You are viewing a single comment's thread from:

RE: Automated votes abuse on SteemConnect?

in #steemconnect7 years ago (edited)

Neither SteemConnect nor Utopian have access to any of your keys.

But they have access to the account to which you delegated your full posting authority (via the ability to create 'tokens' that can upvote/post for you), so it's exactly the same as them having your posting key. Hence what happened today.

Sort:  

It's more safe for an app to handle tokens than handle your private key. Tokens expire after 7 days or when user revoke it and give only a scoped permission to do some operation. A token may allow only 'vote' for example.

I'm glad you guys clarify what really happened and why SteemConnect is still to be trusted. I'm not seeing that from Utopian. They seem to focus more on damage control and blaming the hacker. In the end it was their security which proved insufficient. I don't want to play blame games, but when security is involved straightforward honesty is what works best. It's a pity SteemConnect has been blamed incorrectly.

I believe I may be the cause for believing we claim SC2 was to blame. While we did encounter an issue with not being able to revoke the tokens, we shouldn't have leaked them in the first place. Steem Connect was not, in any way, to blame for this leak.

This was my stance alone and did not represent Utopian-io as a company. I apologize for causing misinformation.

No, not at all. I was already getting information from other sources. You see, this is just what happens when people go in panic mode. The incomplete news spread too fas and became FUD. Crisis communication is an art in itself, we can't expect that to come from a bunch of enthusiasts. It's a pity this communication has to be made. If everything went perfect it wouldn't have been necessary.

I repeat: "I don't want to play blame games" ;-)

May you always succeed in helping others

@jefpatat SteemConnect was never blamed. Totally the opposite. You have evidences in Discord and in this post https://steemit.com/utopian-io/@utopian-io/utopian-io-hack-may-3rd-may-4th-2018-no-wallets-or-keys-compromised.

@elear Maybe I worded my comment incorrectly. Please not I explicitely mentioned 'I don't want to play blame games'. You know I value you and Utopian. I was there to help at the very start, remember? Before the official announcement came there was a lot of FUD going around, both on Discord and in steem blog posts. It was not clear if the issue was with one of the apps that use SteemConnect or if the issue was with SteemConnect itself. All over the place it was advised to revoke all tokens, not only for Utopian. So, I didn't imply to say SteemConnect was directly blamed by you guys but it got a lot of negative publicity. That's most probably the very reason for this post. In the meantime your post has been updated to refer to this post.

SteemConnect is something very important to the ecosystem and there was no (big) issue with it. At the time of writing I missed some emphasis on this. But then again, you are correct you shouldn't emphasize on negative publicity for SteemConnect if you didn't initiate it yourself.

I would never harm SteemConnect or Busy even by mistake. They have been a great help for us. There was uncertainty and people made guesses. I made sure the post removed any chance for users to guess the problem was SC.

 7 years ago  Reveal Comment

There is 2 differents ways. Both have advantages and downsides.

Everything can be done client side like it's done on dtube and steemit

Not everything, for example you canot do scheduled post on client side.

You also need to know how to do a proper key storage with auth, some app failed on this and we canot expect every app will know how to do it properly.

You need to have your code reviewed (be open source) or be trusted in the community not everyone is dtube and steemit.

Nobody ever gets your key, you don't need to delegate any authority to anyone.

The app may get it, if the server is hacked like was Utopian the hacker could log users keys and force users to update their keys in the end. With SteemConnect we don't store key, the hacker may get an access_token which expire after 7 days or get manually revoked but users keys are not exposed.

May you always succeed in helping others

First you say client side do not need key handling, then you say they should code a proper key storage ...
Isn't it contradictory ?

It really depends on a purpose of the app. For an interface like Steemit or DTube there is no need to store keys on the server side nor access tokens. But there are certain types of apps that need that, and as far as I know, it is way more secure to store OAuth2 tokens than private keys.