HiveSigner is INSECURE? - discussion and deep dive

By ecoinstant on 6/25/2025

There was some discussion about HiveSigner, and someone said it was "secure". I think it's QUITE INSECURE, and I said as much. I got some pushback, which motivated me to make this post - by the way, this is how discussions happen. We can all (probably) agree that discussions are good, so we shouldn't feel bad about disagreeing.

The basic argument is, people who are not quite sure how it works think it's secure, and are sure that anyone saying it's not is spreading disinformation. Like this comment from @tibfox this morning:

image.png

Notice the use of "as far as I know". I am spreading disinformation, because "as far as someone knows", HiveSigner is fine, it must be fine, we are pretty sure it's fine, because it's still around, and if it wasn't fine, someone would say something.

Except whenever someone says something, we are just assured that "as far as I know", it's secure and safe and wonderful.

Trust me bro

The words "secure", "safe", "valid" - they are adjectives. Technically, they don't mean much, and it might be the case that one part of an app is totally "safe", and another part completely "dangerous". We should probably define our terms, talk about the reality, go through the app - and talk about it. That is what I plan to do today. To go through all the UNSAFE, INSECURE and INVALID parts of HiveSigner that I clearly see - on my screen, right in front of my face, every time I have the displeasure of finding myself interacting with HiveSigner. These things could be fixed, and that would make HiveSigner MORE secure, more safe, and more valid.

So come along with me to "hive.vote", and once we get there - hit "login" and we are taken to this page.

image.png

For security, I have created a new account using our new account creation tool, which one of these days I will get around to announcing - I like it because I get to pick my master password, which is fun.

image.png

Now let's go ahead and use our memo key, some might say this is the least worrisome, or "most secure" key, and it is clearly recommended by HiveSigner - and see what happens.

image.png

It doesn't like the memo key - now it tells me I should use the master password or AT LEAST the posting key, whatever that means. Very safe and secure, the instructions have changed halfway through. Okay, well, let's try that posting key then. According to the page we are using, HiveSigner just wants to "see our current account username". Super safe and secure experience for users.

image.png

So we go back to our txt file and copy the private posting key, put it in and we do get to log in to hive.vote. I tested the owner key, it actually does work to log in, as well as the master password. They work to log in with! Just the memo key is a lie, on this page.

So now we are into hive.vote - the only autovoter left in our ecosystem, and we have this wonderful message:

image.png

Very cryptic stuff, but this article is not about how hive.vote is garbage, but we must once again use hivesigner to add "posting authority". Now you can do that here https://thecrazygm.com/hivetools/account/authority, if you have Keychain browser extension or Keychain Mobile App, but assuming we don't have that, let's try to use HiveSigner again.

The trick is here, that changing authorities, even posting authorities, is an active key transaction. Let's see what HiveSigner says:

image.png

This was actually a pleasant surprise to me, I believe this has been updated since the last time I raged against this app, but it correctly informs us that we will be required to put in our active key (since we have only logged in with posting key).

While playing around, I also confirmed that if you log in with owner key or master password (probably active key too), it will just let you click authorize. We can assume that these things are "just" stored in our browser cache, since I was able to delete them (which by the way is NOT a secure place to put keys unencrypted, anyone remember the recent Leo fiasco with browser stored keys?), but it's also not really a great idea to assume things about key management either.

So now I hit continue and get....

image.png

Hmmmm, this is not quite expected, a little unclear, but I guess we need to "Add another account"?

image.png

Welcome back!

And we are back to our good old friend, the "add any key to get scolded" page. Sure, we were told that we would need "at least" the active key (by the way, I don't think four different keys are necessarily in an order, or if there is an order, it's somewhat subjective), but once again we are being recommended options including MEMO KEY (which never works for anything) and Posting Key - which we already know is "not enough", and won't work.

So for fun I added my Owner Key, and we are taken back to the option to authorize the app.

image.png

Once we click authorize, we are quickly flashed a screen that explains we have given posting auth to 'steemauto', and redirected back to Hive.Vote.

I was a little surprised that I could sign authority operations with owner key, but I guess it is possible, so I am learning something today. After all, it's THE FIRST recommendation of HiveSigner (but at least it works, unlike many of its other front page instructions).

What's in the browser?

image.png

So by navigating around in my Opera GX browser, and learning a few things along the way, I was able to find my private Owner key in the Local Browser storage. I am actually not sure how secure this is, so I just asked google, here is what google says:

image.png

Tell me I am a crazy disinformation spreader, but suddenly I don't feel like "trust me bro" "as far as I recall its secure" is a good enough answer; I don't feel safe or secure - in fact, people also ask:

image.png

@good-karma?

I want to be clear, I like (and "trust") @good-karma, who (as far as I know), is in charge of making sure HiveSigner keeps working, as a legacy piece of software. And he has done that. I don't think he is phishing keys or in any way would host or build something that would actually BE an attack vector. But that doesn't mean that this piece of software he inherited is GOOD, or safe, or secure or valid.

HiveSigner - in my humble opinion - is not only confusing and uncomfortable but, based on my deep dive today, seems literally INSECURE and UNSAFE. Please stop insisting that it is safe and secure because someone told you it was.

And since I did reveal them here, I guess I will go ahead and change my keys now, using our amazing, and actually safe and secure, best key changer for HIVE.

image.png

Go ahead and let me know what you think, in the comments below.

Freedom and Friendship
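An added example, not part of the original post and not HiveSigner code: a self-audit for the situation described under "What's in the browser?", scanning a dump of your own browser storage for values that are valid WIF private keys (the format Hive keys use) and reporting only the entry name and a short preview. The entry names are constructed, and the sample key is the public WIF test vector from the Bitcoin wiki, not a Hive key.

```javascript
// SHA-256 (FIPS 180-4) in plain JS so the check runs synchronously in a
// browser console or in Node without imports. Takes and returns byte arrays.
function sha256(bytes) {
  const rotr = (x, n) => (x >>> n) | (x << (32 - n));
  const primes = [];
  for (let n = 2; primes.length < 64; n++) {
    if (primes.every((p) => n % p !== 0)) primes.push(n);
  }
  // Constants are the first 32 fractional bits of cube / square roots of primes.
  const frac32 = (x) => ((x % 1) * 2 ** 32) | 0;
  const K = primes.map((p) => frac32(Math.cbrt(p)));
  const H = primes.slice(0, 8).map((p) => frac32(Math.sqrt(p)));

  // Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit big-endian.
  const msg = Array.from(bytes);
  const bitLen = msg.length * 8;
  msg.push(0x80);
  while (msg.length % 64 !== 56) msg.push(0);
  for (let i = 7; i >= 0; i--) msg.push(i >= 4 ? 0 : (bitLen >>> (i * 8)) & 0xff);

  for (let off = 0; off < msg.length; off += 64) {
    const w = new Array(64);
    for (let i = 0; i < 16; i++) {
      const j = off + i * 4;
      w[i] = (msg[j] << 24) | (msg[j + 1] << 16) | (msg[j + 2] << 8) | msg[j + 3];
    }
    for (let i = 16; i < 64; i++) {
      const s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >>> 3);
      const s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >>> 10);
      w[i] = (w[i - 16] + s0 + w[i - 7] + s1) | 0;
    }
    let [a, b, c, d, e, f, g, h] = H;
    for (let i = 0; i < 64; i++) {
      const S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25);
      const ch = (e & f) ^ (~e & g);
      const t1 = (h + S1 + ch + K[i] + w[i]) | 0;
      const S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22);
      const maj = (a & b) ^ (a & c) ^ (b & c);
      const t2 = (S0 + maj) | 0;
      h = g; g = f; f = e; e = (d + t1) | 0;
      d = c; c = b; b = a; a = (t1 + t2) | 0;
    }
    [a, b, c, d, e, f, g, h].forEach((v, i) => { H[i] = (H[i] + v) | 0; });
  }
  return H.flatMap((v) => [v >>> 24, (v >>> 16) & 0xff, (v >>> 8) & 0xff, v & 0xff]);
}

const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

// Base58 string -> byte array, or null if a character is outside the alphabet.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const v = B58.indexOf(ch);
    if (v < 0) return null;
    n = n * 58n + BigInt(v);
  }
  const bytes = [];
  for (; n > 0n; n >>= 8n) bytes.unshift(Number(n & 0xffn));
  for (const ch of str) { if (ch !== "1") break; bytes.unshift(0); }
  return bytes;
}

// Uncompressed WIF: 0x80 version byte + 32 key bytes + 4-byte double-SHA-256 checksum.
function isWifPrivateKey(candidate) {
  const raw = base58Decode(candidate);
  if (!raw || raw.length !== 37 || raw[0] !== 0x80) return false;
  const check = sha256(sha256(raw.slice(0, 33))).slice(0, 4);
  return check.every((b, i) => b === raw[33 + i]);
}

// 51 base58 characters starting 5H/5J/5K: the shape of an uncompressed WIF key.
const WIF_SHAPE = /5[HJK][1-9A-HJ-NP-Za-km-z]{49}/g;

// Accepts a Storage object (window.localStorage) or a plain {name: value} dump.
// Findings carry only the entry name and a 4-character preview, never the key.
function findPlaintextKeys(storage) {
  const isStorage = typeof storage.key === "function";
  const names = isStorage
    ? Array.from({ length: storage.length }, (_, i) => storage.key(i))
    : Object.keys(storage);
  const findings = [];
  for (const name of names) {
    const value = String(isStorage ? storage.getItem(name) : storage[name]);
    for (const m of value.match(WIF_SHAPE) || []) {
      if (isWifPrivateKey(m)) findings.push({ entry: name, preview: m.slice(0, 4) + "..." });
    }
  }
  return findings;
}

// Constructed sample dump; entry names are hypothetical, not HiveSigner's real ones.
const TEST_WIF = "5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ"; // Bitcoin wiki test vector
const SAMPLE_STORAGE = {
  demo_theme: "dark",
  demo_accounts: JSON.stringify([{ name: "alice", owner: TEST_WIF }]),
  demo_notes: "mistyped key " + TEST_WIF.slice(0, 50) + "K", // right shape, bad checksum
};

console.log(findPlaintextKeys(SAMPLE_STORAGE));
```

In a browser, call `findPlaintextKeys(window.localStorage)` from the developer console on the site you want to check; an empty array means no checksum-valid plaintext WIF key was found in that origin's local storage.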

Comments (15)

mengao's avatar @mengao 6/25/2025

Storing private keys in local storage is definitely not secure.

ecoinstant's avatar @ecoinstant 6/25/2025

In my opinion, the fact that the app encourages Owner key or Master password just makes this worse.

mengao's avatar @mengao 6/25/2025

Terrible! hive.vote is probably one of the most used services on Hive and doesn't have Keychain integration.

Great job testing it! I never use HiveSigner; even though I never did this research, I never trusted it. And it's one of the oldest sign-in options still accepted by all frontends?

ecoinstant's avatar @ecoinstant 6/25/2025

It's on our list, to do a new auto-voter tool. Sometimes I wish we could clone ourselves to move faster through the pipeline - but "soon" we will look to at least give another option to the mostly abandoned (but it does work) hive.vote

pompeylad's avatar @pompeylad 6/27/2025

Hive.vote is as much the problem here by not updating to using Keychain. I've always been dubious of hivesigner but that is shocking, time to sunset it we have a better, easier, safer way now.

osomar357's avatar @osomar357 6/25/2025

Hello happy afternoon, first of all the post is very good, and I think that in its content, you showed the reasons why you say that it is unsafe. I really don't use it much, since it gets confusing and with little information for users, I only used it in Hive-vote and I think a couple of times to support some proposals. But, in reality, you prove that you are right in the approach you make regarding the security of the application. I also want to take this opportunity to thank you for the two tools that you recommend, the password change tool and the account creation tool. It seems to me a post, very informative, that educates the user and explains in a simple way, some data that are not known in the area of application security. The same is clear, for the protection of the keys, since there are many people who use them in the browser and that is usually very dangerous at the time of a hack. I find the information very good and educational, thank you very much.

This post was voted on from Ecency.

!HUESO !ALIVE

pardinus's avatar @pardinus 6/26/2025

Thanks for the deep dive! I'm not technically savvy security-wise, but I never felt that comfortable putting my keys in HiveSigner. I would love to have a similar app to hive.vote with decent UX and buffed security... let's see if it comes true one day!

holoz0r's avatar @holoz0r 6/26/2025

Here's a hot take: People who use autovoters deserve to have their keys compromised :P

tydynrain's avatar @tydynrain 6/26/2025

Yeah, that's not good. I try not to use HiveSigner if I can help it, but it's sometimes not an option. This is definitely worrisome. 😁 🙏 💚 ✨ 🤙

shmoogleosukami's avatar @shmoogleosukami 6/26/2025

I remember hearing talk about making it so that at the blockchain level Hive nodes will reject transactions that use keys far above the permissions required, like using owner to sign active key transactions. I'm not sure if it's already in effect though.

One reason HiveSigner asks for the master password is that it is a quick way to import all keys, since all keys are derived from said password, but still I wouldn't even do that. I'd rather take the time to import each one.

Now here's a question... How does one clear your keys from your local storage if you previously used HiveSigner?

Since I hardly use it I'd prefer to not have my keys sitting there potentially insecure.



ecoinstant's avatar @ecoinstant 6/26/2025

So I can go to manage site data in this browser, and it allows me to delete it.

The one thing I didn't test is, if I "save and encrypt", can I still clear it from my local cache? If not, where does it "go"?

image.png

shmoogleosukami's avatar @shmoogleosukami 6/26/2025

I've noticed something, when not logged into hivesigner, the keys are not in local storage, I assume they are elsewhere encrypted with the password you set up on hivesigner. It's only if you are logged in to hivesigner are they exposed.

So as long as you haven't logged in on a compromised device or browser you 'should' be fine. But this does beg the question I think all extensions can access local storage data if enabled so there is also potential for malicious action there too.

I generally have my browser extensions restricted to certain sites so I'm fine there.

There also is no way to actually sign out of hive-signer except by probably closing the complete browser.

Donno if the local storage is ever accessible besides the site being open in a tab.

You can actually remove accounts from hivesigner via hivesigner which is the best way to go about it I think.



ecoinstant's avatar @ecoinstant 6/26/2025

Fantastic followup investigation!

sopel's avatar @sopel 6/26/2025

Anything in web browser or on mobile phone is not secure for large financial transactions, fortunately in hive we have several keys: active (required for financial transactions) and posting (for blogging like here). Bank mobile apps have limited functionality compared to web browser interface, in web browser it is still required to perform 2FA.

thedd's avatar @thedd 7/23/2025

My bank app can do more than their webbank. And in the webbank I have to use the app as 2fa.

fjworld's avatar @fjworld 6/26/2025

Ah Thank You for confirming my suspicion. !LOLZ

I looked at HiveSigner when I started on Hive and when I compared it to how KeyChain does security I stuck to KeyChain.

Much appreciated review.

!PIMP

techcoderx's avatar @techcoderx 6/26/2025

The broader issue here is the lack of other installation/hardware-free login options that are user-friendly to newbies, other than another OAuth2 solution (web2 logins) which currently only works on very specific apps and for that app/platform only (i.e. VSC-related transactions which are signed EVM txs behind the scenes, InLeo social logins specifically for that only, just to name a few). These accounts cannot be ported to another Hive app without the user exporting the keys and importing it somewhere else.

All wallet providers supported on Aioha that aren't HiveSigner either require installing something on the user's browser/phone or having a hardware device (only one exists that I strongly do not recommend). The only FAQ of adding a "plaintext key" provider (beekeeper maybe?) probably won't do much other than safeguarding potential DNS hijacking on hivesigner.com but the same can happen to the app itself.

anderssinho's avatar @anderssinho 6/26/2025

Isn't this the same issue LeoAuth got a ton of crap about a while ago?

ecoinstant's avatar @ecoinstant 6/26/2025

I am pretty sure if it's not EXACTLY THE SAME, then it's like, 99% the same issue 😅

anderssinho's avatar @anderssinho 6/26/2025

Man, khal and team got sooo much crap over that 😅 Good that you acknowledge it though, because it's like you say, not that secure 😅

tibfox's avatar @tibfox 6/27/2025

Nope, they have stored the keys in a cookie. Now they store them in the local storage, but other than HiveSigner they are encrypted with a pincode. On top of the cookie thing they have sent the private key over the internet at the beginning - that's when the whole thing blew off

anderssinho's avatar @anderssinho 6/30/2025

Alright, noted! :)

steevc's avatar @steevc 6/26/2025

Any site that asks for a 'master key' seems dodgy to me. They shouldn't need that level of access.

Key security is not an easy problem to solve and so we have to trust the developers for such tools. I would hope that anyone with real concerns can feel free to speak out, but obviously should go to the devs first if there is an immediate risk.

ecoinstant's avatar @ecoinstant 6/26/2025

This is legacy software, as you say (and @techcoderx mentioned) these are tricky issues.

I never made a post before, I just ignored this legacy login method (which was more secure in its day than copy pasting keys).

But I felt compelled to look into it and make a post when I felt mistreated for not drinking the koolaid and exclaiming that it was the most safe and secure app in the world, which it is not.

themarkymark's avatar @themarkymark 6/26/2025

You can pre-add the authority through other interfaces like PeakD and Hive.blog. I believe everything should support keychain, but even that isn't audited.

ecoinstant's avatar @ecoinstant 6/26/2025

Yes, which is probably the most secure way to use HiveSigner!

ecoinstant's avatar @ecoinstant 6/27/2025

What would an "audit" or auditor do?

Keep an eye on the github repo? Look for exploits in the live app? "PenTest" the company itself?

themarkymark's avatar @themarkymark 6/27/2025

Generally review the code for security issues and/or exploits. Ideally, regularly, but most are lucky if it is even done once halfassed.

ecency's avatar @ecency 7/9/2025

I agree on auditing or more eyes on codebase and what apps are doing by checking their source code if open. Hivesigner is opensource, audited at least by Ecency team and previous creators, anyone still can check codebase. A lot of misinformation will push people using unsecure or closed source solutions which isn't helping.

@thedd 7/23/2025

Audited code is way more secure than closed source or unaudited code. BUT, reviewing a GitHub repo won't make the app secure! What stops the dev from altering the deployed version of the codebase and adding some malicious parts?

The repo would look nice and shiny, but a small change on the real server could be dangerous. So the full review should check the live web server too. And it wouldn't be bulletproof either, as you can swap a DNS record overnight or add changes after the audit.
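The check @thedd describes, comparing what the live server serves against a build of the audited source, as an added example (not code from HiveSigner or Ecency). File names and contents are constructed, and fetching the live files is left out so it runs offline under Node.

```javascript
const { createHash } = require('node:crypto');

// Subresource-Integrity style digest: "sha384-<base64>".
function sriDigest(bytes) {
  return 'sha384-' + createHash('sha384').update(bytes).digest('base64');
}

// Manifest of the audited build: path -> digest.
function buildManifest(files) {
  const manifest = {};
  for (const [path, bytes] of Object.entries(files)) manifest[path] = sriDigest(bytes);
  return manifest;
}

// Report every path where the deployment differs from the audited manifest.
function compareDeployment(manifest, deployed) {
  const findings = [];
  for (const [path, expected] of Object.entries(manifest)) {
    if (!Object.hasOwn(deployed, path)) findings.push({ path, status: 'missing' });
    else if (sriDigest(deployed[path]) !== expected) findings.push({ path, status: 'modified' });
  }
  for (const path of Object.keys(deployed)) {
    if (!Object.hasOwn(manifest, path)) findings.push({ path, status: 'unexpected' });
  }
  return findings;
}

// Constructed sample: output of building the audited commit.
const auditedBuild = {
  '/index.html': '<script src="/js/app.js"></script>',
  '/js/app.js': 'function sign(tx, key) { return signLocally(tx, key); }',
};
// Constructed sample: what the live server returned for the same paths.
const liveSite = {
  '/index.html': '<script src="/js/app.js"></script><script src="/js/extra.js"></script>',
  '/js/app.js': 'function sign(tx, key) { return signLocally(tx, key); }',
  '/js/extra.js': '/* not present in the audited build */',
};

const driftReport = compareDeployment(buildManifest(auditedBuild), liveSite);
console.log(driftReport);
```

A clean report only covers the moment the files were fetched; as the comment says, the deployment or the DNS record can change afterwards, so the comparison has to be repeated.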

@tibfox 6/28/2025

Because you demanded my response so intensely on discord:

Good post that highlights some of the many things we can call insecure on Hive. It always depends on how you view it and your position is valid for sure. Hivesigner stores the keys in the local storage unencrypted and that's not very secure.

But: Compared to many private key logins or the majority of web2 it is definitely very secure already, because your keys will never go over the internet and you don't need to trust a new interface because you do not enter your keys there. Of course private key logins are often implemented so that your keys will also not go over the internet, but any new interface could be a potential danger: like leo did it one time in the recent past when you login. That was the real big issue - then the storage in a cookie, and then they finally made it more secure by putting the keys in local storage encrypted and not sending any key over the internet.

The challenge that hivesigner solves here is that you do not give any user interface your private key in the first place but you probably already knew that.

Regarding the owner key: there are moments you will need to use your owner key. Maybe that's the reason why you can enter it there. Just a thought of mine.

I know there are people working on other solutions here on Hive and that there are 1000x more secure solutions on Hive already: Keychain and HiveAuth.

My favorite is definitely HiveAuth because that works everywhere, not only where Keychain is installed, and is compatible with Keychain. So all you need is a Keychain on your mobile device and the user interface supporting HiveAuth - done.

Maybe your criticism would have more value if you shared it with the ecency team instead of pinging me (who is not part of the team at all) or good karma (who gets pinged 10x per day probably) in this post only. They have a very active discord and would be pleased to see suggestions for improvements. But instead you decided to use it as a rant / beef show here and on the hive discord server.
I am not going into detail how you portrayed me here or on discord but I thought that it's important for you that I go over your post and to give me feedback so I did.

My heart rate is at 97 (checking my fitbit right now) because I don't like when people call me names or try to offend me as part of their defense mechanism. But I have learned to reflect myself and my feelings and to work with my emotions - not getting dragged by them or work against them.

I'm not a native speaker (yes I play this card now) so maybe some phrases could come to you in a different way than I've intended them to be. "As far as I know" is a phrase I use when I am pretty sure but too lazy to search for source code lines. Next time I'll do that instead. But a next time between you and me will not happen: I will just read your message, give a reaction emoji and leave it like that because the way you've handled this discussion did not encourage discussion at all. Sounds weird but I need to keep myself out of these kinds of shows.

I am on Hive for fun and a good time - sharing knowledge and opinions. I will keep doing this - trust me.

@ecoinstant 6/28/2025

Sounds like we agree on a lot of things. It was definitely when you called me names, that motivated my heart rate, and this post and subsequent pings.

@ecency 7/9/2025

> Hivesigner stores the keys in the local storage unencrypted and that's not very secure.

That's the user's choice; there is literally a checkbox to encrypt it.

@tibfox 7/9/2025

But is it then also stored encrypted in the local storage?

@ecency 7/9/2025

Yes, it doesn't send keys to the server; they are just kept in the local browser, encrypted.

Localstorage generally has the same safety as your device; entries are bound to the website you visit only (in this case hivesigner.com). Unless someone injects XSS code into the hivesigner website/codebase (which is highly unlikely) or you install an unwanted browser extension (user's choice), stealing from localstorage shouldn't be possible, plus if you encrypt it in localstorage that's extra security also.
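What the two storage modes discussed above mean for any script running on the origin, as an added example (not HiveSigner's code and not its storage format). A `Map` stands in for `window.localStorage` so it runs under Node, and the scrypt + AES-256-GCM scheme, the key string and the passphrase are constructed assumptions.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Stand-in for window.localStorage (assumption, so the example runs under Node).
const storage = new Map();

// Encrypt a key under a passphrase; output is "salt.iv.tag.ciphertext" in base64.
function sealKey(privateKey, passphrase) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const key = scryptSync(passphrase, salt, 32);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(privateKey, 'utf8'), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Returns the key, or null when the passphrase is wrong or the blob was altered.
function openKey(blob, passphrase) {
  try {
    const [salt, iv, tag, ct] = blob.split('.').map((s) => Buffer.from(s, 'base64'));
    const decipher = createDecipheriv('aes-256-gcm', scryptSync(passphrase, salt, 32), iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Everything a script on the same origin (XSS, extension) can read from storage.
function readableByAnyScript() {
  return [...storage.values()];
}

// Constructed values, not a real Hive key or passphrase.
const SAMPLE_KEY = '5Jconstructed-placeholder-not-a-real-key';
const SAMPLE_PASSPHRASE = 'constructed passphrase for the example';

storage.set('account.plain', SAMPLE_KEY); // checkbox left unticked
storage.set('account.sealed', sealKey(SAMPLE_KEY, SAMPLE_PASSPHRASE)); // checkbox ticked

console.log(readableByAnyScript());
console.log(openKey(storage.get('account.sealed'), SAMPLE_PASSPHRASE) === SAMPLE_KEY);
```

Encryption at rest protects the stored blob only: once the user types the passphrase on a page where a hostile script is already running, the decrypted key is exposed to that script too.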

@tibfox 7/9/2025

Thanks for the detailed explanation - so it works as I thought initially! Great!

@ecency 7/9/2025

For some reason, we missed this post and didn't notice the mention. Apologies. Any application (web, extension, mobile app) that helps you to sign transactions stores or uses your keys for the intended purpose. Security of Hivesigner depends on the security of your own device of course; Hivesigner doesn't send your keys anywhere in any way, it only keeps them in your local browser. Just like Keychain, just like any other direct way of login. That's why there are different levels of keys, so you only use them in trusted and open source apps for the specific operations you need to sign. The working of Hivesigner is slightly different in that you can give posting authority to an application once and don't need to use Active, Owner, Master password keys ever again, even on Hivesigner itself, and you can take away posting authority anytime from any app. In your example, hive.vote is utilizing posting authority, so you are required to give that authority with your active key; if you know that, you just use your active key and can remove your account from Hivesigner, that's it. All other keys are used for specific use cases within Hivesigner; the memo key or other key login is suggested because if you are unsure what key you need, you can try any key until you find one that works. Yes, this can be improved, but here you are not talking about improvement suggestions.

Hivesigner is open source and maintained by our team, so if you don't trust the Ecency team, always do check the source code to know what it does with your keys: https://github.com/ecency/hivesigner-ui.

When we inherited the Hivesigner codebase, we did an extensive review and a complete rewrite of most logic, so it is reviewed at least by previous creators and our team.

A deep dive like this should be done on all apps so people know what's doing what. Only be objective about what you find and/or ask the team if you have concerns/questions, tell the team if you find bugs, and after all that, release findings along with suggestions.