HiveSigner is INSECURE? - discussion and deep dive

in HiveDevs, 29 days ago

There was some discussion about HiveSigner, and someone said it was "secure". I think it's QUITE INSECURE, and I said as much. I got some pushback, which motivated me to make this post - by the way, this is how discussions happen. We can all (probably) agree that discussions are good, so we shouldn't feel bad about disagreeing.

The basic argument is that people who are not quite sure how it works think it's secure, and are sure that anyone saying it's not is spreading disinformation. Like this comment from @tibfox this morning:

[screenshot]

Notice the use of "as far as I know". I am spreading disinformation, because "as far as someone knows", HiveSigner is fine; it must be fine; we are pretty sure it's fine, because it's still around, and if it wasn't fine, someone would say something.

Except whenever someone says something, we are just assured that "as far as I know", it's secure and safe and wonderful.

Trust me bro

The words "secure", "safe", "valid" are adjectives. Technically, they don't mean much, and it might be the case that one part of an app is totally "safe" and another part completely "dangerous". We should probably define our terms, talk about the reality, go through the app, and talk about it. That is what I plan to do today: go through all the UNSAFE, INSECURE and INVALID parts of HiveSigner that I clearly see - on my screen, right in front of my face, every time I have the displeasure of finding myself interacting with HiveSigner. These things could be fixed, and that would make HiveSigner MORE secure, more safe, and more valid.

So come along with me to "hive.vote", and once we get there, hit "login" and we are taken to this page.

[screenshot]

For security, I have created a new account using our new account creation tool, which one of these days I will get around to announcing - I like it because I get to pick my master password, which is fun.

[screenshot]

Now let's go ahead and use our memo key - some might say this is the least worrisome, or "most secure", key, and it is clearly recommended by HiveSigner - and see what happens.

[screenshot]

It doesn't like the memo key - now it tells me I should use the master password or AT LEAST the posting key, whatever that means. Very safe and secure; the instructions have changed halfway through. Okay, well, let's try that posting key then. According to the page we are using, HiveSigner just wants to "see our current account username". Super safe and secure experience for users.

[screenshot]

So we go back to our txt file and copy the private posting key, put it in, and we do get to log in to hive.vote. I tested the owner key; it actually does work to log in, as does the master password. They work to log in with! Just the memo key is a lie, on this page.

So now we are into hive.vote - the only autovoter left in our ecosystem, and we have this wonderful message:

[screenshot]

Very cryptic stuff, but this article is not about how hive.vote is garbage. We must once again use HiveSigner to add "posting authority". You can do that here https://thecrazygm.com/hivetools/account/authority if you have the Keychain browser extension or Keychain Mobile App, but assuming we don't have that, let's try to use HiveSigner again.

The trick here is that changing authorities, even posting authorities, is an active key transaction. Let's see what HiveSigner says:

[screenshot]

This was actually a pleasant surprise to me; I believe this has been updated since the last time I raged against this app. It correctly informs us that we will be required to put in our active key (since we have only logged in with the posting key).

While playing around, I also confirmed that if you log in with the owner key or master password (probably the active key too), it will just let you click authorize. We can assume that these things are "just" stored in our browser cache, since I was able to delete them (which, by the way, is NOT a secure place to put keys unencrypted; anyone remember the recent Leo fiasco with browser-stored keys?), but it's also not really a great idea to assume things about key management either.
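The check HiveSigner is making at this step, written out as an added example (this is not HiveSigner's or hive.vote's code): it builds the Hive `account_update` operation that grants posting authority to an app, and works out which key is the weakest one that can sign it. Assumptions: the app account is "steemauto", as the authorize screen later in this post says; the STM... public keys and the account name are made-up placeholders; the list of active-key operations is a small illustrative subset. The ranking is the chain's: owner authority satisfies active, active satisfies posting, and the memo key signs nothing at all, which is why it can never get you past this page.

```javascript
// Added example (not HiveSigner or hive.vote code). Models the authority
// check a signer must make before asking the user for a key, using the field
// layout of Hive's account_update operation. Placeholder keys/names are made up.

// Owner authority satisfies active, active satisfies posting. The memo key is
// deliberately absent: it only encrypts memos and cannot sign any operation.
const LEVEL_RANK = { owner: 3, active: 2, posting: 1 };

// A master password is not a key; the four keys are derived from it, so a
// signer that accepts it effectively holds owner (and everything below).
function levelOfCredential(kind) {
  return kind === 'master' ? 'owner' : kind;
}

// Small illustrative subset of operations that need the active key.
const ACTIVE_OPS = new Set(['transfer', 'transfer_to_vesting', 'withdraw_vesting', 'limit_order_create']);

// Minimum authority for one operation, given as [name, body].
function requiredAuthority([name, body]) {
  if (name === 'account_update') {
    // Touching the owner authority needs the owner key; anything else in
    // account_update (the posting authority included) needs active.
    return body.owner !== undefined ? 'owner' : 'active';
  }
  if (name === 'custom_json') {
    return body.required_auths && body.required_auths.length > 0 ? 'active' : 'posting';
  }
  return ACTIVE_OPS.has(name) ? 'active' : 'posting';
}

// A transaction needs the strongest authority among its operations.
function requiredAuthorityForTx(ops) {
  return ops.map(requiredAuthority).reduce((a, b) => (LEVEL_RANK[a] >= LEVEL_RANK[b] ? a : b));
}

function canSign(credential, required) {
  const level = levelOfCredential(credential);
  if (!(level in LEVEL_RANK)) return false; // memo key, or anything unknown
  return LEVEL_RANK[level] >= LEVEL_RANK[required];
}

// New posting authority with appAccount added. The existing key_auths and
// threshold are carried over: account_update replaces the whole authority,
// so dropping them would silently remove the user's own posting key.
function grantPostingAuthority(current, appAccount, weight = 1) {
  const others = current.account_auths.filter(([name]) => name !== appAccount);
  const account_auths = [...others, [appAccount, weight]]
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0)); // chain requires sorted, unique names
  return { weight_threshold: current.weight_threshold, account_auths, key_auths: current.key_auths };
}

// Taking the authority away again is the same operation with the entry removed.
function revokePostingAuthority(current, appAccount) {
  return { ...current, account_auths: current.account_auths.filter(([name]) => name !== appAccount) };
}

// account_update carries memo_key and json_metadata even when they are
// unchanged, so the current values must be passed through.
function buildAccountUpdate(account, posting, memoKey, jsonMetadata) {
  return ['account_update', { account, posting, memo_key: memoKey, json_metadata: jsonMetadata }];
}

// Walk-through with constructed data: which credentials get past "authorize"?
function demo() {
  const currentPosting = {
    weight_threshold: 1,
    account_auths: [['zzz.someapp', 1]],
    key_auths: [['STM5_placeholder_posting_pubkey_not_real', 1]],
  };
  const posting = grantPostingAuthority(currentPosting, 'steemauto');
  const op = buildAccountUpdate('alice', posting, 'STM7_placeholder_memo_pubkey_not_real', '{}');
  const need = requiredAuthorityForTx([op]);
  const verdicts = {};
  for (const cred of ['memo', 'posting', 'active', 'owner', 'master']) {
    verdicts[cred] = canSign(cred, need);
  }
  return { need, verdicts, account_auths: posting.account_auths };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two things the demo makes visible that the screenshots only hint at: the memo key is rejected for every operation, not just this one, and the posting key fails here because the operation is `account_update`, not because the signer changed its mind. The master password gets through only because the signer derives the owner key from it on the client, which is exactly why a screen that asks for it deserves suspicion.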

So now I hit continue and get....

[screenshot]

Hmmmm, this is not quite expected, a little unclear, but I guess we need to "Add another account"?

[screenshot]

Welcome back!

And we are back to our good old friend, the "add any key to get scolded" page. Sure, we were told that we would need "at least" the active key (by the way, I don't think the four different keys are necessarily in an order, or if there is an order, it's somewhat subjective), but once again we are being recommended options including the MEMO KEY (which never works for anything) and the Posting Key, which we already know is "not enough" and won't work.

So for fun I added my Owner Key, and we are taken back to the option to authorize the app.

[screenshot]

Once we click authorize, we are quickly flashed a screen that explains we have given posting auth to 'steemauto', and are redirected back to Hive.Vote.

I was a little surprised that I could sign authority operations with the owner key, but I guess it is possible, so I am learning something today. After all, it's THE FIRST recommendation of HiveSigner (but at least it works, unlike many of its other front page instructions).

What's in the browser?

[screenshot]

So by navigating around in my Opera GX browser, and learning a few things along the way, I was able to find my private Owner key in the browser's local storage. I am actually not sure how secure this is, so I just asked Google; here is what Google says:

[screenshot]

Tell me I am a crazy disinformation spreader, but suddenly I don't feel like "trust me bro" or "as far as I recall it's secure" is a good enough answer; I don't feel safe or secure. In fact, people also ask:

[screenshot]

@good-karma?

I want to be clear: I like (and "trust") @good-karma, who (as far as I know) is in charge of making sure HiveSigner keeps working, as a legacy piece of software. And he has done that. I don't think he is phishing keys or would in any way host or build something that would actually BE an attack vector. But that doesn't mean that this piece of software he inherited is GOOD, or safe, or secure, or valid.

HiveSigner - in my humble opinion - is not only confusing and uncomfortable; based on my deep dive today, it seems literally INSECURE and UNSAFE. Please stop insisting that it is safe and secure because someone told you it was.

And since I did reveal them here, I guess I will go ahead and change my keys now, using our amazing, and actually safe and secure, best key changer for HIVE.

[screenshot]

Go ahead and let me know what you think, in the comments below.

Freedom and Friendship


The broader issue here is the lack of other installation/hardware-free login options that are user-friendly to newbies, other than another OAuth2 solution (web2 logins) which currently only works on very specific apps and for that app/platform only (i.e. VSC-related transactions which are signed EVM txs behind the scenes, InLeo social logins specifically for that only, just to name a few). These accounts cannot be ported to another Hive app without the user exporting the keys and importing it somewhere else.

All wallet providers supported on Aioha that aren't HiveSigner either require installing something on the user's browser/phone or having a hardware device (only one exists, which I strongly do not recommend). The only FAQ of adding a "plaintext key" provider (beekeeper maybe?) probably won't do much other than safeguarding against potential DNS hijacking on hivesigner.com, but the same can happen to the app itself.

For some reason, we missed this post and didn't notice the mention. Apologies. Any application (web, extension, mobile app) that helps you sign transactions stores or uses your keys for the intended purpose. Security of Hivesigner depends on the security of your own device, of course; Hivesigner doesn't send your keys anywhere in any way, it only keeps them in your local browser. Just like Keychain, just like any other direct way of login. That's why there are different levels of keys, so you only use them in trusted and open-source apps for the specific operations you need to sign. The way Hivesigner works is slightly different in that you can give posting authority to an application once and don't need to use the Active, Owner or Master password keys ever again, even on Hivesigner itself, and you can take away posting authority anytime from any app. In your example, hive.vote is utilizing posting authority, so you are required to give that authority with your active key; if you know that, you just use your active key and can remove your account from Hivesigner, that's it. All other keys are used for specific use cases within Hivesigner; the memo key or other key login is suggested because if you are unsure what key you need, you can try any key until you find one that works. Yes, this can be improved, but here you are not talking about improvement suggestions.

Hivesigner is open source and maintained by our team, so if you don't trust the Ecency team, always check the source code to know what it does with your keys: https://github.com/ecency/hivesigner-ui.

When we inherited the Hivesigner codebase, we did an extensive review and a complete rewrite of most of the logic, so it has been reviewed at least by the previous creators and our team.

Deep dives like this should be done on all apps so people know what's doing what. Only be objective about what you find and/or ask the team if you have concerns/questions; tell the team if you find bugs, and after all that, release findings along with suggestions.

Isn't this the same issue LeoAuth got a ton of crap about a while ago?

I am pretty sure if it's not EXACTLY THE SAME, then it's like, 99% the same issue 😅

Man, khal and team got sooo much crap over that 😅
Good that you acknowledge it though, because it's like you say, not that secure 😅

Nope, they had stored the keys in a cookie. Now they store them in local storage but, unlike hivesigner, they are encrypted with a pincode. On top of the cookie thing, they sent the private key over the internet at the beginning - that's when the whole thing blew up.

Alright, noted! :)

Storing private keys in local storage is definitely not secure.

In my opinion, the fact that the app encourages Owner key or Master password just makes this worse.

Hive.vote is as much the problem here by not updating to use Keychain. I've always been dubious of hivesigner, but that is shocking; time to sunset it, we have a better, easier, safer way now.

Terrible! hive.vote is probably one of the most used services on Hive and doesn't have keychain integration.

Great job testing it! I never use hive signer; even though I never did this research, I never trusted it. And it's one of the oldest sign-in options still accepted by all frontends?

It's on our list to do a new auto-voter tool. Sometimes I wish we could clone ourselves to move faster through the pipeline, but "soon" we will look to at least give another option to the mostly abandoned (but it does work) hive.vote.


Any site that asks for a 'master key' seems dodgy to me. They shouldn't need that level of access.

Key security is not an easy problem to solve and so we have to trust the developers for such tools. I would hope that anyone with real concerns can feel free to speak out, but obviously should go to the devs first if there is an immediate risk.

This is legacy software, as you say (and @techcoderx mentioned) these are tricky issues.

I never made a post before, I just ignored this legacy login method (which was more secure in its day than copy pasting keys).

But I felt compelled to look into it and make a post when I felt mistreated for not drinking the koolaid and exclaiming that it was the most safe and secure app in the world, which it is not.

Here's a hot take: People who use autovoters deserve to have their keys compromised :P

Ah, thank you for confirming my suspicion. !LOLZ

I looked at HiveSigner when I started on Hive and when I compared it to how KeyChain does security I stuck to KeyChain.

Much appreciated review.

!PIMP


Yeah, that's not good. I try not to use HiveSigner if I can help it, but it's sometimes not an option. This is definitely worrisome. 😁 🙏 💚 ✨ 🤙

Thanks for the deep dive! I'm not technically savvy security-wise, but I never felt that comfortable putting my keys in hivesigner. I would love to have a similar app to hive.vote with decent UX and buffed security... let's see if it comes true one day!

You can pre-add the authority through other interfaces like PeakD and Hive.blog.
I believe everything should support keychain, but even that isn't audited.

Yes, which is probably the most secure way to use HiveSigner!

What would an "audit" or auditor do?

Keep an eye on the github repo?
Look for exploits in the live app?
"PenTest" the company itself?

Generally, review the code for security issues and/or exploits. Ideally regularly, but most are lucky if it is even done once, half-assed.


I agree on auditing or more eyes on the codebase and on what apps are doing, by checking their source code if open. Hivesigner is open source, audited at least by the Ecency team and the previous creators, and anyone can still check the codebase. A lot of misinformation will push people to use insecure or closed source solutions, which isn't helping.

Audited code is way more secure than closed source or unaudited code. BUT, reviewing a github repo won't make the app secure! What stops the dev from altering the deployed version of the codebase and adding some malicious parts?

The repo would look nice and shiny but a small change on the real server could be dangerous. So the full review should check the live webserver too. And it wouldn't be bulletproof either as you can swap dns record overnight or add changes after the audit.

I remember hearing talk about making it so that, at the blockchain level, Hive nodes will reject transactions that use keys far above the permissions required, like using owner to sign active key transactions. I'm not sure if it's already in effect though.

One reason HiveSigner asks for the master password is that it is a quick way to import all keys, since all keys are derived from said password, but still I wouldn't even do that. I'd rather take the time to import each one.

Now here's a question.. How does one clear your keys from your local storage if you previously used hivesigner?

Since I hardly use it, I'd prefer not to have my keys sitting there potentially insecure.


I'm a Hive Witness supporting the blockchain, please consider voting for me. - find out more here!

So I can go to manage site data in this browser, and it allows me to delete it.

The one thing I didn't test is, if I "save and encrypt", can I still clear it from my local cache? If not, where does it "go"?

[screenshot]

I've noticed something: when not logged into hivesigner, the keys are not in local storage; I assume they are elsewhere, encrypted with the password you set up on hivesigner. It's only if you are logged in to hivesigner that they are exposed.

So as long as you haven't logged in on a compromised device or browser, you 'should' be fine. But this does beg the question: I think all extensions can access local storage data if enabled, so there is also potential for malicious action there too.

I generally have my browser extensions restricted to certain sites so I'm fine there.

There also is no way to actually sign out of hive-signer except by probably closing the complete browser.

Dunno if the local storage is ever accessible besides the site being open in a tab.

You can actually remove accounts from hivesigner via hivesigner which is the best way to go about it I think.


Fantastic followup investigation!

Anything in a web browser or on a mobile phone is not secure for large financial transactions; fortunately, in Hive we have several keys: active (required for financial transactions) and posting (for blogging, like here). Bank mobile apps have limited functionality compared to the web browser interface; in the web browser it is still required to perform 2FA.

My bank app can do more than their webbank. And in the webbank I have to use the app as 2fa.

Because you demanded my response so intensely on discord:

Good post that highlights some of the many things we can call insecure on Hive. It always depends on how you view it, and your position is valid for sure. Hivesigner stores the keys in the local storage unencrypted, and that's not very secure.

But: Compared to many private key logins or the majority of web2, it is definitely very secure already, because your keys will never go over the internet and you don't need to trust a new interface, because you do not enter your keys there. Of course, private key logins are often implemented so that your keys will also not go over the internet, but any new interface could be a potential danger: like Leo did one time in the recent past when you log in. That was the real big issue - then the storage in a cookie, and then they finally made it more secure by putting the keys in local storage encrypted and not sending any key over the internet.

The challenge that hivesigner solves here is that you do not give any user interface your private key in the first place but you probably already knew that.

Regarding the owner key: there are moments when you will need to use your owner key. Maybe that's the reason why you can enter it there. Just a thought of mine.

I know there are people working on other solutions here on Hive and that there are 1000x more secure solutions on Hive already: Keychain and HiveAuth.

My favorite is definitely HiveAuth, because that works everywhere, not only where Keychain is installed, and it is compatible with Keychain. So all you need is a Keychain on your mobile device and a user interface supporting HiveAuth - done.


Maybe your criticism would have more value if you shared it with the Ecency team instead of pinging me (who is not part of the team at all) or good-karma (who gets pinged 10x per day, probably) in this post only. They have a very active discord and would be pleased to see suggestions for improvements. But instead you decided to use it as a rant / beef show here and on the Hive discord server.
I am not going into detail about how you portrayed me here or on discord, but I thought that it's important for you that I go over your post and give feedback, so I did.

My heart rate is at 97 (checking my fitbit right now) because I don't like when people call me names or try to offend me as part of their defense mechanism. But I have learned to reflect myself and my feelings and to work with my emotions - not getting dragged by them or work against them.

I'm not a native speaker (yes, I play this card now), so maybe some phrases came across differently than I intended them. "As far as I know" is a phrase I use when I am pretty sure but too lazy to search for source code lines. Next time I'll do that instead. But a next time between you and me will not happen: I will just read your message, give a reaction emoji and leave it like that, because the way you've handled this discussion did not encourage discussion at all. Sounds weird, but I need to keep myself out of these kinds of shows.


I am on Hive for fun and a good time - sharing knowledge and opinions. I will keep doing this - trust me.

Sounds like we agree on a lot of things. It was definitely when you called me names, that motivated my heart rate, and this post and subsequent pings.

Hivesigner stores the keys in the local storage unencrypted and that's not very secure.

That's the user's choice; there is literally a checkbox to encrypt it.

But is it then also stored encrypted in the local storage?

Yes, it doesn't send keys to the server, it just keeps them encrypted in the local browser.

Localstorage generally has the same safety as your device; it is bound to the website you visit only (in this case hivesigner.com). Unless someone injects XSS code into the hivesigner website/codebase (which is highly unlikely) or you install an unwanted browser extension (user's choice), stealing from localstorage shouldn't be possible, plus if you encrypt it in localstorage that's extra security also.

Thanks for the detailed explanation- so it works as I thought initially! Great!
