Warning to users using third party applications - Be extremely careful providing your keys to anyone or any site!

in #security4 years ago (edited)

I recently posted two articles on how to use the SteemConnect tool to create new accounts on the Steem blockchain as well as how to delegate SP to another user. SteemConnect is an amazing tool, and I am extremely thankful to the Busy.org team for providing the community with these awesome features =)

@sneak (Employee of Steemit, Inc.) commented on one of the posts with a warning. I am very thankful that he did, because I did not include sufficient warning in my posts for users to be extremely cautious when providing their active key to another site. I took for granted that the Busy.org team is a highly trusted group of people, and it did not even occur to me to warn people.

Let me make this clear, I am not saying that users shouldn't trust their keys with Busy.org and the SteemConnect tool. Personally, I have used their tool and will continue to do so. It is not without risk though - I am opening up my account to the possibility of being hacked. Users need to be aware of the risks and decide for themselves what is appropriate to do with their keys, and who (if anyone) to trust them with.

Here is some advise on managing the security of your keys:

  1. First of all, if you have not already saved and backed up your account password (owner key) somewhere safe, where it would not be destroyed in the event of a hard drive crash or fire - DO IT NOW. There truly is no way to get into your account and access your funds if your key is lost. Any money that you have in your account would be gone forever. You need to save this key.
  2. If you still have not saved and backed up your password, please stop reading this post and do not continue reading it until your password is safely backed up. (Seriously)
  3. Never, under any circumstances, give your owner key to any other person or third party website unless you trust them with your life. Anyone who has access to your owner key would be able to steal your entire account and everything in it. There really should never be a reason to do this unless you want someone you fully trust to have access to your account in case something happened to you or your keys. Even then, it is questionable.
  4. Be extremely careful with providing your active key to any other person or third party website. Anyone with access to this key can basically do whatever they want with your account, including stealing all of your money. You could still recover the account with your owner key, but any money they were able to transfer out would be gone. You should really trust anyone or any website that you are providing this key to. You are essentially giving them full access to your account. If you wouldn't trust them will full access to your account, then don't give them your active key.
  5. You should also be very careful when providing your posting key to any other person or third party website. Even though they would not be able to take any of your money, they can still use your voting power, post things on your behalf, and act as you on the blockchain.
  6. Even if you trust a person or website with your key(s), you also must trust the security measures they have in place to protect your key(s). If they get hacked and your key(s) gets stolen, then the hacker will be able to do whatever they want with your key(s).
  7. Do not use a key with higher authority than what you need. Example, if you are just logging in to post, vote, and comment - do not use your active or owner key. Use your posting key. If you are transferring funds, do not use your owner key. Use your active key.
  8. If you have provided any of your keys to a person or third party website that you do not fully trust, it is recommended that you change your password here: https://steemit.com/change_password. This process will generate new keys for your account. Before you click the button to change your password, be sure to save and backup your new key. Please re-read points #1 and 2.

The bottom line is this - if you provide any of your keys to another person or third party website, you are giving them full access to do whatever those keys are allowed to do. If you do not trust them with the authority that the keys grant them, and their ability to protect them from getting hacked/stolen then do not provide them with the keys.


Be extremely careful with providing your active key to any other person or third party website. Anyone with access to this key can basically do whatever they want with your account, including stealing all of your money. You could still recover the account with your owner key, but any money they were able to transfer out would be gone. You should really trust anyone or any website that you are providing this key to. You are essentially giving them full access to your account. If you wouldn't trust them will full access to your account, then don't give them your active key.

It's not just trust in the service to not steal; it must also be trust in their ability to fend off a server or credential compromise.

I could trust the busy guys 100%, but if they get hacked through no fault of their own, any keys I provide to their site are just as stolen (by whomever hacked their server, in this hypothetical scenario).

You can't be too cautious here.

Can we start using local clients yet?

Thanks @sneak - great point! Post updated.

I don't mind giving out my posting key to an app.

My active key, well... only to the site I use to post steemit articles to...

My owner key, that's in safe keeping. I never give that to anyone. If I had to really use it, I think I'd rather run steemd and sync to the blockchain myself.

