

Let me make this clear, I am not saying that users shouldn't trust their keys with Busy.org and the SteemConnect tool. Personally, I have used their tool and will continue to do so. It is not without risk though - I am opening up my account to the possibility of being hacked. Users need to be aware of the risks and decide for themselves what is appropriate to do with their keys, and who (if anyone) to trust them with.

Here is some advice on managing the security of your keys:

  1. First of all, if you have not already saved and backed up your account password (owner key) somewhere safe, where it would not be destroyed in the event of a hard drive crash or fire - DO IT NOW. There truly is no way to get into your account and access your funds if your key is lost. Any money that you have in your account would be gone forever. You need to save this key.
  2. If you still have not saved and backed up your password, please stop reading this post and do not continue reading it until your password is safely backed up. (Seriously)
  3. Never, under any circumstances, give your owner key to any other person or third party website unless you trust them with your life. Anyone who has access to your owner key would be able to steal your entire account and everything in it. There really should never be a reason to do this unless you want someone you fully trust to have access to your account in case something happened to you or your keys. Even then, it is questionable.
  4. Be extremely careful with providing your active key to any other person or third party website. Anyone with access to this key can basically do whatever they want with your account, including stealing all of your money. You could still recover the account with your owner key, but any money they were able to transfer out would be gone. You should really trust anyone or any website that you are providing this key to. You are essentially giving them full access to your account. If you wouldn't trust them with full access to your account, then don't give them your active key.
  5. You should also be very careful when providing your posting key to any other person or third party website. Even though they would not be able to take any of your money, they can still use your voting power, post things on your behalf, and act as you on the blockchain.
  6. Even if you trust a person or website with your key(s), you also must trust the security measures they have in place to protect your key(s). If they get hacked and your key(s) gets stolen, then the hacker will be able to do whatever they want with your key(s).
  7. Do not use a key with higher authority than what you need. For example, if you are just logging in to post, vote, and comment - do not use your active or owner key. Use your posting key. If you are transferring funds, do not use your owner key. Use your active key.
  8. If you have provided any of your keys to a person or third party website that you do not fully trust, it is recommended that you change your password here: https://steemit.com/change_password. This process will generate new keys for your account. Before you click the button to change your password, be sure to save and back up your new key. Please re-read points #1 and 2.

The bottom line is this - if you provide any of your keys to another person or third party website, you are giving them full access to do whatever those keys are allowed to do. If you do not trust them with the authority that the keys grant them, and their ability to protect them from getting hacked/stolen, then do not provide them with the keys.
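
An added example, not part of the original post or any project's code: a read-only check of which keys and accounts can sign for each role of an account, useful after the password change in point 8 and for the case raised in the comments where an app kept its authority after a reset. The account record is constructed in the shape of an entry from Steem's `get_accounts` API response (an assumption), and every name and key in it is a placeholder.

```python
# Added example: read-only audit of who can sign for a Steem account.
ROLES = ("owner", "active", "posting")

# Constructed sample, in the shape of one entry from Steem's get_accounts
# API response (assumed); names and public keys are placeholders.
SAMPLE_ACCOUNT = {
    "name": "alice-example",
    "owner": {"weight_threshold": 1, "account_auths": [],
              "key_auths": [["STM_PLACEHOLDER_OWNER_NEW", 1]]},
    "active": {"weight_threshold": 1, "account_auths": [],
               "key_auths": [["STM_PLACEHOLDER_ACTIVE_NEW", 1],
                             ["STM_PLACEHOLDER_ACTIVE_OLD", 1]]},
    "posting": {"weight_threshold": 1,
                "account_auths": [["thirdparty-app", 1]],
                "key_auths": [["STM_PLACEHOLDER_POSTING_NEW", 1]]},
}

# Public keys you expect after your latest password change (placeholders).
EXPECTED_KEYS = {
    "owner": {"STM_PLACEHOLDER_OWNER_NEW"},
    "active": {"STM_PLACEHOLDER_ACTIVE_NEW"},
    "posting": {"STM_PLACEHOLDER_POSTING_NEW"},
}

def audit_authorities(account, expected_keys):
    """List every signer on each role that is not one of your current keys.

    Returns (role, kind, holder, can_act_alone) tuples, where can_act_alone
    means the signer's weight alone meets the role's weight_threshold.
    """
    findings = []
    for role in ROLES:
        auth = account[role]
        threshold = auth["weight_threshold"]
        # Other accounts granted this role by name (e.g. an app).
        for holder, weight in auth["account_auths"]:
            findings.append((role, "account", holder, weight >= threshold))
        # Keys still listed that you do not recognise (e.g. a stale key).
        for pubkey, weight in auth["key_auths"]:
            if pubkey not in expected_keys.get(role, set()):
                findings.append((role, "key", pubkey, weight >= threshold))
    return findings

if __name__ == "__main__":
    for role, kind, holder, alone in audit_authorities(SAMPLE_ACCOUNT, EXPECTED_KEYS):
        print(f"{role:8} {kind:8} {holder}  can act alone: {alone}")
```

An empty result means only your current keys can sign; any `account` entry is a grant that has to be revoked explicitly, and any `key` entry is a key you did not expect to still be listed.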


Be extremely careful with providing your active key to any other person or third party website. Anyone with access to this key can basically do whatever they want with your account, including stealing all of your money. You could still recover the account with your owner key, but any money they were able to transfer out would be gone. You should really trust anyone or any website that you are providing this key to. You are essentially giving them full access to your account. If you wouldn't trust them with full access to your account, then don't give them your active key.

It's not just trust in the service to not steal; it must also be trust in their ability to fend off a server or credential compromise.

I could trust the busy guys 100%, but if they get hacked through no fault of their own, any keys I provide to their site are just as stolen (by whomever hacked their server, in this hypothetical scenario).

You can't be too cautious here.

Can we start using local clients yet?

Thanks @sneak - great point! Post updated.

I don't mind giving out my posting key to an app.

My active key, well... only to the site I use to post steemit articles to...

My owner key, that's in safe keeping. I never give that to anyone. If I had to really use it, I think I'd rather run steemd and sync to the blockchain myself.

@timcliff and @sneak I am having a problem with exactly this issue.

I gave my active wif to streemian yesterday, before I really understood how powerful it was. Streemian misrepresented and said they could not access funds with it.

Now I want to rescind all of the permissions but I have reset my master password twice - and checked to make sure it also reset my active wif, BUT STREEMIAN STILL HAS THE SAME PERMISSIONS.

I don't understand what's happening and all efforts to contact streemian and @xeroc, with no responses. Streemian's permissions removal app is not working.

There must be some way for me to remove wif permissions, but I don't know what to do.

More details here: https://steemit.com/steemit/@dber/need-help-i-think-streemian-is-procuring-active-wifs-from-new-users-under-false-pretenses-2017616t93220644z

It looks like you actually set up new keys for these services to use. You did it with two different services. At least based on what it shows there it does look like it is posting authority only, but I have no way of knowing if you gave them access to owner authority as well.

You should ask for help in the #streemian channel of Steemit chat. There should be users there who can walk you through the process of removing their authority from your account.

IMG_0149.PNG

Thank you so much for responding - this issue is coming up hard against my slowly receding ignorance. How did you see this information? Through cli wallet?

Also I definitely didn't give them the master password - and I have definitely changed the active wif twice now - is there any way they could still have owner's permission after that?

Also, checked out the #streemian chatroom and there are a few people asking to leave and no answers from streemian.

Steemd.com/@accountname. I doubt it, but I cannot say for 100% since I don't know what was actually shared/done.

I gave streemian my username and my active wif.

Then I changed my master password twice.

That's the extent of it.

But the chatroom has no responses from streemian people and @xeroc is not responsive, and the emails to streemian are not returned in about 48 hours.

The fact that they request the active key at all, in hindsight, seems unnecessary. That they say right above that that they cannot access your money, even though you've given them the active, strikes me as fundamentally false... though perhaps I'm missing something.

As far as I know you should be good if you shared your active key, and after that you changed your passwords and confirmed that your old active key no longer works.

Hmm - I definitely changed my passwords, but I didn't have the old active key written down.

I went through and found the actual transaction and update notice from streemian:

streemian.png

Then found only one other update:

update 2.png

That's all I can see as far as updates go, and neither seem to add any authority to the active or owner slot. This doesn't alleviate my concerns that they are collecting active keys, but if I changed my active key twice, that original should no longer be useful if I'm understanding correctly.

Hey, if you would like to revoke posting authority you can use this page: https://v2.steemconnect.com/revoke/@streemian Let me know if that worked for you.

Hi, thanks for the link. How do I confirm the revoking was successful?

Thanks a lot! I've spent 2 hours trying to do this lol

good information to have on hand

Like you said, people should be aware of the risks involved and know what they are exposing themselves to. In the cyber world, nothing is completely secure and having your keys in the possession of another definitely brings risks.

I think you've thoroughly explained to people the risks involved with using third party software and anyone who reads this will know how to secure themselves against such risks and also know what they're getting into by using third parties.

At the end of the day, it's a personal choice, but educated decisions are always better. Thanks for sharing!

P.S. I don't use third parties... I even find it hard to trust my browsers! I'm just paranoid like that :)

Another thing to be cautious of is using Chrome Extensions that interact with Steemit.com. Because the keys we use are on the DOM, an extension could get that information if it was designed to do so. I am not saying they are bad and in fact I made one here. Just use caution.

However, this idea is not something new. Any software that you install on your computer has the ability to get certain information. An example would be software like 1Password. Technically you have given them all your passwords to store for you and there is nothing stopping them from using any one of them. It comes down to trust and just being aware.

Just think and research before you do anything. Make sure it is an informed decision.

It's good to raise awareness about this as there are people who do not realize the exposure they are taking on. I'm ok with sharing posting key with busy.org as I have faith in y'all, but haven't shared my p/w info anywhere else.

I believe the SteemConnect tool stresses that your active key is not actually given to them and never leaves your browser, though I could be wrong. I also don't have the tech chops to verify this claim but I'd hope someone with a security background could do so by reviewing the application.
SteemConnect is attempting to be the trusted authentication tool to avoid having to give your keys to any sites that are built on the Steem blockchain, and we definitely need something like it.

I've been developing the SteemConnect2 tool and I can confirm that the WIF or password never leaves the user's browser. The password is directly turned into a WIF and just used a single time to create a signature to broadcast an operation. The code is open source and can be reviewed here: https://github.com/adcpm/sc2. At the current stage it still requires you to trust the Busy team and that our server does not get corrupted. We are working with Steemit Inc to address these concerns with code reviews and official hosting.

The fact that it doesn't leave your browser is not something that you can rely on. If they get compromised, it doesn't matter whether it goes to the server or not - the same code that keeps it in the browser today comes from that server.

In event of a compromise, it could just serve you code that uploads your keys. How it works today is irrelevant to the security model.

PS: we are actively working on SteemConnect 2 to address this issue of risk and trust.

Wouldn't a local browser solve everything?

Yes, I have heard something along those lines too - thank you for pointing that out. That is why I do still trust it. No matter how much is done though, there is still some level of trust that when you click the button the tool is behaving the way we expect it to. You can never be too careful they say :)

I had no idea people were even sharing keys, seems like just common sense that you shouldn't do that. In the world of cryptos, even well established companies with a good rep have ripped people off, keep private wallet keys for your eyes only when using anything to do with cryptos.

@purpleprose ::))) same here, when I read this I was like "huh?" because to me that would be like giving out your PIN number to your debit card. But each to their own ::))

The pin and the card to your mother, so she can pick you up something. At the end of the day it is someone you trust.

Like cryptsy and mt. gox?

They are not family, they are businesses that are profitable now, but may not be in the future. Experience has shown us that a lot of crypto companies exit scam when they run into trouble. Do we really need to keep learning this lesson?

Btw I'm not accusing anyone of anything, it's just bad security to share private keys or even to keep too much money in trusted places like Coinbase or Poloniex.


Thanks so much for your advice.

One question: if I generate a new password and update it, does it mean that all my keys including owner, posting, active etc will be changed?

I had given my private key to someone when I was yet to know how important these keys are.

Yes.