You are viewing a single comment's thread from:

RE: SCAM ALERT: No witness will ever ask you for your passwords or keys!

in #security7 years ago

If you want to post once using SteemConnect then posting key is enough, but in your case you were changing posting authority which require active key (you authorized both: dlive.app and busy.app to post on your behalf).
You can see details here: https://steemd.com/@polebird
As you can see those accounts are listed under "Posting" but to list them there you had to use your Active Key.

Sort:  

Ah so they are still ok though right? As long as it’s through Steem connect? Are there circumstances we shouldn’t be providing active using Steem connect assuming that the site is requiring use of more than just the posting key?

First of all, the best approach is to treat every case of "enter your secret here:" as NOT-OK situation. Scammers always do their best to present you something that looks ok. Similar domain name, same page layout that you are familiar with, etc.
After you are sure that it's really SteemConnect asking you for a key, you still need to make sure what it will be used for.
For example you can use this link:
https://steemconnect.com/sign/vote?voter=polebird&author=polebird&permlink=re-gtg-re-polebird-re-gtg-scam-alert-no-witness-will-ever-ask-you-for-your-passwords-or-keys-20180227t054353477z&weight=1
to 1% upvote your own comment (that I'm now replying to).
SteemConnect will ask you if you want to confirm this operation (explicitly stating what it will be), or in case of an applications if you want to authorize certain Steem account @some_application.app to use your posting role (it shouldn't be asking for anything more than posting role, but as I wrote before, to authorize some app to use your posting role you have to confirm that with your active authority (app itself will not get that privilege)).
Of course there's a risk that app will become malicious, so it's not wise to authorize random apps without ensuring first that they have solid reputation.