[security] Misuse of Steemconnect login (shouldn't ask active key for every login)

in #utopian-io6 years ago (edited)

Repository

https://github.com/steemscript/steemconnect

I've filed the issues on Steemconnect: https://github.com/steemscript/steemconnect/issues/365

Components

  • Steemconnect login process


"Security is key for the Steem ecosystem."
- SteemConnect 2.0: Easy, Fast, Efficient Access to the Steem Blockchain by @steemitblog

This is a very important suggestion for Steemconnect key security for login process, relevant to all major dapps (e.g., busy, steempeak, esteem, partiko, dpoll, steemhunt, tasteem, ntopaz (artisteem), etc) that have functions such that users can post or vote in the app.

Steemconnect login should use posting key (instead of active key) for logins after the initial authorization process. If active key is stolen, then all of your Steem and SBD can be stolen, and powerdown can be initiated. Login shouldn't require active key again and again.

Proposal Description

Background

Except for steemit.com, which is the official front-end that most people enter their keys with confidence, Steemconnect is the most popular way of authorization and login for Steem dApps, e.g., busy, steempeak, esteem, partiko, steemhunt, tasteem, ntopaz

Let's say someone offers a new Steem-based app that requires your key. Then you'll be hesitant to enter even your posting key.

That's why Steemconnect is so popular. While there is still some trust/security issue, basically we believe this open-source authorization method, supported by Steemit Inc.

To use it, we first need to authorize our posting right to each app. For instance, to use busy.org, the posting right should be authorized to busy.app as follows:

To use Steemconnect as login/authorization method, we need to give the posting right to each app.

This is to avoid entering your posting key every single time for transactions that requires posting right, e.g., commenting and voting. This is absolutely fine, we've already decided to trust Steemconnect by authorizing the posting key to them.

What's the problem then?

active key for every login after the initial authorization -> wrong!

Most dApps still require active (or higher level) key for login after the initial authorization. I initially thought, for instance, Busy, that it might be for removing further verification for transactions that require actice key, e.g., transfers/powerup. But those transactions require users to enter active key again! Which I believe it should! I mean saving active key right is too dangerous. So requiring active key again when login isn't clearly not for saving active key right. Then why?

It's just because they use the same logic for every login! Since the apps require transactions such that comments/votes, the app is asking posting key right authorization again! which require active key!

This is an obvious misuse of the keys. By authorization of the posting key to the app, the app can do (on behalf of you) whatever you can do with your posting key, e.g, voting, commenting. That's how Steempeak, for instance, can do scheduled posting even after you log out! Because the app already has your posting right. So what they actually need after the initial authorization process is only the verification of your identity which can be done with posting key.

Of course if you're using your personal computer, then Steemconnect login session can be saved so that you no longer need to re-enter your active key. However, if you use different computer/phone/browser, or your session is somehow expired, then you need to enter the active key again!

I truly believe that this is quite dangerous and misuse of key rights. (I'd even like to call this is a security bug, but everything is working (with unnecessarily stronger key), so others may not agree with this.) With active key, hackers can withdraw your money, powerdown, etc.

Users should be able to log in with posting key!

After the initial authorization, users should be able to log in with their posting key.

Is that even possible?

Some people may think this is impossible. Some people may believe it's possible, since steemauto actually requires only posting key for login after the initial authorization. But steemauto itself doesn't have a function for users to post or vote in the app, some of you may still think this might be impossible. But do you really think it makes sense that steemauto can vote and post (by schedule post) even without your login, but steemauto requires your active key when you want to vote and post when you're actively log in (of course, hypothetically)? This really doesn't make sense.

For those who still don't believe that it's possible to log in with posting key, I'll show a workaround in the Mockups / Examples section. Thus, the job needed is to allow log in with posting key for the app that is already authorized with posting key.

Why is this happening?

I don't know, but maybe Steemconnect may not have a proper way to do this (except for the workaround that I'll explain), or maybe the document isn't good enough, so even if there is a way, they misguide dapp developers so that apps are requesting active key again and again. Busy is a good example, since fabien at Steemconnect used to work for Busy, so we can expect that Busy is using Steemconnect in the right way. But, unfortunately, Busy also requires active key. As far as I test, all apps where users can vote and post with the app require active key.

