A hole in the Blockchain: Steemconnect? (Please take the time it is important)

in #steemit7 years ago

steemconnect.PNG

Ok, this morning when I wrote the post about @dlive Force Following and pushing content, I didn't think through all of the potential ramifications of this. Now that I have had more of a think inspired by @personz comments an hour or so ago, I have to write this post.

Have you corroborated this with anyone else? And can you post more "proof"? This on it's own doesn't stand up as conclusive. @personz

No, I have no proof, can anyone find it for me? This is the blockchain, all the information for every transaction must be there. I have this from steemdb:

The only ones in there that are mine are those following the musician @benleemusic and @exyle's mum, @clio.

If someone with some blockchain exploring skills (@paulag or @miniature-tiger perhaps) is able to trace the actual blockchain transactions that would be great.

Now, as annoying as the force follow is, that is not the problem at all. The problem is that there is no way to indicate that the action and subsequent transaction isn't made by me as far as I am able to tell. This is a massive, gaping hole on an immutable blockchain.

Do you check every transaction recorded to ensure that it was actually made by you? Does @ned and @dan? Have they signed into Steemconnect anywhere?

Are you seeing the problem yet?

If there is no way for the transaction to be traced to the real transactor (@dlive in this case), that means that the it is attributed to me and I have no way to prove otherwise. I haven't been hacked, I haven't lost my keys, all I did was to use Steemconnect to sign in to a service.

That means that any Steemconnect enabled app provider can post as me without me being able to prove otherwise. What happens if they do not like me, what happens if someone pays them to plant something somewhere on an obscure post, what happens if I was a politician or celebrity?

I like conspiracy theories so let's create a quick scenario worthy of @v4vapid.

I am a young politician running for office and have a Steem account. I sign into @dlive to deliver some speeches for my fans. @dlive can now follow whoever they like and post as me. Someone running against me decides to skew the game. They create a few alts, set up some very questionable material in an obscure corner of the blockchain and pay @dlive to post under my name. With the flood of campaing actions I am making, will I notice? Perhaps they will introduce a few confessions, upload a few inappropriate images. At this point, they can either leak it to the press or use it to blackmail me. How can I fight it on an IMMUTABLE blockchain?

Blockchain technology is supposed to protect us from this possibility, it is meant to save us from fake news and false information. It cannot do that if I can't even prove if the transactions on the blockchain are mine or not.

From what I understand, @dlive has been pretty quiet about this so far and it is a closed project (with a massive Steemit delegation). How I see the options going forward:

  1. Introduce a marker to Steemconnect ASAP and cross fingers
  2. Shut down Steemconnect ASAP until the marker is created

This is a gaping hole in my opinion (if there really is no way to track it) and MUST be treated as such and with speed and decisiveness. With the amount of poor, scamming behaviour running rife on the platform and the amounts of value and future value at stake, there should be no shadow of a doubt as to WHO is making any of the transactions.

I know many of the whales here who commonly use these services and with the amount they are targeted already, this should raise many concerns. There are also many people scamming but now they have a Steemconnect scapegoat 'It wasn't me!'.

I am hoping that as a community we can force action upon this very fast so I ask to please share this on and bring it to the attention of anyone who is potentially using Steemconnect as it might be important to them to understand that there is a potential security risk.

This may sound alarmist but I mean it to be precautionary as the whole idea of the steem blockchain and the future of its value depends on immutability, trackability and the ability to TRUST IT completely.

Thank you.

Taraz
[ a Steemit original ]

Sort:  

That's why I don't like steemconnect v2
Steeminvite uses v1 and will stay like that as long as possible.

There is a difference?

Originally sc didn't require sharing permissions,the signing happened in your browser.
When steemit took it over they decided to use the shared authority. (That's v2. They're still keeping v1 available right now, I hope for a long time). From a certain perspective it also makes sense. But it's up to the users to keep their auth list clean now, and having visible which authorites were used to sign the transaction would be very useful.

