A hole in the Blockchain: Steemconnect? (Please take the time it is important)

in #steemit7 years ago

steemconnect.PNG

Ok, this morning when I wrote the post about @dlive Force Following and pushing content, I didn't think through all of the potential ramifications of this. Now that I have had more of a think inspired by @personz comments an hour or so ago, I have to write this post.

Have you corroborated this with anyone else? And can you post more "proof"? This on it's own doesn't stand up as conclusive. @personz

No, I have no proof, can anyone find it for me? This is the blockchain, all the information for every transaction must be there. I have this from steemdb:

The only ones in there that are mine are those following the musician @benleemusic and @exyle's mum, @clio.

If someone with some blockchain exploring skills (@paulag or @miniature-tiger perhaps) is able to trace the actual blockchain transactions that would be great.

Now, as annoying as the force follow is, that is not the problem at all. The problem is that there is no way to indicate that the action and subsequent transaction isn't made by me as far as I am able to tell. This is a massive, gaping hole on an immutable blockchain.

Do you check every transaction recorded to ensure that it was actually made by you? Does @ned and @dan? Have they signed into Steemconnect anywhere?

Are you seeing the problem yet?

If there is no way for the transaction to be traced to the real transactor (@dlive in this case), that means that the it is attributed to me and I have no way to prove otherwise. I haven't been hacked, I haven't lost my keys, all I did was to use Steemconnect to sign in to a service.

That means that any Steemconnect enabled app provider can post as me without me being able to prove otherwise. What happens if they do not like me, what happens if someone pays them to plant something somewhere on an obscure post, what happens if I was a politician or celebrity?

I like conspiracy theories so let's create a quick scenario worthy of @v4vapid.

I am a young politician running for office and have a Steem account. I sign into @dlive to deliver some speeches for my fans. @dlive can now follow whoever they like and post as me. Someone running against me decides to skew the game. They create a few alts, set up some very questionable material in an obscure corner of the blockchain and pay @dlive to post under my name. With the flood of campaing actions I am making, will I notice? Perhaps they will introduce a few confessions, upload a few inappropriate images. At this point, they can either leak it to the press or use it to blackmail me. How can I fight it on an IMMUTABLE blockchain?

Blockchain technology is supposed to protect us from this possibility, it is meant to save us from fake news and false information. It cannot do that if I can't even prove if the transactions on the blockchain are mine or not.

From what I understand, @dlive has been pretty quiet about this so far and it is a closed project (with a massive Steemit delegation). How I see the options going forward:

  1. Introduce a marker to Steemconnect ASAP and cross fingers
  2. Shut down Steemconnect ASAP until the marker is created

This is a gaping hole in my opinion (if there really is no way to track it) and MUST be treated as such and with speed and decisiveness. With the amount of poor, scamming behaviour running rife on the platform and the amounts of value and future value at stake, there should be no shadow of a doubt as to WHO is making any of the transactions.

I know many of the whales here who commonly use these services and with the amount they are targeted already, this should raise many concerns. There are also many people scamming but now they have a Steemconnect scapegoat 'It wasn't me!'.

I am hoping that as a community we can force action upon this very fast so I ask to please share this on and bring it to the attention of anyone who is potentially using Steemconnect as it might be important to them to understand that there is a potential security risk.

This may sound alarmist but I mean it to be precautionary as the whole idea of the steem blockchain and the future of its value depends on immutability, trackability and the ability to TRUST IT completely.

Thank you.

Taraz
[ a Steemit original ]

Sort:  

That's why I don't like steemconnect v2
Steeminvite uses v1 and will stay like that as long as possible.

There is a difference?

Originally sc didn't require sharing permissions,the signing happened in your browser.
When steemit took it over they decided to use the shared authority. (That's v2. They're still keeping v1 available right now, I hope for a long time). From a certain perspective it also makes sense. But it's up to the users to keep their auth list clean now, and having visible which authorites were used to sign the transaction would be very useful.

The problem with users doing this (at least currently ) means they have a lot of learning to do and must trust the app developers. As the space expands exponentially, this is going to cause many headaches with a few being very severe.

and having visible which authorites were used to sign the transaction would be very useful.

This should be a no-brainer and implemented as soon as possible I hope.

Thanks for explaining a bit more @pharesim, always appreciated mate.

