I dissected Streemian.com's user account creation privacy and security code live in a public chat room & found out it's all good!

in #streemian · 7 years ago (edited)

Have you heard of streemian.com?

I did a live dive last night, in a crowded chat room, examining the authentication mechanism and the personal data privacy and security code that streemian.com uses when you create a new account there and link it to steemit.com. Good news!

It's all good.

However, some people still have questions and concerns about sharing their private active key or steemit password there.

And that's completely understandable.

So I checked it out.

Recently in chat, some of my fellow chatters were very interested in streemian.com's services but were also expressing concerns about the safety of signing up at this third-party site, since the only two options offered for creating an account at streemian.com are your steemit.com private active key or your steemit.com password.

Somebody needs to look into this, it was decided among the chatters.

After I came to understand their concerns, I decided to check into this for myself. I promptly headed off to github.com, an online "repository" where open source programmers and systems developers share code for open source software projects, including pieces of steemit.com and other sites you use and rely on to get routine things done.

By way of qualification, I happen to have about 30 years of programming experience in my career background and I am just a newly registered account user on streemian.com. I am not part of the people who build and maintain it. This is just me being curious with some other people.

So I decided to take a look at the source code for the user authentication portion of streemian.com's JavaScript code, as well as the source code for steemit.com's publicly available JavaScript API client, and determine the following kinds of things:

  1. How streemian.com uses your personal account keys and login information, and how it communicates with steemit.com on your behalf without putting you at risk
  2. If your private information is being stored or retained at all anywhere in the process
  3. How your data is protected from theft from the inside and outside of streemian.com
  4. Any advanced options to avoid exposing your keys for extra tight security

"JavaScript" code is programming code that runs on your local computer or smart device, inside the browser you have chosen to use; the state it builds up lasts only until you refresh or move away from the page that contains it.

The very first good thing to note, is that I could see ALL of the necessary code to login and create an account on streemian.com.

The next thing that's important here and once again all good, is that the code is all 100% basic javascript and thus all the code that runs while using personal information was available right in front of me and to you and to anyone on earth at anytime. Nothing was "hidden" on the server or elsewhere that I could not see and read for myself in the repository copy of the code.

I read every line of code in the fairly compact and concisely programmed little block of software used in this process and followed every logical decision juncture in the code to every logical conclusion.

Effectively I read and worked out every line of code in the stuff that would run on the account creation dashboard when you are using your personal information.

The way I did all this is a combined process of wisdom, experience, magic, coffee and cold pizza. Fueled by questions from the crowd in the chat room discussing the topic, I covered every angle and went down every avenue.

I could elaborate for quite a while on the actual technical mumbo jumbo, and if anyone wants more specifics, ask me your questions in the comments below.

In the meantime, here is how this inspection went down live.

Live impromptu, publicly participated, Streemian security code inspection chat log

(slightly edited for easier readability)

[2:20 AM] sircork: the login creds are encrypted in a proprietary steemit way right in your browser with js via https://github.com/svk31/steemjs-lib over on GitHub.com as svk31/steemjs-lib so....

[2:20 AM] interested listener 2: that sounds good

[2:21 AM] sircork: it literally makes a string of gibberish locally that steemit can speak and confirms it via a simple RPC call

[2:21 AM] interested listener 2: so it's passing the login creds straight to the steemit JS file without sending it anywhere else

[2:21 AM] sircork: for way of reference, wordpress for example, uses this same concept to allow blogging from say, other apps and sites yeah and all this is local to joe-user's personal computer and totally safe

[2:22 AM] interested listener 2: ok with the API. thank you for checking out the code

[2:22 AM] sircork: in fact, it's simple as pie, and very common to generate safe keys this way

[2:22 AM] interested listener 2: You should write what you just did in the responses to that old Streemian post. you are doing very well

[2:23 AM] sircork: y'all want an example of how it works in layman's terms?

[2:24 AM] interested listener 1: Excuse me @sircork, just to be picky, but this just verifies the github version no? so if I say download it, but if I use the webform is it certain it will be the same code used there? excuse my lack of technical insight

[2:25 AM] sircork: you are correct. if you download the lib i linked and the source from the site, together, you could run this on any machine with a browser but you'd have to do some path configging to the files and what not in the index file of the app and here is how it works... let's say a guy named joe and I are the server and browser and we both speak joe-sircork - a special language (the encryption method) so then you come along and tell me - right in the browser your private active key locally, so far it's typed in and any javascript will handle on your local computer only but... it will talk to streemian.com and NOT give your personal details to joe or save them but still identify you safely and securely to joe and confirm your steemit account at the same time. How? Well, via your local javascript code on your own computer in your browser which first talks only to steemit.com to check your login, same as every time you come to steemit, but in the background, and gets back a yes or no. Then your browser turns the yes it got from steemit.com into an encrypted string of joe-sircork text thus turning my private data into the secret joe-sircork language that only both joe and I know how to decipher AND joe and steemit know how to speak the deciphered contents as well and we all know this is a NEWLY generated key provided by steemit.com which is not shown in your account info but which is called a public RPC key and we use that from here on out. Your private stuff is never saved, never sent anywhere but steemit.com for one quick yes/no check and from then on, a new encrypted string containing your RPC key is used for streemian.com. RPC, by the way, means Remote Procedure Call and it uses a secret key like a password in this context. Wordpress does this to allow you to control your blog from other tools for example. Or to use desktop based apps that can talk to it in a safe way.
This is not all entirely exactly accurate and programmers will beat me up for that but it's basically how it goes, enough to explain it in layman's terms that way.

[2:27 AM] interested listener 1: makes sense

[2:27 AM] sircork: your key is turned into this garbage and sent to joe over an https secure connection and he decodes it with his Captain Marvel mishmash pig latin decoder and works with steemit using its contents, which are NOT your private steemit info, but a newly salted rpc key made when you get your streemian account JUST for streemian's use on your behalf as I understand it so far. and then he checks in steemit (at steemit direct and only there). He says, yep that's the word and sends back an Ack or Fail so over the wire goes gibberish and only yes or no comes back once that is done the streemian site lets you in and never saves anything

[2:27 AM] interested listener 3: That's all fine, but how can I know for certain the website uses the same code? that they don't have some extra code just there to capture the key? I don't really want to run it locally, just to be able to trust that the web version is actually the same code you just read on github

[2:28 AM] interested listener 2: you could download the source code inside your browser and compare it to github code

[2:29 AM] sircork: ok, the way you can check the site vs local version is open the browser to the page we are talking about checking using chrome or FF, go to dev tools and find the hrefs to the js it calls and click them. that will open the code in your browser and it's undeniable. It can't be NOT the real code and you can compare side by side with the downloaded copy and given that's possible it's really not even worth bothering to do it. It's "already known" it cannot be any other way if you see what i mean

[2:31 AM] interested listener 2: Got u

[2:31 AM] interested listener 3: Thanks
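The side-by-side check discussed in the chat (find the script hrefs in dev tools, then compare the served files with the repository copy) can be automated. This is an added example, not streemian's or steemjs-lib's code: it lists every script a page loads, hashes the served bodies against the reviewed repository copies, and flags inline scripts, which have no repository counterpart. The HTML page, script bodies and paths are constructed samples; `served` is assumed to hold what the browser actually received and `reviewed` the copies read from GitHub.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Records the src of every external <script> and the body of every inline one."""
    def __init__(self):
        super().__init__()
        self.external = []   # src URLs the page loads
        self.inline = []     # bodies of inline scripts (nothing in the repo to compare)
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def check_page(html, served, reviewed):
    """served: script URL -> body the browser received; reviewed: URL -> repository copy.
    Returns a verdict per external script plus any inline scripts to read by hand."""
    collector = ScriptCollector()
    collector.feed(html)
    verdicts = {}
    for url in collector.external:
        if url not in reviewed:
            verdicts[url] = "not in reviewed set"
        elif sha256(served[url]) == sha256(reviewed[url]):
            verdicts[url] = "matches repository"
        else:
            verdicts[url] = "DIFFERS from repository"
    return {"scripts": verdicts,
            "inline_scripts": [s.strip() for s in collector.inline if s.strip()]}

# Constructed sample page and script bodies (not streemian's real files).
PAGE = """<html><body>
<script src="/js/steemjs-lib.js"></script>
<script src="/js/login.js"></script>
<script>console.log('inline: review me too');</script>
</body></html>"""
SERVED = {"/js/steemjs-lib.js": "function auth(k){return sign(k);}",
          "/js/login.js": "function login(k){auth(k);} // build 2"}
REVIEWED = {"/js/steemjs-lib.js": "function auth(k){return sign(k);}",
            "/js/login.js": "function login(k){auth(k);}"}

if __name__ == "__main__":
    print(check_page(PAGE, SERVED, REVIEWED))
```

A matching hash only shows that the served file equals the copy you reviewed, not that the reviewed copy is safe; a differing hash or an inline script is the case that needs a fresh read.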

After this chat occurred, I noticed that during it, one of the participants suggested I blog this content.

That led to someone recommending by PM that I include some of the tags and project images to help users identify what I'm referring to in this article in general, as something they have seen around steemit already and should check out for themselves as well!

Streemian.com offers useful services to steemit users including post scheduling and other handy offerings. The PAL Minnow Support Project operates as a sort of community and club for new steemit users known as minnows and comes with many benefits to membership for our newer steemit community friends.

So I agreed to do so. I did all this research out of my own curiosity and was not influenced by anyone beforehand. In full disclosure, since doing this, I joined the #MinnowSupportProject member community and I am now a member of the Minnow Support Project club as a full blown newbie minnow, with no other connection to the code I audited herein except professional admiration for a job well done by people who did it for the community, by the community and with only the steemit community in mind.

You can learn more about streemian.com and the P.A.L. Minnow Support Project via the following link and tags:

Streemian.com

P.A.L. Minnow Support Project
#minnowsupportproject #minnowsupport

Come join P.A.L. in the discord chat app. Just do a global search at steemit.com for either the #minnowsupport or #minnowsupportproject posting tags to find the latest information and P.A.L. discord channel invite codes.

I hope you found all of this helpful and informative.

Feel free to post any questions, comments, concerns, additional details, or content corrections in the comments below! :D

And with that, this post is finished.

Full steem ahead, steemitizens!
@sircork

PS: Thanks to @NicNas for being the participant who nudged me into finally getting this post put together and published.

PPS: I hate to put him on the spot, unannounced, but I've been told that @xeroc is the steemit user who can best answer more detailed questions about this system.


I tried to sign up for streemian today; it seems broken; at least several of its services are not working it seems. I checked the chat; looks like maybe the last 2 weeks or so, it's been limping along. I understand it's Aug and everybody takes holiday, just wanted to point out it looks pretty busted now.

I have noticed 2 things of interest here:
a) Some people report on the #streemian chat that they have signed up; then lost access to their account. Who knows if this is true, or has anything to do with cause and effect, just pointing it out.
b) the "tool" subdomain page that asks for Active Key, is NOT an HTTPS address; and when I try to force it, it fails. Any idea why?

Thanks for any clues; I'd like to gather some input, and try to understand if this is temporary, and if the folks losing access to their accounts are just trolling.

I really have nothing to do with streemian. One night well over a month ago, concerns were voiced in chat about sharing keys with them to log in, so I went and grabbed their publicly available code on github and analyzed it for "safety", which it proved to be just fine in terms of sharing keys with them and them not actually getting your keys at all. Beyond that I've never really even BEEN to streemian.com for anything at all. I have heard over the past couple weeks, in passing, as rumors in chat, that there have been "block chain node issues" affecting many services and bots like those streemian apparently offers? To be honest, I've been focused on nothing but running my own medium sized software company and building the MSP Waves radio station 23 hours a day. I have no idea what's going on in the blockchain or with 3rd party services like this one these days at all. So, sorry, I'm the wrong guy for clues, unless you need to know when the next DJ goes live on MSP Waves :) Good luck!

Thank you for helping the Minnow Support Project out.

For your hard work: 10 SBD

You deserve more but I think the upvotes should help cover the difference a little.

Awww shucks! Thanks! I will pay it forward! And apply retro to the boost I put on this before with good old @randowhale! He's so cute, that big cuddly sea beast.

Thank you Sircork, I too created and unlocked my account with Streemian and Steemvoter last night... followed minnowsupport trail... I am still exploring how to make the best use of it... will go thru your post in detail later... many thanks for plunging into this on behalf of others.. much appreciated

You're welcome! Thanks for reading.
Here to serve: @sircork - Defender of the community, plunging the plumbing for all! :D

Hey friend, I'm so glad to see this post! I was in the chat earlier and was really confused and doubtful of the streemian. My main question was - why if they are only using voting permissions, do they not just require that key? The active key is supposed to be for transfers, but that's the one they want. I've held off on joining, even though I want to support my fellow minnows, but I really need to understand what I'm doing to feel comfortable about it. To be honest, I don't understand half of what you're saying in this post, but I trust that you know what you're talking about. Any thoughts on the active vs posting key?

Great question! They don't even need your active key to do anything except ONE initial thing... It requires the master key so to speak, to ask steemit.com to allow your account to give THEM the new secret only streemian and steemit will share between each other. It's not one of your account keys at all, it's called an RPC key containing an encoded "this dude's okay with us" message inside of it.

They never even see your secret stuff. The browser talks only to steemit with what you type in, just like logging in at steemit, "in person". Make sense? It gets back the new streemian specific generated magic password and boom, promptly forgets everything your browser and steemit knew about you as soon as you leave that page.

Okay, that is starting to make sense. Could they not use the posting key to do this though?

No. "Posting" by its very definition can only "Post" on your behalf. They needed to generate an RPC key to submit votes and scheduled posts and things via a robot that isn't you yourself. That acts like you yourself. It's a different kind of API basically, a simpler one. But it takes permission to make that individual RPC key at the master level of your account to dedicate to streemian for this purpose.

The definition under the posting key says its used for voting also. But perhaps it's the scheduling that makes it not enough?

Honestly, here's the proof I'm not an "insider" defending this app lol. I have no idea what the full range of Streemian's offerings are. I was in the middle of signing up for the whole Minnow Support Project when this came up in chat, and I dove in to reading code. I know all about how their login auth works, but I have far less idea what they actually sell. I just know that they cannot take over my steemit account or play with muh moneez ;) I could undo or delete anything else they could do, so... who cares? More or less? right?

Lol, well I really appreciate the research and the post, because I was not going to join until I felt good about it. I really don't understand it all, but you really seem to have checked all the bases. I assume you've joined already? My last question about Streemian is regarding being able to cancel or deregister should we decide to. In your findings, did that seem like an easy thing to do?

I joined last night. I must honestly admit I don't know about cancellation. But let's take the example there is a kill switch on your account. Unfortunately they would be storing their personalized key on their side for the operation of their services, and cancelling your account may disable your access to their site, if cancelling IS an option, but I cannot see from outside whether they delete their personalized RPC key or not. Again, my position after 30 years in software though, is that it doesn't really matter. If they abused this, so many people would complain to steemit so fast that steemit would kill their RPC keys, and if they don't well, they were never malicious to begin with. Also, if they did, you'd see the activity in your account. They couldn't hide it. It's bad business and there is no valuable reason to "hack" you in the first place. Occam's razor. No reward, no reason to hack. And there is no reward available to them to do so.

I guess I'm concerned about the new secret between streemian and steemit. What will this new key enable? (I mean in a worst case scenario, not just what it's doing on the up and up). I just feel like giving it the "this dude's okay with us" all free permissions seems like a bad idea...

It's only allowed to do what the steemit rpc interface allows. Documentation of that is beyond the scope of this post. This post merely serves to confirm that at no time does streemian ever know your active secret key or steemit password.

Thanks for compiling this into a handy article! I'm sure there are way more people than me that stopped at the point where streemian asks for the keys or password for lack of being able to verify the code themselves... Great stuff man! :)

Thanks for your prior collaboration in the chat room, "interested party" ;)

Thank you very much for taking the time to dissect this code. Safety of our community should be a top priority!

Exactly, you are quite welcome! Thanks for reading!

I have been meaning to check out the minnow support and now I have even more reason :) Thank you for sharing. I am not a programmer, but I have spent hours in manic modes convinced that my boyfriend was hiding stuff. Ha. In any case, now that I sound crazier than I am, I just want to say good job and thank you for taking the time to share!

Thanks Rumdancer! Pleased to meet you and already know more than I should! :P I'll meet you halfway. I'm no rum dancer. I'm more of a whisky tripper! :)

Thanks for reading!

thanks @sircork Good info voted and resteemed

Thank you for reading!
