RE: NobleBot Is Introducing A New Tool

in #steem, 7 years ago

Hey @noblebot, this is a great initiative, however I think technically it should be solved differently, as partly already pointed out by @abh12345. People needing this service entered their key or password at a point where they shouldn't have. A "do not worry, I am a good bot!" should not be an intention to enter an active key to a heroku instance. Never ever. Not even for the "good guys". Additionally, the user-provided active key is sent to the server, there is no transparency on what's happening in the background. Don't do this.
Also the active key may not be enough in some situations. Imagine an additional active authority with weight and threshold > 1.

How about this: Use the page to list all "issues" with an account and provide a steemconnect link for each of them to remove it. This does not need a single key on your page.
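
The listing suggested in the comment above, sketched as an added example (not part of the original thread and not NobleBot's code): it inspects only public authority data and takes no key. The function names, sample account and key strings are constructed for illustration, and the field names assume the authority layout Steem accounts use.

```javascript
// Added example: audits public authority data only; no private key is involved.
// Field names assume Steem's authority layout; all sample values are constructed.
function auditAuthority(role, auth, knownKeys) {
  const issues = [];
  for (const [name, weight] of auth.account_auths) {
    issues.push(`${role}: account @${name} holds authority (weight ${weight})`);
  }
  for (const [key, weight] of auth.key_auths) {
    if (!knownKeys.has(key)) {
      issues.push(`${role}: unrecognised key ${key} (weight ${weight})`);
    }
  }
  // With a threshold above 1, a single key may be unable to sign the fix alone.
  const own = auth.key_auths.filter(([k]) => knownKeys.has(k)).map(([, w]) => w);
  if (Math.max(0, ...own) < auth.weight_threshold) {
    issues.push(`${role}: no single recognised key meets threshold ${auth.weight_threshold}`);
  }
  return issues;
}

function auditAccount(account, routes, knownKeys) {
  const issues = ['owner', 'active', 'posting'].flatMap(
    (role) => auditAuthority(role, account[role], knownKeys));
  for (const r of routes) {
    // percent is in units of 0.01% (10000 = 100%)
    if (r.to_account !== account.name) {
      issues.push(`withdraw route: ${r.percent / 100}% goes to @${r.to_account}`);
    }
  }
  return issues;
}

// Constructed sample: public keys the owner recognises, plus one account's public state.
const sampleKnown = new Set(['STM_OWNER_KEY', 'STM_ACTIVE_KEY', 'STM_POSTING_KEY']);
const sampleAccount = {
  name: 'alice',
  owner: { weight_threshold: 1, account_auths: [], key_auths: [['STM_OWNER_KEY', 1]] },
  active: { weight_threshold: 2, account_auths: [['mallory', 1]], key_auths: [['STM_ACTIVE_KEY', 1]] },
  posting: { weight_threshold: 1, account_auths: [], key_auths: [['STM_POSTING_KEY', 1], ['STM_OTHER_KEY', 1]] },
};
const sampleRoutes = [{ from_account: 'alice', to_account: 'mallory', percent: 10000, auto_vest: false }];
console.log(auditAccount(sampleAccount, sampleRoutes, sampleKnown).join('\n'));
```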

Hi @crokkon, I understand all of your concerns. I also advise nobody to trust a website with their private keys unless it is offered by Steemit Inc.

I can do SteemConnect for withdraw vesting routes, and removal of posting authority. But that won't be enough because with active and/or owner authority those can be re-added in a matter of seconds.

I just want to help the victims of hacking/scams to reset their account authorities, as I failed to help them the first time when they posted their key. I know it is not wise to trust a dude on the Internet but I am doing whatever I can. I do not keep logs of usage, not even errors.

Looks like my hands are tied at least for now but thank you for commenting.

Hi @noblebot, I just found out SteemConnect actively doesn't want to support account update operations: https://github.com/steemit/steemconnect/issues/206
So you're right, using SteemConnect for these goals will not work :/
You could maybe do it all on the client side with steem-js. This way the key wouldn't have to be sent to the server and anybody (at least those tech-savvy enough...) could see what's happening in the source code?

Hi @crokkon, thank you for the suggestion. Though the code is very easy to write, I do not want to share it publicly, as anybody with very little technical knowledge can change 2-3 lines of the code and make a phishing site out of it and run it from a free hosting provider.

But if you or anybody trusted by the community want to check the code, I am willing to share. :)