You are viewing a single comment's thread from:
RE: A hole in the Blockchain: Steemconnect? (Please take the time it is important)
I think the problem is that there are currently no ways to distinguish the difference between you or the approvee ... it is as if you yourself instigated the transaction ... it would take a modification of the steemcode i suppose to add hooks or flags to see if the post is 'on behalf of'
yes, well HF20 isn't done yet.
fair point. Let's hope this get's noticed. the more holes that get plugged over time the better.
Hi @eqko, this is not fully correct. steemconnect has posting authority on the account, but they use their key to sign transactions containing actions in your name. From this signature you still know if the operation was signed by your or by steemconnects private key.
The problem in this case is that steemconnect itself has posting authority on the app accounts authorized by the app users and they uses the steemconnect key to sign transactions. So you know that it came via steemconnect, but you can't tell for sure from the blockchain data which of the 3rd party steemconnect apps it was.
and where would you see this signature key ? I assume it’s in the transaction. How would you cross reference the signing key with the owner ?
the fact that it would be probably to’ve been signed by steemconnect instead of the user would already go a long way I suppose
This is the transaction from the example here:
https://steemd.com/tx/4ca0e947aaf443ef604c268ecb0c16d9630352c0
You can see a line "signatures" with a lengthy string. By feeding the this whole operation including the signature as a JSON string in for examples steem-python's transactions.verify() together with your public key, you'll know if it was you.
So it's all pretty technical and not easily visible , but at least it's there :/
Ok that sounds at least like it’s traceable and therefor (as OP was looking for) probably that at least it wasn’t himself that instigated the follow transaction.
yes, it wasn't him, it was signed by steemconnects private posting key.