Were you afraid of Streemian like I was/am??

joel-wandimi (36)in #streemian • 7 years ago

I was afraid that Streemian.com was another phising site. I mean, they are a third-party app/website after all and I had just submitted my steemit account information to them, worried that they would steal some of my account value once it had accumulated to considerable levels. I even thought of the worst case scenario where they would collect account information from different people and wait for the right moment to steal their steem, so to speak. When the streemian website seemed to have become non-functional, I almost panicked. I contemplated opening another steemit account because my first one had been compromised. After all, I thought, my account was fairly young and I had not invested too much time on it.

However, after studying a bit more about streemian, my fears were reduced significantly. I learned that Streemian does not have access to its users’ funds because of STEEM’s secure three permissions system. Every STEEM account is underpinned by three permissions. These permissions are the owner, active and the posting. Posting is used to enable the user’s password, their cryptographic key or another user to post using the particular account. The streemian app only makes use of the posting permission. This permission grants streemian the ability to post and vote using the subscriber’s STEEM account. The user also has the permission to detach the streemian account from their STEEM account.
Hold up! There is a catch. New posting permission can only be attached to the STEEM account if the transaction has been enabled using the active key. Streemian requests either the user’s STEEM password or active private key. This part was my biggest concern. This key enables anyone to get access to the key owner’s funds. There are some factors that prevent the funds from leaving the STEEM account.
• First, the streemian app is an open source app. It May be reviewed by clicking the banner at the top.
• Secondly, the streemian app is downloadable. The user can download it fully and run it locally via github releases.
• Thirdly, the user’s private key does not leave the browser at any moment. The app does not facilitate the retrieval of the password and private key from the browser. Indeed, the transaction to change account occurs and is signed within the browser. There is no further communication that happens other than collecting the account data as well as broadcasting the change is needed.
• Fourthly, no storage of passwords or private key happens.
Do these factors douse my fears about the Streemian app? Hmm.,. What do you think? Let me know in the comments section.

#security #curation #phising

7 years ago in #streemian by joel-wandimi (36)

Sort:

stbrians (54) 7 years ago

Quite informative

$0.23

1 vote

[-]

cmbugua (47) 7 years ago

I have checked the site, really great project, but that using you private key part still scares me abit, point 3

How can I access my account using Steemit.com? Since steemit.com won't let you login with the account if it has the owner key associated with it you can do to access the funds of your account like this: 1. Get back to the paperwallet generator 2. Provide the account name and password to derive the keys 3. Pick the active private key (starting with 5) of your account 4. On Steemit.com, login with the username username/active and the private key from 3. as password 4. It should be possible to do the same thing with the posting key aswell, except that you won't have access to your funds, but can post, vote, and comment

But i can see it's possible to set up the voting, posting permissions and do for funds later or when need be, but one needs to tincker with it first.

$0.00

[-]