
RE: A hole in the Blockchain: Steemconnect? (Please take the time it is important)

in #steemit, 7 years ago (edited)

That means that any Steemconnect enabled app provider can post as me without me being able to prove otherwise.

This isn’t true. This is not how SteemConnect, or OAuth, function.

Only the app you have actively authorized receives the rights to do what you have approved in the authorization process. No other app gets access to your keys.

Example: I use SteemConnect for Busy.org but never granted DLive access. DLive can do NOTHING to my account, not even force my account to follow other accounts.

The great thing about solutions like SteemConnect is that they provide apps access to account operations without apps ever seeing your password. Instead, the apps get an authorization token.

The problem is that apps like DLive request complete account access, even wallet transaction rights. As soon as they have posting rights they can also vote, follow, and unfollow for you.
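To make the two points of this comment concrete (a token is bound to the one app you authorized, and what the app can then do is bounded by the authority level you granted), here is an added, simplified model of such a delegated-authorization check. It is example code written for this thread, not SteemConnect's or Steem's own implementation: the token format, the `SERVER_SECRET`, the app identifiers and the `issue_token` / `authorize` functions are all hypothetical, and the operation-to-authority table just encodes what the thread says (posting authority covers vote, comment and follow; wallet transfers need active authority).

```python
import hashlib
import hmac
import json
import time

# Authority levels ordered from weakest to strongest; a stronger level
# implies everything the weaker ones can do.
AUTHORITY_RANK = {"posting": 1, "active": 2, "owner": 3}

# Minimum authority each operation needs, as described in the thread.
REQUIRED_AUTHORITY = {
    "vote": "posting",
    "comment": "posting",
    "custom_json_follow": "posting",
    "transfer": "active",       # wallet operations need more than posting
    "account_update": "owner",
}

# Constructed secret for this hypothetical authorization server; not a real key.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"


def issue_token(user, app_id, authority, ttl_seconds=3600, now=None):
    """Issue a token tied to one user, one app (audience) and one authority level."""
    if authority not in AUTHORITY_RANK:
        raise ValueError("unknown authority level")
    now = time.time() if now is None else now
    payload = {"sub": user, "aud": app_id, "scope": authority, "exp": now + ttl_seconds}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


def verify_token(token, now=None):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        body_hex, sig = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(body)
    now = time.time() if now is None else now
    if payload["exp"] <= now:
        return None
    return payload


def authorize(token, app_id, operation, now=None):
    """Decide whether app_id may perform operation with this token.

    Returns (allowed, reason). The audience check is what stops an app you
    never authorized from using a token issued to a different app.
    """
    payload = verify_token(token, now)
    if payload is None:
        return False, "invalid or expired token"
    if payload["aud"] != app_id:
        return False, "token was issued to a different app"
    needed = REQUIRED_AUTHORITY.get(operation)
    if needed is None:
        return False, "unknown operation"
    if AUTHORITY_RANK[payload["scope"]] < AUTHORITY_RANK[needed]:
        return False, f"{operation} needs {needed} authority, token grants {payload['scope']}"
    return True, "ok"


def forge_scope(token, new_scope):
    """Rewrite the scope in a token body without re-signing (to show it is rejected)."""
    body_hex, sig = token.split(".")
    payload = json.loads(bytes.fromhex(body_hex))
    payload["scope"] = new_scope
    return json.dumps(payload, sort_keys=True).encode().hex() + "." + sig


if __name__ == "__main__":
    # Constructed scenario: the user authorized "busy.org" with posting authority only.
    tok = issue_token("alice", "busy.org", "posting", now=1000)
    for app, op in [("busy.org", "vote"), ("busy.org", "transfer"), ("dlive", "vote")]:
        print(app, op, authorize(tok, app, op, now=1500))
```

Running the block shows the three outcomes the comment describes: the authorized app can vote, the same app is refused a transfer because posting authority does not cover it, and an app that was never granted a token is refused outright. The `forge_scope` helper exists only to show that editing the scope inside a token without the server's key invalidates the signature.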


Can they comment also?

I haven’t checked the rights they want since I have no interest in DLive but I’m assuming that they have full account access.

Given that they can post through your account (to DLive), they can also comment. That’s a rather logical use of the posting key; otherwise you couldn’t comment on DLive when logged in.

Could they ghost comment? Yes, if they wanted to do so.

this should be fixed, banned or a massive red flashing warning saying, 'we can fuck over your life if we want'.