The problem with DApps using steemconnect for authorized login

in STEEM CN/中文, last year (edited)

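Many DApps use Steemconnect for authorized login, for example wherein, partiko, steempeak, busy, steemauto and so on.

You can check which DApps you have authorized at https://steemd.com/@username.

Authorized login means that the user grants authority to a DApp, and the DApp can then post, upvote, downvote and so on in the user's name.

For example, once you authorize partiko, you write posts, upvote, comment and so on through partiko. It looks as if you are performing these operations, but behind the scenes partiko performs them for you. When you submit a post, partiko uses your account plus its own posting key to publish on your behalf (because you have authorized partiko, partiko holds your posting authority).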

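A few days ago, while working with 阿盐 (@robertyan) on a version of steemconnect that can be reached without circumventing the firewall, I found that behind the DApps there is an even bigger boss, and this boss's powers are wider.

Take partiko as an example again. Below is partiko's authorization list: partiko has authorized steemconnect.

Why does Partiko authorize steemconnect?

The reason is similar to why Partiko's users authorize Partiko: some operations require steemconnect to act on partiko's behalf. steemconnect does not have partiko's Posting Key, so partiko has to authorize steemconnect for it to complete those operations.

Partiko's users authorize Partiko, and Partiko authorizes steemconnect, so in theory Partiko's users have indirectly authorized steemconnect.

So, without direct authorization, can steemconnect use the Posting authority of Partiko's users?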

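I ran an experiment: account A authorizes account B, then account B authorizes account C. Finally, account C used account A plus its own posting key to upvote a post. It actually succeeded!

So if you own the steemconnect account, you can hold the Posting authority of all DApps' users!

But don't worry too much: Posting authority can at most be used to upvote, post, reply and downvote, and gives no control over your wallet.

For now, Steem Keychain is the safest option; unfortunately it can only be used on a computer. I hope a mobile version comes out.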
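The A → B → C experiment above can be turned into an audit of who is able to act with a user's posting authority. This is an added example, not code from the original post or from any Steem project: the accounts `alice`, `bob` and `relay`, the sample data and the recursion limit of 2 are assumptions, and `key_auths` are left out for brevity.

```python
# Constructed sample data shaped like the "posting" authority of Steem account
# records (key_auths omitted); partiko/steemconnect mirror the post's example.
ACCOUNTS = {
    "alice":        {"weight_threshold": 1, "account_auths": [["partiko", 1]]},
    "partiko":      {"weight_threshold": 1, "account_auths": [["steemconnect", 1]]},
    "steemconnect": {"weight_threshold": 1, "account_auths": [["relay", 1]]},
    "relay":        {"weight_threshold": 1, "account_auths": []},
    "bob":          {"weight_threshold": 1, "account_auths": []},  # key-only user
}

MAX_DEPTH = 2  # assumed limit on how many account_auths hops are followed


def satisfies(owner, signer, accounts, depth=0, max_depth=MAX_DEPTH):
    """True if `signer`, holding only its own posting key, meets `owner`'s posting authority."""
    if owner == signer:
        return True  # simplification: an account's own key meets its own threshold
    if depth >= max_depth or owner not in accounts:
        return False  # past the limit, account_auths are no longer followed
    auth = accounts[owner]
    weight = sum(w for name, w in auth["account_auths"]
                 if satisfies(name, signer, accounts, depth + 1, max_depth))
    return weight >= auth["weight_threshold"]


def audit(user, accounts, max_depth=MAX_DEPTH):
    """Split the accounts able to act for `user` into directly listed and indirect ones."""
    listed = {name for name, _ in accounts[user]["account_auths"]}
    able = {a for a in accounts
            if a != user and satisfies(user, a, accounts, 0, max_depth)}
    return {"direct": sorted(able & listed), "indirect": sorted(able - listed)}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, audit(user, ACCOUNTS))
```

The `indirect` entries are the ones a user never sees in their own authorization list, so they are worth reviewing whenever a listed DApp changes its own `account_auths`.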


Thank you for your support. Here's a !shop as token of appreciation.


Learned something new, here's a handful of diamonds!

Uh... so that works too...
Clap clap clap...
!shop

Thanks, 糖糖


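Nice program
So that "posting" thing means authorization
Clap clap clap clap

I use steempeak on my phone and log in with steemconnect; it has me enter a keychain password to log in (it logs in with the posting key). How do they work together, and what mechanism does the login use? Has my posting password been stored on their server by keychain?

The keychain you mean is not steem keychain; it is steemconnect's own keychain. You set a password for your key, and it is saved in the browser.

Applause for the village chief,

Thanks, 瓜叔

Yes, and which private key signed a transaction can be verified from the public key, so if steemconnect ever misbehaves and abuses the authorization, it can be found out.

I saw o哥 say this in the group before

You could make a mobile version, clap clap clap clap clap

You could give it a try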