Mockups / Examples

Initial Authorization

typical Steemconnect dialog for login (e.g., Busy)

As it says, it requests you to authorize your posting right to the app, so if you continue, you'll see this.

you need to enter active key to authorize your posting right to the app.

Again, this is fine and necessary for initial authorization!

However, after that, say you use a different browser, or Chrome's incognito mode or such, then you see the same dialog and you are asked to enter your active again!, which it shouldn't be.

Workaround

One workaround that I have found is as follows:

  • First, make sure that you already authorized your posting right to an app, e.g., busy.app

  • Use a different browser or incognito/private mode to make sure you're not using the previous session. (If you're curious, try to log in Busy, then you'll see you need to enter active key again. But don't log in so that you don't save your session again)

  • Log in some app that only requires your posting key from the beginning, e.g., @steem-ua is such a good example. https://steem-ua.com/ has a function to show your UA score that requires login with your posting key.

    https://steem-ua.com smells like they'll only check your identity.

    which is true that they only require your posting key.

  • Now go to Busy.org then you'll use your saved Steemconnect session which you only entered with posting key as follows.

If you click this (I mean yours), you can use Busy without any problem. Why? Because you already authorized your posting right! Why twice? Why every time? This workaround is the proof that you should be able to log in with only posting key afterwards.

I'm also a developer, so I also tried to resolve this problem on my own. Which key is needed depends on scope for instance, scope=login requires only posting key, as in steem-ua,

However, if I just change the url with scope=login, i.e., if I log in with the following url:
https://app.steemconnect.com/oauth2/authorize?client_id=busy.app&redirect_uri=https%3A%2F%2Fbusy.org%2Fcallback&scope=login

then it allows me log in, but I can't do vote as follows.

Basically, Steemconnect only provides the rights you request (login, in the above case) even if you already authorized your posting right to the app. This makes sense, since there can be such a use case. So I'm not saying this itself is wrong. But the main point is there should be a way for users to log in only with posting key after the initial authorization.

Benefits

If active key is stolen, then all of your Steem and SBD can be stolen.

Using active key for login can be extremely vulnerable on public computers. As you know, a private key isn't something that a human can memorize, so users most likely use copy&paste from another source. By doing so, you have to protect that another source securely, but many people don't. So apps should be able to use posting keys for login after the initial posting right authorization.

Due to this problem, I've never logged in on other computers, since I don't want to enter my active key on unknown machines. Hope this problem will be resolved soon.

GitHub Account

https://github.com/economicstudio

Sort:  
Loading...

Hi @wehmoen, thanks for your comment.

I also posted a workaround here if you're interested: https://steemit.com/utopian-io/@blockchainstudio/steemconnect-login-with-posting-key-instead-of-active-key

Eventually, unless app requires background work(autovote, scheduled post), steem keychain is the right way. Unless SC3 provides something very cool, it'll be quickly replaced by keychain. Thanks!

In Korean: 이건 제가 보기엔 좀 심각한 문제인데 busy등 steemconnect를 사용해서 해당 앱에서 직접 포스팅을 하는(즉, steemauto등 제외) 경우 한번 포스팅권한을 부여한 후에도 계속 active key로그인을 요구합니다. 이를 피해갈 꼼수가 있기는 한데 꼼수를 다시 한번 떠 꼼수를 부려 당사자 앱에 적용하면 안되는 것으로 보아 스팀커넥트 자체가 해당 기능을 제공하지 못하거나 하더라도 방법을 잘 안 설명해놔서 다들 잘못 사용하고 있는 것일지도 모르겠습니다. 전자일 확률이 높은게 fabien의 경우에 원래 busy에 있다가 steemconnect로 간 경우인데 busy부터가 잘못쓰고 있다면 너무 무신경한게 아니라면 말이 안되니까요. 꼼수라는 것은 예를 들어 steem-ua.com같은데 가서 랭킹 확인을 위해 posting key로만 로그인하시고 그걸로 busy에 로그인하시면 포스팅키만으로도 로그인이 가능해지고 사용에 아무문제가 없습니다. 즉 당연히 되야 하는건데 현재로써는 매번 액티브키를 넣게 되어있네요. 물론 세션이 저장되어있으면 계속 쓰면 되지만 새로운 컴퓨터에서 접속한다던지 할때 정말 문제입니다. 저는 심각한 보안 버그라고 부르고 싶을 정도로. 이전에 @anpigon, @jacobyu님과 해당 이야기를 나눈적이 있는데 이게 제가 좀더 조사해본 결과 내린 결론입니다. 아무튼 잘못 사용하고 있는 것 같습니다. 이 글은 되도록 아예 한글판도 간략하게라도 써볼지도 모르겠습니다.