Same thoughts i definitely thinks its up to us to keep our auth list clean as of now

Hoq can I wintness vote for you

I really agree with you

stemeet has brought us to share different histories, cultures, traditions and environments. steemit has been worldwide in our minds to share. We each have different friends and family to know and share experiences. Different from different traditions. always looking from eye to eye. About what we do not see for an opportunity. I am also grateful for what has been built in Steemit for all of us. Opportunity to share what we love and learn new things and find interesting people. I hope here a lot of friends Greetings steemian all my new guidance
Thanks @pharesim

Previously I apologize if commented, because it does not match the topic. But I am sure you are a good and caring person, I am very sure you are too great person of course, I am very motivated with you @pharesim
You love to travel, on the way you meet abandoned children, I am sure you are a caring, loving and loving person that children can smile at children, it will be nice even though the valentine moment has passed. I am sure you will want to be discouraged, if you do not mind visit my bloq, i hope you can give input to my writing and direct me @pharesim

Give a little smile (Save the children)

Hello. BRo.. Plz Reply me /

i don't understand one thing ...i login on decentmeme with steemconnect.. and after sometime i changed my password keys ...but still i can post using old keys ..how is that possible ...even i don't saved my new password keys to my browser..

not sure how that works to be honest. maybe someone else that reads through will know.

did you clear your cookies after the password change? decentmeme knows from a cookie that "it's you" using it and since you gave it posting permission via @decentmemes.app already it does not need any of your keys anymore. If this cookie is still there from before the password change, you can still post on decentmemes without entering your key again. Try on a different browser or in a private tab, then it should only accept the new keys.

I think you will have to deauthorize steem connect. But why this happening - not sure. I doubt this is as per Oathu2.0 also

a few days ago i read @demotruk post unfollow with @dlive via steemconnect. He also discusses the findings of such cases. you can see it below.

https://steemit.com/dlive/@demotruk/wtf-dlive

I will share this post to make people more careful. thanks for sharing.

I avoid and do not use any of those d- projects. They take massive beneficiary cuts and there's too many of them. Choose your apps wisely.

Indeed. I am unsure how the 'licence' for Steemconnect works but if anyone can create an app on it and it has a trackability flaw (my view), there is a lot of potential for harm on and off the platform.

further, just because the content is hosted on STEEM blockchain with a different interface, I don't understand what really is the value add. For censorship resistance, just putting the content on IPFS will help. There is no plagiarism checks as well. While I am a supporter of free knowledge sharing and do not agree with copy rights as such, respecting somone else's creative work is important as well.

Im sorry to say it but YOU ARE THE REAL TRANSACTOR. You have given them your posting key. Your posting key is "you".

Earlier today I realized what they want for their service and I realized that it very much do look like a scam project. Then your posts came in and it only assured me that it is the case. Unfortunately. I hope that they change their behaviour before I start streaming again:(

Yes, this is what I have figured and others have pointed out too. Without a breadcrumb left as an indicator, this is a huge problem for the platform in many different respects including public trust.

Yes agreed. One has to be super careful. And it also is very important to share the bad experience whenever it happens just like you have right now:)

Certainly worrying. I know @holoz0r and @thegoliath are using dlive.
You guys had any strange new posts in your feeds?

Many apps use Steemconnect and as far as I can tell, they can all at least follow and potentially post as those who sign in. It is just @dlive who have been caught out (so far) using the privileges badly. But it could run very deep if the possible loophole isn't closed soon.

And the more of those apps you use, the harder it is to point the finger at the culprit.
In this case, at least we know who followed on your behalf.

Well now that the cat is out of the bag, it is likely that some bad actors will take note and exploit it.

I haven't had anything new or bizarre in my feed. I've also not seen an increase in my "Following"numbers that haven't been by my authority.

I'd be very surprised if SteemConnect doesn't keep logs which can identify/prove who's responsible for this (that's presumably why 3rd party app developers have to make separate accounts that we don't 'own'). Of course, since it's not in consensus, we'd have to trust their integrity, but we're doing that in using SC enabled apps anyway.

As the platform grows exponentially, are you willing to trust integrity? I am not, that is why the inegrity of the blockchain is of paramount importance as it means I can trust without having a relationship with operators.

I think this is a very difficult dilemma for the community. Whether to promote SteemConnect as the best way to integrate 3rd party apps or trust users to handle their own key security appropriately. I really see both sides of this.

I wonder what storage overhead (as percentage) it would add to include which account with posting authority actually initiated the blockchain transaction?

I myself do not quite understand what you are talking about, I only blog and that is it, I have no technical knowledge, but I understand that you feel danger. I will ask my son @exyle and his friends the @blockbrothers if they understand and know what is going on.

Thanks, I am sure they will see it immediately. I actually threw @exyle the post in chat and asked him to tell you I mentioned you also. I guess it will go the other way around :)

Basically though, when logging into some of the app services they will be able to post as you without any way to know it was them and not you. That is a problem for many people and many future people.

Yes, I understand that part.
I called him on the phone. He is not at home at the moment, but he promised me to look at it. When he heard the name Steemconnect he said something like: " oh I think I understand the problem. So I hope he will contact you soon.

