RE: A hole in the Blockchain: Steemconnect? (Please take the time it is important)

in #steemit, 6 years ago

Thanks, I am sure they will see it immediately. I actually threw @exyle the post in chat and asked him to tell you I mentioned you also. I guess it will go the other way around :)

Basically though, when logging into some of the app services they will be able to post as you without any way to know it was them and not you. That is a problem for many people and many future people.


Yes, I understand that part.
I called him on the phone. He is not at home at the moment, but he promised me to look at it. When he heard the name Steemconnect he said something like: "Oh, I think I understand the problem." So I hope he will contact you soon.

I asked one of the steemconnect developers directly and there is indeed no way to differentiate between you and the app you gave permission to post/follow/upvote etc. on your behalf.

The only noticeable thing could be that the follow happens 3 times in a row, as you can see on this page:
https://steemd.com/@tarazkp?page=72
The link below is one of the actual transactions (you get there by clicking on the number on page 72, so you can see the actual transactions):
https://steemd.com/tx/e68f71445e56b33c142202b4d77d498eed7569ef

Apart from it being a douchebag move, you DO give them permission to do so when approving them through SteemConnect (it's not a steemconnect issue btw)

I realise that the douchery is not Steemconnect but without any way to tie the transaction to the douche, it enables more douchery.

Thanks for the info. In my opinion, there should be a flag marking the app responsible. If they had followed child porn instead of themselves.. what then? What if another app with permissions used it to false flag a rival app?

I think the problem is that there are currently no ways to distinguish the difference between you or the approvee ... it is as if you yourself instigated the transaction ... it would take a modification of the steemcode, I suppose, to add hooks or flags to see if the post is 'on behalf of'

yes, well HF20 isn't done yet.

Fair point. Let's hope this gets noticed. The more holes that get plugged over time the better.

Hi @eqko, this is not fully correct. steemconnect has posting authority on the account, but they use their key to sign transactions containing actions in your name. From this signature you still know if the operation was signed by your or by steemconnect's private key.

The problem in this case is that steemconnect itself has posting authority on the app accounts authorized by the app users, and they use the steemconnect key to sign transactions. So you know that it came via steemconnect, but you can't tell for sure from the blockchain data which of the 3rd party steemconnect apps it was.

and where would you see this signature key ? I assume it’s in the transaction. How would you cross reference the signing key with the owner ?

The fact that it would probably have been signed by steemconnect instead of the user would already go a long way, I suppose.

This is the transaction from the example here:
https://steemd.com/tx/4ca0e947aaf443ef604c268ecb0c16d9630352c0
You can see a line "signatures" with a lengthy string. By feeding this whole operation, including the signature, as a JSON string into, for example, steem-python's transactions.verify() together with your public key, you'll know if it was you.

So it's all pretty technical and not easily visible, but at least it's there :/
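Added example, not code from this thread or from steemconnect/steem-python: Steem signs transactions with recoverable ECDSA over secp256k1, so the signer's public key can be recovered from the signature and compared against the account's posting key and the app's key. Everything below is pure Python with constructed toy keys and a constructed digest standing in for the real sha256(chain_id + serialized transaction); the 65-byte compact encoding and Steem's canonical-signature rules are left out, and a production check should still go through a vetted library such as the transactions.verify() mentioned above.

```python
# Constructed demo: who signed this operation, the account owner or the app?
import hashlib

# secp256k1 domain parameters (the curve Steem uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(priv, digest):
    """Recoverable signature (recid, r, s) with low-s normalisation; nonce derived deterministically."""
    z = int.from_bytes(digest, "big")
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + digest).digest(), "big") % N
    x, y = mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (z + r * priv) % N
    recid = (y & 1) | (2 if x >= N else 0)    # parity of R.y plus the rare x-overflow flag
    if s > N // 2:                             # negating s negates R, so flip the parity bit
        s, recid = N - s, recid ^ 1
    return recid, r, s

def recover(digest, recid, r, s):
    """Recover the signer's public key Q = r^-1 * (s*R - z*G) from the signature alone."""
    z = int.from_bytes(digest, "big")
    x = r + (N if recid & 2 else 0)
    beta = pow((x ** 3 + 7) % P, (P + 1) // 4, P)     # modular sqrt, valid since P % 4 == 3
    y = beta if (beta & 1) == (recid & 1) else P - beta
    zG = mul(z, G)
    return mul(pow(r, -1, N), add(mul(s, (x, y)), (zG[0], -zG[1] % P)))

def who_signed(digest, sig, known_pubkeys):
    """Name the key holder whose public key matches the recovered one, else 'unknown'."""
    q = recover(digest, *sig)
    return next((name for name, pub in known_pubkeys.items() if pub == q), "unknown")

# Constructed keys: the account's posting key versus the app's (steemconnect-style) signing key.
USER_PRIV, APP_PRIV = 0x1D, 0x2A7
KEYS = {"user": mul(USER_PRIV, G), "steemconnect": mul(APP_PRIV, G)}
FOLLOW_DIGEST = hashlib.sha256(b"constructed stand-in for chain_id + serialized follow op").digest()
```

Run `who_signed(FOLLOW_DIGEST, sign(APP_PRIV, FOLLOW_DIGEST), KEYS)` to see the follow attributed to "steemconnect" rather than "user"; as the thread notes, this tells you the app layer signed, not which third-party app sat behind it.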

Ok, that sounds at least like it’s traceable and therefore (as OP was looking for) probably that at least it wasn’t himself that instigated the follow transaction.
