HiveSigner is INSECURE? - discussion and deep dive

There was some discussion about HiveSigner, and someone said it was "secure". I think it's QUITE INSECURE, and I said as much. I got some pushback, which motivated me to make this post - by the way, this is how discussions happen. We can all (probably) agree that discussions are good, so we shouldn't feel bad about disagreeing.

The basic argument is, people who are not quite sure how it works think it's secure, and are sure that anyone saying it's not is spreading disinformation. Like this comment from @tibfox this morning:

Notice the use of "as far as I know". I am spreading disinformation, because "as far as someone knows", HiveSigner is fine, it must be fine, we are pretty sure it's fine, because it's still around, and if it wasn't fine, someone would say something.

Except whenever someone says something, we are just assured that "as far as I know", it's secure and safe and wonderful.

Trust me bro

The words "secure", "safe", "valid" - they are adjectives. Technically, they don't mean much, and it might be the case that one part of an app is totally "safe", and another part completely "dangerous". We should probably define our terms, talk about the reality, go through the app - and talk about it. That is what I plan to do today. To go through all the UNSAFE, INSECURE and INVALID parts of HiveSigner that I clearly see - on my screen, right in front of my face, every time I have the displeasure of finding myself interacting with HiveSigner. These things could be fixed, and that would make HiveSigner MORE secure, more safe, and more valid.

So come along with me to "hive.vote", and once we get there - hit "login" and we are taken to this page.

For security, I have created a new account using our new account creation tool, which one of these days I will get around to announcing - I like it because I get to pick my master password, which is fun.

Now let's go ahead and use our memo key, some might say this is the least worrisome, or "most secure" key, and it is clearly recommended by HiveSigner - and see what happens.

It doesn't like the memo key - now it tells me I should use the master password or AT LEAST the posting key, whatever that means. Very safe and secure, the instructions have changed halfway through. Okay, well, let's try that posting key then. According to the page we are using, HiveSigner just wants to "see our current account username". Super safe and secure experience for users.

So we go back to our txt file and copy the private posting key, put it in and we do get to log in to hive.vote. I tested the owner key, it actually does work to log in, as well as the master password. They work to log in with! Just the memo key is a lie, on this page.

So now we are into hive.vote - the only autovoter left in our ecosystem, and we have this wonderful message:

Very cryptic stuff, but this article is not about how hive.vote is garbage, but we must once again use hivesigner to add "posting authority". Now you can do that here https://thecrazygm.com/hivetools/account/authority, if you have Keychain browser extension or Keychain Mobile App, but assuming we don't have that, let's try to use HiveSigner again.

The trick is here, that changing authorities, even posting authorities, is an active key transaction. Let's see what HiveSigner says:

This was actually a pleasant surprise to me, I believe this has been updated since the last time I raged against this app, but it correctly informs us that we will be required to put in our active key (since we have only logged in with posting key).

While playing around, I also confirmed that if you log in with owner key or master password (probably active key too), it will just let you click authorize. We can assume that these things are "just" stored in our browser cache, since I was able to delete them (which by the way is NOT a secure place to put keys unencrypted, anyone remember the recent Leo fiasco with browser stored keys?), but it's also not really a great idea to assume things about key management either.

So now I hit continue and get....

Hmmmm, this is not quite expected, a little unclear, but I guess we need to "Add another account"?

Welcome back!

And we are back to our good old friend, the "add any key to get scolded" page. Sure, we were told that we would need "at least" the active key (by the way, I don't think four different keys are necessarily in an order, or if there is an order, it's somewhat subjective), but once again we are being recommended options including MEMO KEY (which never works for anything) and Posting Key - which we already know is "not enough", and won't work.

So for fun I added my Owner Key, and we are taken back to the option to authorize the app.

Once we click authorize, we are quickly flashed a screen that explains we have given posting auth to 'steemauto', and redirected back to Hive.Vote.

I was a little surprised that I could sign authority operations with owner key, but I guess it is possible, so I am learning something today. After all, it's THE FIRST recommendation of HiveSigner (but at least it works, unlike many of its other front page instructions).

What's in the browser?

So by navigating around in my Opera GX browser, and learning a few things along the way, I was able to find my private Owner key in the Local Browser storage. I am actually not sure how secure this is, so I just asked Google, here is what Google says:

Tell me I am a crazy disinformation spreader, but suddenly I don't feel like "trust me bro" "as far as I recall its secure" is a good enough answer; I don't feel safe or secure - in fact, people also ask:

@good-karma?

I want to be clear, I like (and "trust") @good-karma, who (as far as I know), is in charge of making sure HiveSigner keeps working, as a legacy piece of software. And he has done that. I don't think he is phishing keys or in any way would host or build something that would actually BE an attack vector. But that doesn't mean that this piece of software he inherited is GOOD, or safe, or secure or valid.

HiveSigner - in my humble opinion - is not only confusing and uncomfortable but, based on my deep dive today, seems literally INSECURE and UNSAFE. Please stop insisting that it is safe and secure because someone told you it was.

And since I did reveal them here, I guess I will go ahead and change my keys now, using our amazing, and actually safe and secure, best key changer for HIVE.

Go ahead and let me know what you think, in the comments below.

Freedom and Friendship

0.44266479 BEE
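
An added example, not part of the original post or of HiveSigner's code: a small JavaScript audit that walks a Storage-like object (such as `window.localStorage`) and reports which entries hold strings shaped like a Hive private key in WIF form, the situation described under "What's in the browser?". The names `looksLikeWif` and `auditStorage`, the sample entry names and the throwaway key-shaped value are assumptions constructed for illustration.

```javascript
// Added example: audit a Storage-like object for values shaped like Hive private keys (WIF).
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
// Base58 <-> bytes via BigInt; leading zero bytes are ignored (a WIF payload starts with 0x80).
function b58decode(s) {
  let n = 0n;
  for (const ch of s) {
    const i = B58.indexOf(ch);
    if (i < 0) return null;            // not base58
    n = n * 58n + BigInt(i);
  }
  const bytes = [];
  for (; n > 0n; n >>= 8n) bytes.unshift(Number(n & 0xffn));
  return bytes;
}
function b58encode(bytes) {
  let n = bytes.reduce((a, b) => (a << 8n) | BigInt(b), 0n), out = '';
  for (; n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  return out;
}
// Structural WIF test: 51 chars, leading '5', decodes to 0x80 + 32-byte key + 4-byte checksum.
// The checksum itself is not verified here, so a hit means "key-shaped", not "valid key".
function looksLikeWif(v) {
  if (typeof v !== 'string' || v.length !== 51 || v[0] !== '5') return false;
  const b = b58decode(v);
  return b !== null && b.length === 37 && b[0] === 0x80;
}

// Walk every entry, descending into JSON values; return locations only, never the secret.
function auditStorage(storage) {
  const hits = [];
  const walk = (val, path) => {
    if (looksLikeWif(val)) hits.push(path);
    else if (val && typeof val === 'object')
      for (const [k, v] of Object.entries(val)) walk(v, `${path}.${k}`);
  };
  for (let i = 0; i < storage.length; i++) {
    const name = storage.key(i);
    const raw = storage.getItem(name);
    let parsed = raw;
    try { parsed = JSON.parse(raw); } catch { /* plain string value */ }
    walk(parsed, name);
  }
  return hits;
}

// Constructed sample: a throwaway payload (0x80, 32 x 0x11, zero checksum) and a mock Storage.
const fakeWif = b58encode([0x80, ...Array(32).fill(0x11), 0, 0, 0, 0]);
const entries = { theme: 'dark', accounts: JSON.stringify([{ name: 'alice', owner: fakeWif }]) };
const mockStorage = { length: 2, key: i => Object.keys(entries)[i], getItem: k => entries[k] };
```

In a browser console the same function can be pointed at your own `localStorage` for a given site; any location it reports is a reason to remove the entry and rotate that key.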
6 comments

Storing private keys in local storage is definitely not secure.

0.00460759 BEE

In my opinion, the fact that the app encourages Owner key or Master password just makes this worse.

0.00000000 BEE

Terrible! hive.vote is probably one of the most used services on Hive and doesn't have Keychain integration.

Great job testing it! I never use HiveSigner; even though I never did this research, I never trusted it. And it's one of the oldest sign-in options still accepted by all frontends?

0.00176131 BEE

Thanks for the deep dive! I'm not technically savvy security-wise, but I never felt that comfortable putting my keys in HiveSigner. I would love to have a similar app to hive.vote with decent UX and buffed security... let's see if it comes true one day!

0.00457427 BEE

Hello, happy afternoon. First of all, the post is very good, and I think that in its content you showed the reasons why you say that it is unsafe.
I really don't use it much, since I find it confusing and short on information for users; I only used it in Hive-vote and I think a couple of times to support some proposals.
But, in reality, you prove that you are right in the argument you make regarding the security of the application.
I also want to take this opportunity to thank you for the two tools that you recommend, the password change tool and the account creation tool.
It seems to me a very informative post that educates the user and explains, in a simple way, some facts that are not well known in the area of application security.
The same is clear for the safekeeping of keys, since there are many people who use them in the browser, and that is usually very dangerous at the time of a hack.
I find the information very good and educational, thank you very much.


0.00172596 BEE

Here's a hot take: People who use autovoters deserve to have their keys compromised :P

0.00000000 BEE

Yeah, that's not good. I try not to use HiveSigner if I can help it, but it's sometimes not an option. This is definitely worrisome. 😁 🙏 💚 ✨ 🤙

0.00000000 BEE