REMINDER: STEEMIT Scripts available to "Hide/Show ReSTEEMS", enable your "Post Vote Slider", and to "Vote Past Payout"!

in #steemit 7 years ago (edited)

I just came across the recently released Chrome Extension @steem-plus by @stoodkev, which appears to offer some similar functionality to the TamperMonkey scripts I released as open-source several months back. While I'm sure @stoodkev's Chrome extension is probably safe to use, one should be very cautious using any browser script or extension that can access your STEEMIT keys, especially if it's closed source!

And while @stoodkev did respond back to me that he does plan to release the code on github, using extensions with STEEMIT remains a potential concern for many, as was described in my post first introducing my "Hide ReSTEEMS" script:

... Then, in the past week, @itchykitten came up with a slick solution in the form of a Chrome extension called exstreemit that would add a "show / hide resteems" button to each profile page that you view. However, I anticipated from my own habits that not everyone would be all that comfortable installing the feature as an extension, even if @itchykitten released the complete source code on github, as you can see here. From some comments I've seen, it does seem that at least a few people would rather not install this feature as an outright extension.

In addition, several others noted their concerns in the comment section as well, despite the fact that the complete code to my script was made publicly available from the get-go:

@divyne: Just a warning: Always be very careful with chrome plugins / tampermonkey scripts / whatever ... these things have way more access rights than they should have! I know, because I've written some shit to mess with colleagues at work (all in good fun) .... seriously .... be careful

@alexpmorris: that's always an excellent warning. it's why I tried to keep the script as simple as possible so it's easy enough for people to follow and understand, if they're so inclined to do so.

@nspart: This needs to be built in to Steemit as functionality. Most people will not add this script.

@alexpmorris: No argument from me there, except it's been over a year and one hasn't been implemented yet. However, if you'd be more comfortable with it, you can try using @itchykitten's Chrome Extension instead, or just wait 'til STEEMIT releases something.

I'm just trying to give people an option in the meantime, fully open-sourced in an easy-to-follow script so they can be comfortable with it. If you have any better ideas beyond that, I'm open to suggestions! :)

What, me worry?!

Despite the fact that I had designed and openly released my scripts in a way that would address these exact security concerns, I still had multiple comments from individuals reminding others to be especially careful when installing scripts and extensions that could potentially hijack your STEEMIT keys. And rightly so, as it's a critically important issue for all STEEMIT users to be aware of!

However, there was practically no discussion on any of the @steem-plus posts of the potential dangers or security issues related to using a new Chrome extension with STEEMIT, not to mention one that currently remains closed source, and posted to a new STEEMIT account seemingly created for the sole purpose of presenting this extension. Interestingly, the posts did attract quite a few upvotes from many well-respected fellow STEEMIANS, so it is also possible that they are already familiar with @stoodkev and comfortable with his work.

As such, the extension is probably fine, and will in time likely serve as an additional valued option for those interested in these features, especially once the source code is released and can be installed directly from its github repo. However, I just wanted to make sure that everyone was aware of the other options, along with the potential risks involved in using any such "plugins". It's better to be safe than sorry, and a better understanding of the risks of using STEEMIT and how to better protect yourself from them certainly can't hurt. Here are two great posts, one by @gtg, and another by @timcliff, to that effect:

Post Vote Slider Woes...

Users should also be aware of problems that may arise using the Post Vote Slider, especially for those with extremely low SP (Steem Power). That's why my script generally limits the slider to those with at least 72 SP, although some users have successfully lowered this value (it's a simple constant in the script), understanding the potential problems they may face by doing so, as described in the post I wrote upon releasing the script:

First, I just wanted to make one thing clear. Lately many low SP users have experienced bandwidth issues interfacing with the blockchain. While there are several initiatives in the works to alleviate some of these issues, be aware that the more transactions you make on the STEEMIT blockchain (ie. more votes, especially many very small votes) the greater the chance you may be rate-limited for a period of time. If this happens to you, just wait a little while for your account to recover. Also consider voting a bit less frequently, and with more vote power as well.

You can check your current "Bandwidth Remaining" on steemd.com, or if you're hanging out in one of the Discord Chatrooms such as Whaleshares where WhaleBoT "lurks", 🐳he'll🐋 show you the approximate bandwidth you have remaining along with your vote power (ie. "whalebot vp alexpmorris").

So by comparison, what do my scripts do?

For those unfamiliar with TamperMonkey, it's a very popular userscript manager, available for Chrome, Safari, Opera Next, and Firefox. The scripts can easily be added to your TamperMonkey "Dashboard" as just another script to run, complete with source code as well so you can be quite certain there's no tamper "monkey business" going on! 🙊
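One way to use that visible source before installing a userscript, as an added example that is not part of the original post or of the author's scripts: read the metadata header first and list the entries that widen what the script can reach. The sample header and its URLs are constructed; the keys checked (@match, @include, @require, @grant, @connect, @updateURL, @downloadURL) are standard userscript metadata keys.

```javascript
// Constructed sample header for illustration; not one of the scripts in this post.
const SAMPLE = [
  '// ==UserScript==',
  '// @name      Example Feed Helper',
  '// @match     https://steemit.com/*',
  '// @match     *://*/*',
  '// @require   http://cdn.example.invalid/lib.min.js',
  '// @grant     GM_xmlhttpRequest',
  '// @connect   *',
  '// @updateURL https://example.invalid/helper.meta.js',
  '// ==/UserScript==',
].join('\n');

// Collect "// @key value" lines between the UserScript markers as {key: [values]}.
function parseHeader(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  if (!block) return null;
  const meta = {};
  for (const line of block[1].split('\n')) {
    const m = /^\s*\/\/\s*@(\S+)\s*(.*)$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2].trim());
  }
  return meta;
}

// List the header entries a reviewer should question before installing.
function auditUserscript(source) {
  const meta = parseHeader(source);
  if (!meta) return ['no metadata block: cannot tell where the script runs'];
  const out = [];
  for (const scope of [...(meta.match || []), ...(meta.include || [])]) {
    if (scope === '*' || /^(\*|https?):\/\/\*\//.test(scope)) out.push(`runs on every site: ${scope}`);
  }
  for (const url of meta.require || []) {
    if (!url.startsWith('https://')) out.push(`library not loaded over HTTPS: ${url}`);
    if (!/#(md5|sha1|sha256|sha384|sha512)[=-]/.test(url)) out.push(`library has no integrity hash: ${url}`);
  }
  if ((meta.grant || []).includes('GM_xmlhttpRequest')) out.push('can send data to other origins (GM_xmlhttpRequest)');
  if ((meta.connect || []).includes('*')) out.push('may contact any host (@connect *)');
  for (const key of ['updateURL', 'downloadURL']) {
    for (const url of meta[key] || []) out.push(`auto-update source declared: ${url}`);
  }
  return out;
}

console.log(auditUserscript(SAMPLE).join('\n'));
```

An empty result only means the header asks for nothing unusual; the script body still has to be read, since any script matched to steemit.com runs with the page's own access.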

I've included the full links at the end of this section for reference, but in summary, the scripts offer the following features:

  • "Hide ReSteems" -- "Hide ReSTEEMS" adds a new button to all the feed pages, so that you can quickly and easily toggle all resteems. This is a feature that I personally use very often, especially when trying to catch up on upvoting content by those I follow. I can quickly and easily target the posts they wrote. When I'm done "catching up", I click again to "show resteems", and see if I'm interested in upvoting any of their resteems. The key, however, is that I don't miss any of the posts of those I'm actually following!



  • "Post Vote Slider" -- This enables the post vote slider for steemians with over 72 SP, and also provides users with better upvote notifications. It works on posts and comments alike, and you can tell it's active by the upvote circle turning a slight shade of yellow.

  • "Vote Past Payout" or "Vote Payment Declined" -- This voting "feature" allows you to vote for a post past the 7 day payout window, as well as vote on posts that are designated as "declined payout"! This feature only works if you are reading the full post, and is achieved by scanning all the author's comments for one that has yet to expire. As long as a post still contains at least ONE ACTIVE COMMENT, whether the post is 1 week or 6 months past payout, the "Past Payout Monetizer" will find and target THAT COMMENT for an upvote instead! And as simply as that, you can easily reward the author for their hard work, even if you've discovered it months after the first payout!
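The comment scan described for "Vote Past Payout", sketched as an added example (this is not the script's own code): vote on the post while it can still pay out, otherwise walk the whole reply tree for a comment by the author that is still inside the 7 day window. The thread object, its field names, and the choice of the newest active comment when several qualify are assumptions made for this sketch.

```javascript
const PAYOUT_WINDOW_MS = 7 * 24 * 60 * 60 * 1000; // the 7 day payout window

// Constructed sample thread. Field names (author, permlink, created, declined,
// replies) are assumptions for this sketch, not the Steem API's schema.
const SAMPLE_POST = {
  author: 'alice', permlink: 'my-post', created: '2017-08-01T00:00:00Z', declined: false,
  replies: [
    { author: 'alice', permlink: 'alice-old', created: '2017-08-02T00:00:00Z', replies: [] },
    { author: 'bob', permlink: 'bob-new', created: '2017-11-01T00:00:00Z', replies: [
      { author: 'alice', permlink: 'alice-new', created: '2017-11-02T00:00:00Z', replies: [] },
    ] },
  ],
};

// True while an item is still inside its payout window at time `now` (ms since epoch).
function isActive(item, now) {
  const age = now - Date.parse(item.created);
  return age >= 0 && age < PAYOUT_WINDOW_MS;
}

// Decide what a vote should land on: the post itself when it can still pay out,
// otherwise the author's newest still-active comment anywhere in the thread.
function pickVoteTarget(post, now) {
  if (!post.declined && isActive(post, now)) return { kind: 'post', permlink: post.permlink };
  let best = null;
  const stack = [...post.replies];
  while (stack.length > 0) {
    const c = stack.pop();
    stack.push(...(c.replies || [])); // nested replies are scanned too
    if (c.author !== post.author || !isActive(c, now)) continue;
    if (!best || Date.parse(c.created) > Date.parse(best.created)) best = c;
  }
  return best ? { kind: 'comment', permlink: best.permlink } : null;
}

console.log(pickVoteTarget(SAMPLE_POST, Date.parse('2017-11-05T00:00:00Z')));
```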


For the complete posts on how to install and use the scripts, please refer back to the original posts here:


For those of you who are already familiar with TamperMonkey and don't want to go through more posts to give these scripts a try, you can easily install either or both scripts directly from greasyfork.org:

Script #1: https://greasyfork.org/en/scripts/31120-hide-resteems
Script #2: https://greasyfork.org/en/scripts/31619-steemit-post-vote-slider-and-past-payout-monetizer

You can also find both scripts on github.com:

Script #1: https://github.com/alexpmorris/HideResteems
Script #2: https://github.com/alexpmorris/SteemitPostVoteSliderAndPastPayoutMonetizer

If you plan to use both scripts, also make sure that "Hide ReSteems" loads first. If it's running in the correct order, when you click the TamperMonkey extension logo, this is what you should see:


In conclusion...

I hope you found this post helpful in better understanding STEEMIT, along with some of the options available to you to improve your STEEMIT "user experience", while doing so in as safe and cautious a manner as possible!


As always, I appreciate your upvote, your follow and all your comments!


You're right about the potential risk, so I've just put it on Github and posted to explain how to use it in developer mode.

Great to see that you released the code @steem-plus, that will definitely make people more comfortable and willing to try it out. It's also interesting how each developer has their own unique approach, which some users may prefer over another, so different implementations are always welcome and still add value in their own way! :)

https://github.com/stoodkev/SteemPlus

What are your thoughts about @armandocat's Extension, Steemit More Info? He has posted the source on github.

Privacy - Do I steal your data?
I do not access your private keys. The only way I could do it is if you go to your wallet page and click on "show private key". But I don't do it! Should you trust me? Well, I believe it is better not to trust anyone. That's why the source code of the extension is available on github and you can (and you are encouraged to) look and study it!

The way it works is by scraping the webpage and the url of the page you are looking at to extract your username and the username of the user you are looking at. Then it uses steem-js to get information about that user. This process doesn't involve any private key! In fact, you can see information about other users as well, even if you obviously don't know their private keys.

Definitely looks like a great piece of work he's done. I had thought of adding some of those features (such as the votepower value, etc), though I ended up putting them into my Discord WhaleBoT (used by well over a dozen STEEMIT-related discord chat rooms now) instead, since I was hesitant to add too much more "weight" to the web interface. For example, while he's packed in a whole lot of new features, the javascript code alone is over 1.3 megabytes, versus my two scripts coming in under 20 kb!

Regardless, it's still really cool what he put together, not to mention that he's already released the complete code on github, along with the relevant "security" warnings and "caveat emptors". I still have a "thing" for using the features as an extension, though. But given the scope of what he put together, it probably was the correct way to go in this case. And of course, if it makes sense to do so, perhaps some of the simpler features could still be ported into a simpler TamperMonkey script as well.

Alex, why the need for a private key for these scripts? Those scripts are not posting for us and they live in a sandbox or?

my scripts don't need access to any private keys, because they hook into STEEMIT's post voting methods.

HOWEVER, any script that runs inside the STEEMIT.com browser "sandbox" can potentially access any of the same private keys that STEEMIT can.

Why should they run inside that sandbox?

how else would they modify the GUI, even if only to add a single button such as "hide resteems" along with the javascript code to hide/show resteemed elements?

Well, as I'd imagine sending everything that has to be signed in a message to a private memory space, you'd do the same for objects which need to be modified. I'd believe you if you'd say that it wouldn't be very efficient and practical, but from a security standpoint. If we'd be talking about private keys to big funds then I would let my private keys live in an encrypted vault like KeyChain on MacOS and just send messages to be signed through the sandbox back and forth. But in any case thanks for explaining, I should probably write up a post about it and research this topic. It's been years since I've looked at these problems so...

But indeed now I realize that you'd have to authorize everything by hand if you were to send messages anyway which would make the whole thing unpractical.

It would be fairly trivial for an update to the extension to intercept your password as you logged in.

You're right, that's why I suggested people install the extension by downloading the project code from github and installing that instead of the official chrome extension. The chrome extension is auto updating when a new version is released. Of course, the downside is that every time a new version comes out, you need to install it manually. I didn't even want to publish the extension on the chrome extension store, but a lot of people asked me to do that, so I did it!

I guess now anyone has the ability to choose the way they prefer!

Kudos to you for offering it that way. You might want to suggest that people login to Steemit with only their Posting Key.

I would like to know as well.
first time I have used an extension.

I tried the "Steemit More Info" extension and it definitely does many cool things, though as I expected, it does add a bit of "weight" to STEEMIT. Also, it does seem to work with my "Hide ReSteems" script, but not with my "Post Vote / Expired Post" script, since my script creates a new vote slider, and the "Steemit More Info" extension also modifies some elements targeted by my script, while also creating its own "voting bar" as well.

I really enjoyed and appreciated the voting bar script you made for lower SP users. That enhanced my steemit experience and allowed me to upvote more often without draining my VP. I've been telling people about the script, getting the word out.

I still use the "hide resteem" script, it works even with the tile setting in "more info", although there are blank spaces for the resteems.

Do you see any privacy or security concerns with the "Steemit More Info" extension? @ironshield

Glad you're making use of the scripts and find them so useful! As for the "Steemit More Info", I think it's most likely safe to use, especially given all the code's on github. To thoroughly audit it though, you'd have to go through all the included javascript files and libraries.

I gave it a quick run through, and I felt comfortable enough to try it out, if that's any indication. As such, you could use his extension in conjunction with my "Hide ReSTEEMs" toggle. I also noticed that it worked with the tiles as well!

Unfortunately, as I mentioned it doesn't currently work with my "Vote Slider" script, though perhaps at some point he'll consider adding some of these features directly into his extension as well.

quick note...it appears to me that the biggest danger comes from using a browser extension at all, because it could be updated at any moment to include new code. Downloading the source code and running the extension yourself in dev mode only takes a few minutes more, and it won't auto-update...so if somebody compromised my chrome dev keys or the 'steemit more info' dev keys, they could push nasty updates out automatically.

If you install the source via dev mode, that avenue is no longer possible.

nice clarification @itchykitten. That's also how I tried out the extensions, by directly installing them from their respective github repos.

This is some serious work and I particularly love the slider for the minnows below 500. Would have installed it in a heartbeat a few years ago, it's just that now I would rather be safe than sorry. It's not you, it's me wanting to be ignorant about this, being a noob when it comes to source codes and all that...
I see that everyone is trying to create these extensions now.
I read about some that mine crypto through your browser ..

You're right to want to stay safe. SteemPlus is now available on Github and I explained how to use the current version in developer mode here.

Vigilance is always of the utmost importance. Thanks @alexpmorris for another informative post! : )

This post is a fortuitous reminder as we were just talking about wanting a resteem filter on the music and money show today. Think I may finally need to implement this on my browser.

Thanks Alex!

hey no problem @scaredycatguide, also still gotta "stop by" your show one of these days! lol :)

I'm amazed how many incredibly talented developers this community has

Awesome worth reading post with a lot of information for witness helping. Can i resteem it? @alexpmorris

A very good post. With photos, writing style, and useful of course. I am very pleasant. Your post matches with many upvote

I am with @ironshield,
I am a non tech, and really like that I can see these things w/out the mumbo jumbo page hopping.
Can the other extension work in combination(?)merge together?
Never used them so this is new to me..
I can't wait till steemit incorporates these features.
TY!
Namaste