I asked one of the steemconnect developers directly and there is indeed no way to differentiate between you and the app you gave permition to post/follow/upvote etc. on your behalf.

The only noticable thing could be that the follow happens 3 times in a row as you can see on this page
https://steemd.com/@tarazkp?page=72
Below link would be one of the actual transactions (you get there by clicking on the number on page 72 so you can see the actual transactions.)
https://steemd.com/tx/e68f71445e56b33c142202b4d77d498eed7569ef

Apart from it being a douchebag move, you DO give them permission to do so when approving them through SteemConnect (it's not a steemconnect issue btw)

I realise that the douchery is not Steemconnect but without any way to tie the transaction to the douche, it enables more douchery.

Thank for the info. In my opinion, there should be a flag marking the app responsible. If they had followed child porn instead of themselves.. what then? What if another app with permissions used it to false flag a rival app?

I think the problem is that there are currently no ways to distinguish the difference between you or the approvee ... it is as if you yourself instigated the transaction ... it would take a modification of the steemcode i suppose to add hooks or flags to see if the post is 'on behalf of'

yes, well HF20 isn't done yet.

fair point. Let's hope this get's noticed. the more holes that get plugged over time the better.

Hi @eqko, this is not fully correct. steemconnect has posting authority on the account, but they use their key to sign transactions containing actions in your name. From this signature you still know if the operation was signed by your or by steemconnects private key.

The problem in this case is that steemconnect itself has posting authority on the app accounts authorized by the app users and they uses the steemconnect key to sign transactions. So you know that it came via steemconnect, but you can't tell for sure from the blockchain data which of the 3rd party steemconnect apps it was.

and where would you see this signature key ? I assume it’s in the transaction. How would you cross reference the signing key with the owner ?

the fact that it would be probably to’ve been signed by steemconnect instead of the user would already go a long way I suppose

This is the transaction from the example here:
https://steemd.com/tx/4ca0e947aaf443ef604c268ecb0c16d9630352c0
You can see a line "signatures" with a lengthy string. By feeding the this whole operation including the signature as a JSON string in for examples steem-python's transactions.verify() together with your public key, you'll know if it was you.

So it's all pretty technical and not easily visible , but at least it's there :/

THank you. How did you find it or did you scroll and scroll and scroll ?

No, I did a blockchain query for all your "follow" operations :)

nerd... :D

I am technically incapable but that is what I was hoping for. Thank you very much. Can you see anything in there that indicates it wasn't me?

Yes, it was signed by @steemconnect's key: STM8fjX2P5nwGk3q9zYLwsfYnG937CyB9TANP3SnnKcgK9vq46My5
However, since all of steemconnects app accounts have @steemconnect as posting authority, you can't tell which app it was (apart from the very obvious suspicion, though...)

yes. So Dlive could say it was Dtube that made the transaction ;) False flags on the blockchain. I am more concerned about if they had done or followed something else entirely. What then? I am a real person here.

they could, yes :)
Technically, you've given steemconnect any of your posting rights by signing up for the first app. This is to post or comment in your name, delete comments, up/downvote, set beneficiaries, disable curation rewards, limit post rewards , claim rewards, ... You have to trust steemconnect that they don't use that at all on their own.

Steemconnect then gives parts of these rights to 3rd party apps. Strictly speaking you have allowed dtube/dlive to change your followers when signing up, probably together with a couple of other permissions that were listed right before you entered your active key. Whether they use these permissions "responsibly" (what ever this is for them) is of course a different story....

Thanks for showing this and the education on block chain query

That means that any Steemconnect enabled app provider can post as me without me being able to prove otherwise.

This isn’t true. This is not how SteemConnect, or oAuth, function.

Only the app you have actively authorize receive the rights to do what you have approved in the authorization process. No other app gets access to your keys.

Example: I use SteemConnect for Busy.org but never granted DLive access. DLive can do NOTHING to my account, even not force follow me accounts.

The great thing about solutions like SteemConnect is that they provide apps access to account operations without apps ever seeing your password. Instead the apps get an authorization token.

The problem is that apps like DLive request complete account access, even wallet transaction rights. As soon as they have posting rights they can also vote, follow, and unfollow for you.

can they comment also?

I haven’t checked the rights they want since I have no interest in DLive but I’m assuming that they have full account access.

Given that they can post through your account (to DLive), they can also comment. That’s a rather logical use of the posting key otherwise you couldn’t comment on DLive when logged in.

Could they ghost comment? Yes, if they wanted to do so.

this should be fixed, banned or a massive red flashing warning saying, 'we can fuck over your life if we want'.