@timcliff and @sneak i am having a problem with exactly this issue.

I gave my active wif to streemian yesterday, before i really understood how powerful it was. Streemian misrepresented and said they could not acces funds with it.

Now i want to rescind all of the permissions but i have reset my master password twice - and checked to make sure it also reset my active wif, BUT STREEMIAN STILL HAS THE SAME PERMISSIONS.

I don't understand what's happening and all efforts to contact streemian and @xeroc, with no responses. Streemians permissions removal app is not working.

There must be some way for me to remove wif permissions, but i dont know what to do.

More details here: https://steemit.com/steemit/@dber/need-help-i-think-streemian-is-procuring-active-wifs-from-new-users-under-false-pretenses-2017616t93220644z

It looks like you actually setup new keys for these services to use. You did it with two different services. At least based on what it shows there it does look like it is posting authority only, but I have no way of knowing if you gave them access to owner authority as well.

You should ask for help in the #streemian channel of Steemit chat. There should be users there who can walk you through the process of removing their authority from your account.


Thank you so much for responding - this issue is coming up hard against my slowly receding ignorance. How dod you see this information? Through cli wallet?

Also i definitely didnt give them the master password - and i have definitely changed the active wif twice now - is there any way they could still have owners permission after that?

Also, checked out the #streemian chatroom and there are a few people asking to leave and no answers from streemian.

Steemd.com/@accountname. I doubt it, but I cannot say for 100% since I don't know what was actually shared/done.

I gave streemian my username and my active wif.

Then I changed my master password twice.

That's the extent of it.

But the chatroom has no responses from streemian people and @xeroc is not responsive, and the emails to streemian are not returned in about 48 hours.

The fact that they request the active key at all, in hindsight, seems unecessary. That they says right above that that they cannot access your money, even though you've given them the active strikes me fundamentally false... though perhaps I'm missing something.

As far as I know you should be good if you shared your active key, and after that you changed your passwords and confirmed that your old active key no longer works.

Hmm - I definitely changed my passwords, but I didn't have the old active key written down.

I went through and found the actual transaction and update notice from streemian:


Then found only one other update:

update 2.png
That's all I can see as far as updates go, and neither seem to add any authority to the active or owner slot. This doesn't alleviate my concerns that they are collecting active keys, but if I changed my active key twice, that original should no longer be useful if I'm understanding correctly.

Hey, if you would like to revoke posting authority you can use this page: https://v2.steemconnect.com/revoke/@streemian Let me know if that worked for you.

Hi, thanks for link, how to confirm was it successful revoking?

thanks a lot! ive spent 2 hours trying to do this lol

good information to have on hand

Like you said, people should be aware of the risks involved and know what they are exposing themselves to. In the cyber world, nothing is completely secure and having your keys in the possession of another definitely brings risks.

I think you've thoroughly explained to people the risks involved with using third party software and anyone who reads this will know how to secure themselves against such risks and also know what they're getting into by using third parties.

At the end of the day, it's a personal choice, but educated decisions are always better. Thanks for sharing!

P.S. I don't use third parties... I even find it hard to trust my browsers! I'm just paranoid like that :)

Another thing to be cautious of is using Chrome Extensions that interact with Steemit.com. Because the keys we use are on the DOM then an extension could get that information if it was designed to do so. I am not saying they are bad and in fact I made one here. Just use caution.

However, this idea is not something new. Any software that you install on your computer has the ability to get certain information. An example would be software like 1Password Technically you have given them all your passwords to store for you and there is nothing stopping them from using any one of them. It comes down to trust and just being aware.

Just think and research before you do anything. Make sure it is an informed decision.

It's good to raise awareness about this as there are people who do not realize the exposure they are taking on. I'm ok with sharing posting key with busy.org as I have faith in ya'll, but haven't shared my p/w info anywhere else.

I believe the SteemConnect tool stresses that your active key is not actually given to them and never leaves your browser, though I could be wrong. I also don't have the tech chops to verify this claim but I'd hope someone with a security background could do so by reviewing the application.
SteemConnect is attempting to be the trusted authentication tool to avoid having to give your keys to any sites that are built on the Steem blockchain, and we definitely need something like it.