The problem with users doing this (at least currently ) means they have a lot of learning to do and must trust the app developers. As the space expands exponentially, this is going to cause many headaches with a few being very severe.

and having visible which authorites were used to sign the transaction would be very useful.

This should be a no-brainer and implemented as soon as possible I hope.

Thanks for explaining a bit more @pharesim, always appreciated mate.

Same thoughts i definitely thinks its up to us to keep our auth list clean as of now

Hoq can I wintness vote for you

I really agree with you

stemeet has brought us to share different histories, cultures, traditions and environments. steemit has been worldwide in our minds to share. We each have different friends and family to know and share experiences. Different from different traditions. always looking from eye to eye. About what we do not see for an opportunity. I am also grateful for what has been built in Steemit for all of us. Opportunity to share what we love and learn new things and find interesting people. I hope here a lot of friends Greetings steemian all my new guidance
Thanks @pharesim

Previously I apologize if commented, because it does not match the topic. But I am sure you are a good and caring person, I am very sure you are too great person of course, I am very motivated with you @pharesim
You love to travel, on the way you meet abandoned children, I am sure you are a caring, loving and loving person that children can smile at children, it will be nice even though the valentine moment has passed. I am sure you will want to be discouraged, if you do not mind visit my bloq, i hope you can give input to my writing and direct me @pharesim

Give a little smile (Save the children)

Hello. BRo.. Plz Reply me /

i don't understand one thing ...i login on decentmeme with steemconnect.. and after sometime i changed my password keys ...but still i can post using old keys ..how is that possible ...even i don't saved my new password keys to my browser..

not sure how that works to be honest. maybe someone else that reads through will know.

.

I think you will have to deauthorize steem connect. But why this happening - not sure. I doubt this is as per Oathu2.0 also

a few days ago i read @demotruk post unfollow with @dlive via steemconnect. He also discusses the findings of such cases. you can see it below.

https://steemit.com/dlive/@demotruk/wtf-dlive

I will share this post to make people more careful. thanks for sharing.

I avoid and do not use any of those d- projects. They take massive beneficiary cuts and there's too many of them. Choose your apps wisely.

Indeed. I am unsure how the 'licence' for Steemconnect works but if anyone can create an app on it and it has a trackability flaw (my view), there is a lot of potential for harm on and off the platform.

further, just because the content is hosted on STEEM blockchain with a different interface, I don't understand what really is the value add. For censorship resistance, just putting the content on IPFS will help. There is no plagiarism checks as well. While I am a supporter of free knowledge sharing and do not agree with copy rights as such, respecting somone else's creative work is important as well.

Im sorry to say it but YOU ARE THE REAL TRANSACTOR. You have given them your posting key. Your posting key is "you".

Earlier today I realized what they want for their service and I realized that it very much do look like a scam project. Then your posts came in and it only assured me that it is the case. Unfortunately. I hope that they change their behaviour before I start streaming again:(

Yes, this is what I have figured and others have pointed out too. Without a breadcrumb left as an indicator, this is a huge problem for the platform in many different respects including public trust.

Yes agreed. One has to be super careful. And it also is very important to share the bad experience whenever it happens just like you have right now:)

Certainly worrying. I know @holoz0r and @thegoliath are using dlive.
You guys had any strange new posts in your feeds?

Many apps use Steemconnect and as far as I can tell, they can all at least follow and potentially post as those who sign in. It is just @dlive who have been caught out (so far) using the privileges badly. But it could run very deep if the possible loophole isn't closed soon.

And the more of those apps you use, the harder it is to point the finger at the culprit.
In this case, at least we know who followed on your behalf.

Well now that the cat is out of the bag, it is likely that some bad actors will take note and exploit it.

I haven't had anything new or bizarre in my feed. I've also not seen an increase in my "Following"numbers that haven't been by my authority.

I'd be very surprised if SteemConnect doesn't keep logs which can identify/prove who's responsible for this (that's presumably why 3rd party app developers have to make separate accounts that we don't 'own'). Of course, since it's not in consensus, we'd have to trust their integrity, but we're doing that in using SC enabled apps anyway.