보안보완 되어야 합니드앙~!

감사합니다~♥♩♬

Posted using Partiko Android

곰돌이가 @bluengel님의 소중한 댓글에 $0.016을 보팅해서 $0.007을 살려드리고 가요. 곰돌이가 지금까지 총 3159번 $37.938을 보팅해서 $39.402을 구했습니다. @gomdory 곰도뤼~

곰도뤼~ 무한사랑~ 💙

Posted using Partiko Android

이번 기회에 보완되었으면 좋겠습니다.

@steem-ua is such a good example. https://steem-ua.com/ has a function to show your UA score that requires login with your posting key.

This is the login scope on the steemconnect's oauth implementation, which you cannot do anything (like broadcasting transactions) with the access token you have with that flow as an application developer.

Overall, I understand the frustration, though. Steemconnect behaves like a SSO solution there, if you have already logged in with Steemconnect and already set posting authorities, it doesn't actually ask active key. (Instead just sends the access token to the app, and don't bother the user asking the keys, again)

Probably, we will have a better implementation in the upcoming version of Steemconnect.

Thank you so much for your reply. Yes I understand the logic, but as you said, you know what's my main point. steem-ua.com is an example for the workaround. If you log in steem-ua.com with a posting key, then you can log in dpoll and use it! for instance. This means that users should be able to log in dpoll with posting key (if they already authorized the posting right, of course). This is the main point.

In any case, there should be an easy way for apps to allow users to log in with posting key afterward when the session is expired, or with new browsers or whatever. Hope SC3 will resolve this problem. Thanks again!

짱짱맨 호출에 응답하였습니다.

3.1 운동 100주년을 기념하여 북이오는 "독도 - 인터넷독본"을 한시적으로 무료판매 합니다.

관련 포스팅: 신용하 서울대 교수의 "독도 인터넷 독본" 무료판매

널리 공유되기를 희망하며, 참여에 감사를 드립니다.

Congratulations @blockchainstudio! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You made more than 3500 comments. Your next target is to reach 4000 comments.

Click here to view your Board
If you no longer want to receive notifications, reply to this comment with the word STOP

To support your work, I also upvoted your post!

Do not miss the last post from @steemitboard:

Valentine challenge - Love is in the air!

You can upvote this notification to help all Steemit users. Learn why here!

Congratulations! Your post has been selected as a daily Steemit truffle! It is listed on rank 4 of all contributions awarded today. You can find the TOP DAILY TRUFFLE PICKS HERE.

I upvoted your contribution because to my mind your post is at least 8 SBD worth and should receive 160 votes. It's now up to the lovely Steemit community to make this come true.

I am TrufflePig, an Artificial Intelligence Bot that helps minnows and content curators using Machine Learning. If you are curious how I select content, you can find an explanation here!

Have a nice day and sincerely yours,
trufflepig
TrufflePig

Thanks, now maybe 160 votes isn't too much due to utopian.trail :)

So...how do we set it up the right way? 그럼 설치를 어떻게 제대로 할 수 있어요? Github에 들어가서 어떤 코드/파일을 다운해야 되나요? 알려주시면 감사하겠습니다.

Thanks. 감사합니다. 한국분이시면 https://steemit.com/kr/@blockchainstudio/steemconnect 를 보시면 될 것 같습니다.

Hey, @blockchainstudio!

Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!

Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).

Want to chat? Join us on Discord https://discord.gg/h52nFrV.

Vote for Utopian Witness!

Coin Marketplace

STEEM 0.19
TRX 0.18
JST 0.032
BTC 88143.93
ETH 3070.82
USDT 1.00
SBD 2.78