I've been developing SteemConnect2 tool and I can confirm that WIF or password never leave user browser. Password is directly turned to WIF and just used a single time to create a signature for broadcast an operation. The code is open source and can be reviewed here: https://github.com/adcpm/sc2. At the current stage it still require you to trust Busy team and that our server not get corrupted. We are working with Steemit inc to address these concerns with code reviews and official hosting.

The fact that it doesn't leave your browser is not something that you can rely on. If they get compromised, it doesn't matter whether it goes to the server or not - the same code that keeps it in the browser today comes from that server.

In event of a compromise, it could just serve you code that uploads your keys. How it works today is irrelevant to the security model.

PS: we are actively working on SteemConnect 2 to address this issue of risk and trust.

Wouldn't a local browser solve everything?

Yes, I have heard something along those lines too - thank you for pointing that out. That is why I do still trust it. No matter how much is done though, there is still some level of trust that when you click the button the tool is behaving the way we expect it to. You can never be too careful they say :)

I had no idea people were even sharing keys, seems like just common sense that you shouldn't do that. In the world of cryptos, even well established companies with a good rep have ripped people off, keep private wallet keys for your eyes only when using anything to do with cryptos.

@purpleprose ::))) same here , when I read this I was like "" huh ? " because to me that would be like given out your pin number to your Debit card . but Each to there own ::))

The pin and the card to your mother, so she can pick you up something. At the end of the day it is someone you trust.

Like cryptsy and mt. gox?

They are not family, they are businesses that are profitable now, but may not be in the future. Experience has shown us that a lot of crypto companies exit scam when they run into trouble. Do we really need to keep learning this lesson?

Btw I'm not accusing anyone of anything, it's just bad security to share private keys or even to keep too much money in trusted places like Coinbase or Poloniex.


Thanks so much for your advise.

One question: if I generate a new password and update it, does it means that all my keys including owner, posting, active etc will be changed?

I had given my private key to someone when I was yet to know how important is these keys.


Resteemed and Upvoted!
Thank you for such indepth article. Too many times we are trusting wrong sources. In that case to avoid any breach, it is wiser to not trust anyone.

This might sound stupid but is your password (item #2 in your post) and your owner key (item #1 in post) the same thing?

Yes, although actually when you are logging in to Steemit.com it is actually better to be logging in with your "posting key" rather than your "password".

How do I find out my posting Key? I'm not seeing it in my settings or FAQs, and I didn't create an account using FB or reddit.

Go to your wallet page and click the "Permissions" tab.

helpful to know - thanks for your help man!

Also, the keys you see are probably the public keys. Most likely you will need to click the button to the right of each key that says "show Private key" in order to see the private keys. It is the PRIVATE keys that you will be using to log in with, NOT the public keys. I suggest copying and pasting those private keys to a text file and saving the file on a memory stick PLUS printing it out as well in case of memory stick failure. Another thing to be aware of is that a q can be mistaken for a g.

Thanks for sharing this post and spreading awareness. Also, I have come across some posts where people mentioned about sharing their keys in the memo while making transactions and some even shared the screenshots of their keys. Hope this reaches out to them and they update their keys.

Many Thanks @timcliff

You have been PROMOTED FREE for using the "security" TAG (hashtag)


thank you for @timcliff

It is very important.

Nice advice, I just realize that active key is so important, also for master key, I have saved it in three different places with a secret password to protect it. :)

Anyone who is reading this article might find this helpful. Protecting your coin is critical. I have learned to always secure private keys offline when possible, and have provided a guide to help give people the right conceptualization of security. https://steemit.com/steemit/@extrospect/how-to-protect-your-cryptocurrency-invests-a-fundamental-guide

What would be the safest way to save our key?, what do you recommend?

Burning a copy on a CD is good, because it is hard to corrupt. I also recommend printing it out on a piece of paper, then putting both in a fireproof safe.

Sounds good! :)

When I asked Golos for the first time I immediately changed my Steemit password! Great info. Seeing some of these huge account values freaks me out. All could be lost with one mess-up.

this is great info for the newcomers here. My wife just signed up, and i told her to save her password..and she's say "now?" i say "yes, now..you have too!" haha.