As the platform grows exponentially, are you willing to trust integrity? I am not, that is why the inegrity of the blockchain is of paramount importance as it means I can trust without having a relationship with operators.

I think this is a very difficult dilemma for the community. Whether to promote SteemConnect as the best way to integrate 3rd party apps or trust users to handle their own key security appropriately. I really see both sides of this.

I wonder what storage overhead (as percentage) it would add to include which account with posting authority actually initiated the blockchain transaction?

I myself do not quite understand what you are talking about, I only blog and that is it, I have no technical knowledge, but I understand that you feel danger. I will ask my son @exyle and his friends the @blockbrothers if they understand and know what is going on.

Thanks, I am sure they will see it immediately. I actually threw @exyle the post in chat and asked him to tell you I mentioned you also. I guess it will go the other way around :)

Basically though, when logging into some of the app services they will be able to post as you without any way to know it was them and not you. That is a problem for many people and many future people.

Yes, I understand that part.
I called him on the phone. He is not at home at the moment, but he promised me to look at it. When he heard the name Steemconnect he said something like: " oh I think I understand the problem. So I hope he will contact you soon.

I asked one of the steemconnect developers directly and there is indeed no way to differentiate between you and the app you gave permition to post/follow/upvote etc. on your behalf.

The only noticable thing could be that the follow happens 3 times in a row as you can see on this page
https://steemd.com/@tarazkp?page=72
Below link would be one of the actual transactions (you get there by clicking on the number on page 72 so you can see the actual transactions.)
https://steemd.com/tx/e68f71445e56b33c142202b4d77d498eed7569ef

Apart from it being a douchebag move, you DO give them permission to do so when approving them through SteemConnect (it's not a steemconnect issue btw)

I realise that the douchery is not Steemconnect but without any way to tie the transaction to the douche, it enables more douchery.

Thank for the info. In my opinion, there should be a flag marking the app responsible. If they had followed child porn instead of themselves.. what then? What if another app with permissions used it to false flag a rival app?

I think the problem is that there are currently no ways to distinguish the difference between you or the approvee ... it is as if you yourself instigated the transaction ... it would take a modification of the steemcode i suppose to add hooks or flags to see if the post is 'on behalf of'

yes, well HF20 isn't done yet.

fair point. Let's hope this get's noticed. the more holes that get plugged over time the better.

.

and where would you see this signature key ? I assume it’s in the transaction. How would you cross reference the signing key with the owner ?

the fact that it would be probably to’ve been signed by steemconnect instead of the user would already go a long way I suppose

.

THank you. How did you find it or did you scroll and scroll and scroll ?

.

nerd... :D

I am technically incapable but that is what I was hoping for. Thank you very much. Can you see anything in there that indicates it wasn't me?

.

yes. So Dlive could say it was Dtube that made the transaction ;) False flags on the blockchain. I am more concerned about if they had done or followed something else entirely. What then? I am a real person here.

.

Thanks for showing this and the education on block chain query

That means that any Steemconnect enabled app provider can post as me without me being able to prove otherwise.

This isn’t true. This is not how SteemConnect, or oAuth, function.

Only the app you have actively authorize receive the rights to do what you have approved in the authorization process. No other app gets access to your keys.

Example: I use SteemConnect for Busy.org but never granted DLive access. DLive can do NOTHING to my account, even not force follow me accounts.

The great thing about solutions like SteemConnect is that they provide apps access to account operations without apps ever seeing your password. Instead the apps get an authorization token.

The problem is that apps like DLive request complete account access, even wallet transaction rights. As soon as they have posting rights they can also vote, follow, and unfollow for you.

can they comment also?

I haven’t checked the rights they want since I have no interest in DLive but I’m assuming that they have full account access.

Given that they can post through your account (to DLive), they can also comment. That’s a rather logical use of the posting key otherwise you couldn’t comment on DLive when logged in.

Could they ghost comment? Yes, if they wanted to do so.

this should be fixed, banned or a massive red flashing warning saying, 'we can fuck over your life if we want'.

