Be careful when using SteemConnect - call to busy.org for necessary changes!!!

in #steem • 7 years ago (edited)



If you ever used @busy.org, @smartsteem, @dtube, @dmania or @utopian-io or any of the other third party applications, you have come into contact with SteemConnect.
Log in once, and every time you go back to the application it automatically knows who you are and logs you in.

First off, great tool

Let me start by saying I applaud the efforts of @busy.org in building this tool.
A well-working, properly designed tool, which all apps can use, will reduce the risk of everyone creating their own authentication package, and reduces the risks of badly written code and stolen keys.

However...

Now here we come to the crux of the matter. If you don't log out of the app you were using, the next time it automatically sees who you are and logs in using your information. This is great: it saves you the time of re-entering your password, and you don't need to know all these keys by heart, which is quite impossible.

But it is a hassle when you want to log in under another account.

Basically, you can't! If you choose "logout" and then "login", SteemConnect uses the last account used for this app, on this computer!
Unless you remove the cookies that SteemConnect saves, you're screwed and cannot change accounts. This has been mentioned in a few posts already, when people wanted to change accounts, but so far nothing has been done about this.

Not my problem

Do you care about this, if you only have one account? Probably not, nothing to see here, just keep walking.

But it IS your problem, or potentially, it can become your problem!

When was the last time you used a public computer, or the computer of a friend?
On vacation, do you only use your own computer or tablet, or do you also go onto public computers sometimes? Maybe to print boarding passes, and while I'm at it, let's see how my smartsteem is doing? Or do you want to upload that great holiday video on d.tube?

If you do, the next person to use that computer will have immediate access to this app with your data, and can do whatever they want with it. Maybe transferring all of your Steem and SBD to their own account, if you've used busy.org on that computer for instance, or placing a post which will get you downvoted into oblivion? Even if you remembered to sign out of busy.org, the next person on that computer will still be automatically signed into YOUR account.

With the addition of applications running on the steem blockchain, and acceptance of SteemConnect, this problem will only grow, until we do reach a situation where someone loses their keys. The resulting blowback can be huge, especially since this problem is known.

Well, at least, with this post it is ;-)

I call upon @busy.org to make the appropriate changes to SteemConnect, so the cookie expires quickly, but also to remove the cookie when someone logs out of a program.

Make it so you can switch accounts and the risk of stolen keys is minimized.


Let's make this true again.

#UPDATE:
with thanks to @fitinfun let me add the following: you can use an incognito (Google Chrome) or private (Firefox) window. This will not store the information, so nothing is left behind when you're done.
Do make sure that you have the appropriate keys with you (on paper).
You can open an incognito or private window by selecting the menu in the upper right-hand side of your browser (the three lines or three dots over each other) and selecting "New Private Window" or "New incognito window".
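
The two changes asked for above (a short cookie lifetime, and removing the cookie on logout) look like this on the server side. This is an added example, not SteemConnect's code; the cookie name `sc_session`, the 15-minute lifetime and all function names are assumptions made for illustration.

```javascript
// Added example (hypothetical names; not SteemConnect's implementation).
const { randomBytes } = require('crypto');

const COOKIE = 'sc_session';      // assumed cookie name
const TTL_SECONDS = 15 * 60;      // assumed short lifetime
const sessions = new Map();       // token -> { account, expires }

function cookieHeader(value, maxAge) {
  return `${COOKIE}=${value}; Max-Age=${maxAge}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Issue a random session token and a cookie that expires quickly.
function login(account, now = Date.now()) {
  const token = randomBytes(32).toString('hex');
  sessions.set(token, { account, expires: now + TTL_SECONDS * 1000 });
  return { token, setCookie: cookieHeader(token, TTL_SECONDS) };
}

// Extract the session token from a request's Cookie header line.
function readToken(cookieLine = '') {
  const pair = cookieLine.split(';').map(s => s.trim())
    .find(s => s.startsWith(COOKIE + '='));
  return pair ? pair.slice(COOKIE.length + 1) : null;
}

// Returns the account, or null if the cookie is missing, revoked or expired.
function currentAccount(cookieLine, now = Date.now()) {
  const token = readToken(cookieLine);
  const s = token && sessions.get(token);
  if (!s) return null;
  if (s.expires <= now) { sessions.delete(token); return null; }
  return s.account;
}

// Logout must do both: revoke the session on the server, so a cookie left
// behind on a shared machine is useless, and tell the browser to delete it.
function logout(cookieLine) {
  const token = readToken(cookieLine);
  if (token) sessions.delete(token);
  return { setCookie: cookieHeader('', 0) };  // Max-Age=0 removes the cookie
}
```

Revoking the session server-side is what protects the shared-computer case: even if the browser keeps the old cookie, the next login prompt starts clean and a different account can be used.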


This is a great idea. Thanks for sharing

I have not used any of these services, but I do use steemconnect. I always need to login to it when I get there. I also use an incognito window for separate accounts and that seems to work out. Busy is on my long list, but I just have not yet tried.

I'm coming to you from @kryptonia with the same user name.

But when you login do you have to enter your username?
I will try an incognito window to see if I can use multiple accounts.

The problem is that most people have no clue, and will just login wherever they are, with all risks involved.
Basically it's bad insecure programming.

Yes - I do always have to enter my username on steemconnect. I have used it in hotels and hostels and then clear the cache before I leave :)

Wow, you're even more paranoid than me, didn't think it was possible ;-)

I used sometimes busy.org. Thank you for sharing from kryptonia @reatimtim

What is a good way to store my posting and active key without using google drive or similar tool? Is it possible to open busy in the incognito window and store my keys? I'm only doing this on my personal computer. Maybe my smart phone too. Any advice would be greatly appreciated. Thanks.

The way I do it is quite easy, but also secure.
I have a text file with all my keys/passwords on my local computer, in a protected directory.

Using 7zip, I create a password-protected zipfile. This password is really strong, no chance someone accidentally figures it out.

I have a copy of this file on google drive (synced with my pc and in the cloud), and a copy in my mail, in concepts.

When you use an incognito window it will not store your passwords/keys, it will require you to enter all information every time.

Thank you rmz for that helpful information. I appreciate you.

Great ideal the tips are super helpful. Kryptonia username @giftefwords.

woland76 on Kryptonia

Thank you; don't forget to resteem to receive the SUP.

Thank you for sharing. kryptonia ID @lynlene

Ur post so useful, thank you!
From Kryptonia : ziggy

Great reminder @rmz ..thanks for sharing from jason21 of kryptonia

Thank you; don't forget to resteem to receive the SUP.

great ideal kryptonia id @everdope

Thank you for this great article. It gives us warning!! Read, commented, upvoted and resteemed by rubelynmacion of krypto

Thanks for this information. kryptonia id @chetachi26

Thank you; don't forget to resteem to receive the SUP.

nice post, kryptonia id jamescrusader44

Thank you; don't forget to resteem to receive the SUP.

Spread Kryptonia in all the world. Kryptonia username @dollarfree

Great post, kryptonia id grace234

Thank you; don't forget to resteem to receive the SUP.

Excellent idea, learn something new every day. Each time I go into banking I clear cookies and cache but never thought to use this "private window".

Once a week a major clean up and backup, security is important I shudder to think of how one is scammed so easily of late, also noticed how it holds the password @rmz

Kryptonia: @joanstewart1

Thank you; don't forget to resteem to receive the SUP.

You got a 20.83% upvote from @upmewhale courtesy of @rmz!

Earn 100% earning payout by delegating SP to @upmewhale. Visit http://www.upmewhale.com for details!

Thank you so much for the warning, especially about using public computers - I hadn't thought of that. Upvoted, resteemed and commented Kryptonia: DeathlyHorror

Great Article, thanks for sharing kryptonia id @duquejunalyn

Thank you; don't forget to resteem to receive the SUP.

nice post
kryptonia @vote-transfer

Thank you; don't forget to resteem to receive the SUP.

Thanks for the info bro. from Kryptonia @juancarlos2906. Additionally, your post is very educational, and more so now that there are so many pirates looking to steal steemit accounts. There are cases of unreliable bots and the worst thing is that steemit ceo has done nothing to prevent the proliferation of this scourge. Greetings from Venezuela and I will follow you for next post.

Thank you for this helpful information..
Kryptonia id @ludevielucero

Very nice article..thanks for sharing. 😊
Kryptonia @jenzel

What if busy.org is actually designed to collect keys??? Just saying.. @joshie3739

Should probably use Incognito mode/Private browsing when logging into a different computer.

Thank you for sharing 😊
Kryptonia @rosemaritess

nice post
upvote , resteem
kryptonia@hokkaido