@timcliff ::) Thank you for updating us on safety grounds . myself personally don't trust 3rd parties at all . Nothing against Busy.org. maybe I should check them out . but I really do appreciate you looking out for your Steemers :))) I upvoted and Re-steemed for you ::))

Thanks!! Really Helpful . do sharing posting key is also unsafe . (Private posting key )

Yes, sharing your private posting key has risks as well, which were outlined in the post.

Thank you for the detailed information on this. I am still confused about the public vs private key situation and am going to read more. But I feel like I have a better understanding of potential risks now.

thanks for sharing

Thank you soo much for sharing.

Too many keys confuse some people.

Good point. I agree with that. For people who are not used to using 'crypto' on a regular basis, even keeping track of the one password is hard.

@timcliff providing safety tips for the community. Bravo!

I do appreciate this warning. This does bring up something else though. We are hoping steemit will be adopted by the masses. But, can you really expect everybody who currently uses facebook to get used to these long active keys? I think in order for mass adoption, steemit is going to have to come up with some other way to do this.

Of course, it is steadily growing now, so who knows.

Yes, it is something to consider. There is a trade off between convenience / ease and security.

i just realised all my password saves are on my computer - i better back up to hard drive now

Thanks for this post! Incredibly important to continue reminding people that their keys are a direct access to their hard earned Steem!

Thank you for let us know. I will re-steem this post.

resteemed :)

thank you for bringing out the security issue for all of us. not all of us is good at high tech kind of things better be safe. (just like me)😃

Thanks good to know. While I don't think I'll be using this for a while it helps to have the info on board...

The US GOV is someone else you can not trust they will take anything they want and call it anti terrorist activity. I backed my key up on a Trezor, and a thumb drive in case the computer crashed or something crazy happens, like the US GOV confiscating my computer at the airport or something

Great article. I'm wondering about apps like eSteem, and their potential for hacking: are they safe to use? Do you think that they are the future of Steemit? It seems to me that an app is necessary in this current climate.

I am not really in a position to say. There are a few projects (like Busy.org and eSteem) where I trust the developers themselves, but it is impossible to know how good of a job they are doing with their security.

Generally sharing your posting key with those apps isn't super risky, because they cannot take your funds - but someone can still do a lot of damage with your posting key..

Steemit, Inc. is planning to add support for third party apps via a tool that they will host which will manage users keys. Once this is done, this will be the 'officially supported' method for third party apps to handle users' keys.

loved ur article timcliff, have u heard of sick building syndrome I think this article is important https://steemit.com/health/@whitedolphin/is-your-building-making-you-sick#comments

nice post sir .... really informative...
plz check this post as we steemers dont get much recognition ...

Got ur point... Thnks... Its better to continue the way it is going then to expect anything from people like you

Thanks for the great info.

Yesterday I opened an account in Streemian. and I was asked for the active key. Why do they need the active key and not just the posting key, like @chainbb, for example?
I believe Streemian is one of the central applications in the Steem community, so I ended up entering the keyword. Perhaps I should have asked them first by email.

Is there a way to change the active key, or the main key, in case one has doubts like these?

You should ask them to explain what it is used for. My understanding is that it is a one time thing to add a new posting key to your account. You can change your keys to get a new owner key. Just make sure you properly save your updated key information.

thank you for your quick reply. I´ll do that.

I'm sorry I missed this post during the voting time, but I wonder if you'd answer a question - this is the first explanation I've seen of these keys that seems to make things very clear (thank you!). To clarify - are you saying that we should login to steemit with the keys rather than our password? I've never heard that or realized it was a possibility!

It is best to only login with your private posting key, and then only use your private active key when doing STEEM/SBD transactions. Your password/owner key is best to only use if/when you need to change your password/keys.

Thank you! So...is there an easy way to enter the long string of letters/numbers to login? (I imagine saving them in the browser or whatever would be defeating the purpose?)

I have them stored electronically in a text file, so I can copy/paste. You can keep it on a burned CD or flash drive so that it is offline when you are not using it.

Okay, thank you!

thanks, that was helpful!