@tarazkp I assure you, you are not being an alarmist. As frequent user of steemconnect mysef, I find that I am being a bit lax in using steemconnect. Probably because its so convenient to use and for that reason I tend to forgot that I am giving others permission to use my account. Thanks for reminding me of this issue. A pleasant day to you.

That has been one of my concerns in using SteemConnect. Especially if it's being exploited, that's even more concerning, especially since there are so many applications that use it.
So are they storing the passwords? If you disconnect the account, does it delete the password from their system? How do you disconnect your account?

Blockchain is just a tool. Any tool can be manipulated and used as an extension of a man's will. The modern lunacy of seeking the Messiah in technical baubles has blinded men to the simple reality that any system can be exploited, any tool can be reshaped, and any technology has within it the seeds of its own destruction. Being dependent on a system or a tool results in men being much less than they were and willing slaves to those who can master the technology.

Of course. In this case, the tool is flawed but fixable.

Maybe the "flaw" is by design.

well said ...

Okay now this is a terrifying thought. I'm a frequent user of steemconnect and the thought of my account being used and abused by others isn't pleasant at all. I really hope that steemconnect is as trustworthy as they said. @tarazkp thanks for bringing up this issue, for the sake of the comunity we need to question everything and be vigilant.

I was also feeling nonsecure about STEEMCONNECT, accessing all your resouces to 3rd party sites.
I guess Steemit should keep checklist on all websites and gets approval before takes this feature. some may destory the hardworkers and sometime abusers or cheaters can use it as false as there is GAP in blochchain.

Your scenario is certainly a possibility because you can't control human nature but you can anticipate certain behaviors and plan for it. I am attracted to steemit because of it's potential to eliminate unverified propaganda in the blockchain!

Indeed this is a very serious issue, and something we need clarification for. Steemconnect is something we always use when we need to transact or give permission to apps. The reason for it is because its really convenient. Therefore, we need someone to answer our questions and remove our doubts. @tarazkp thanks for giving us ignorant folks awareness to this sensitive issue.

Note to myself: Stay away from steemconnect!

I respect your ideas and i like it very much. you are very creative...I'm waiting for your next content @tarazkp

great thinking...........creative mind.........keep it up

wow nice my friend, great information to detail it.

Yes, that's a real concern.

There are other things as well that needs the attention of the founders. Like the whale accounts downvoting small accounts for no reason.

 7 years ago  Reveal Comment

Please upvote my post @newsflash thanks.

strange stuff hey?

thanks for the information I will put myself in detail to read it. regards

thanks for letting us know. greetings and blessings

nice post

a very nice information, to read it thoroughly, thank you very much

great information friend

i think you create a important post.......i impressed to see your post......i hope everybody like your post...thanks for shear it..

the information is very good, your work is very good and the ideas you have done are great for the users in steemit.thanks @tarazkp

Very good post,, i like it

thanks @tarazkp, for poin out a issue, i hope this loophole should be solved as soon as possible.

This is something good for a newbie like me to read. It's hard to tell what to do with certain things like apps and this has made me that much more conscious. Scary stuff.

Well, this a very good question. I used Steemconnect a couple of times, but it didn't like the idea that i had to gave my private key and was always suspicious of it as well as what they might do with it.
About your article, know the question is what the people behind it will do to solve this question!

Interesting. Just revoked posting rights from all apps, thx. Resteeming!

Wait a...

It signs me right out. Signing back in in asks me for their rights again. We have to revoke their rights over and over again using their services?

Thanks for supporting my blog the other day @pharesim appreciated it.

I've been on Steemit for 2 weeks now, and this morning when I tried to log onto DLive to up-vote someone's performance there, I noticed that SC came up, and then DLive wanted my owner or active key, and would not accept my posting key. So I backed out.

I'm not sure if what you've written about here would be related to this? When I did a search for "why doesn't DLive accept posting key" yours was one of the articles that appeared. One thing for sure, I'm glad I read your post, because of your revelation that these guys can take over any account! It was only my newbie caution-inspired knowledge to never use our active or owner keys for another site, that saved me from what you've written about.