HiveSigner is INSECURE? - discussion and deep dive by ecoinstant

View this thread on: hive.blog | peakd.com | ecency.com

hive-139531 · @ecoinstant · 2025-06-25T21:55:18+00:00

$14.34

HiveSigner is INSECURE? - discussion and deep dive

There was some discussion about HiveSigner, and someone said it was "secure". I think its QUITE INSECURE, and I said as much. I got some pushback, which motivated me to make this post - by the way, this is how discussions happen. We can all (probably) agree that discussions are good, so we shouldn't feel bad about disagreeing.

The basic argument is, people who are not quite sure how it works, think its secure, and are sure that anyone saying its not, is spreading disinformation. Like this comment from @tibfox this morning:

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/Eo44qAMA2AvNbbQS7Zex63s7QC5jY26jfzFXmDifG66HvUkwSTjCRT7zYv8BYVDrr8Q.png)

Notice the use of "as far as I know". I am spreading disinformation, because "as far as someone knows", HiveSigner is fine, it must be fine, we are pretty sure its fine, because its still around, and if it wasn't fine, someone would say something.

Except whenever someone says something, we are just assured that "as far as I know", its secure and safe and wonderful.

## Trust me bro

The words "secure", "safe", "valid" - they are adjectives. Technically, they don't mean much, and it might be the case that one part of an app is totally "safe", and another part completely "dangerous". We should probably define our terms, talk about the reality, go through the app - and talk about it. That is what I plan to do today. To go through all the UNSAFE, INSECURE and INVALID parts of HiveSigner that I clearly see - on my screen, right in front of my face, every time I have the displeasure of finding myself interacting with HiveSigner. These things could be fixed, and that would make HiveSigner MORE secure, more safe, and more valid.

So come along with me to "hive.vote", and once we get there - hit "login" and we are taken to this page.

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23wN1su9vaGyJTyA9P7QPy2g5ZMq9Ztmkh2TMsAZ1DNYjcWuA4rD4315vY6pKjJNSpdkW.png)

For security, I have created a new account using our new [account creation tool](https://rc.thecrazygm.com/claim-account), which one of these days I will get around to announcing - I like it because I get to pick my master password, which is fun.

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23uRJEXHnVzy6VcKJJnXpudn6ndjACeCmKQHZb5PYiJVvUySgac7xihhoQHVNpU8ioKa5.png)

Now let's go ahead and use our memo key, some might say this is the least worrisome, or "most secure" key, and it is clearly *recommended* by HiveSigner - and see what happens.

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/EpGX3BoPaBKT3YYw194RXBATu2bt2kdiscT4jacKQMMWHyUzdjpi7Qxm3V5waHMK1T2.png)

It doesn't like the memo key - now it tells me I should use the *master password* or AT LEAST the posting key, whatever that means. Very safe and secure, the instructions have changed half way through. Okay, well, let's try that posting key then. According to the page we are using, HiveSigner just wants to "see our current account username". Super safe and secure experience for users.

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/Eo6SGJLztMetPzzduGqF41XPTLhNSdSEyo9s8xjMyP2XtXeNpPj3EPNZcXQQ9Pb7aww.png)

So we go back to our txt file and copy the private posting key, put it in and we do get to log in to hive.vote. I tested the owner key, it actually does work to log in, as well as the master password. They work to log in with! Just the memo key is a lie, on this page.

So now we are into hive.vote - the only autovoter left in our ecosystem, and we have this wonderful message:

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23u6ZA178ocpTRy5H76TvoBKByqHRhvog4HRCCKDt8EHZmk5cAwmThY3XaUtb33ao8upg.png)

Very cryptic stuff, but this article is not about how hive.vote is garbage, but we must once again use hivesigner to add "posting authority". Now you can do that here https://thecrazygm.com/hivetools/account/authority, if you have Keychain browser extension or Keychain Mobile App, but assuming we don't have that, let's try to use HiveSigner again.

The trick is here, that changing authorities, even posting authorities, is an active key transaction. Let's see what HiveSigner says:

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23viTFEswxqPXiukup7Kd4kWY5ZntajPtsx9Y8PcjgQNiLrsncvafpRhumVRCcT4Djn8W.png)

This was actually a pleasant surprise to me, I believe this has been updated since the last time I raged against this app, but it correctly informs us that we will be required to put in our active key (since we have only logged in with posting key).

While playing around, I also confirmed that if you log in with owner key or master password (probably active key too), it will just let you click authorize. We can assume that these things are "just" stored in our browser cache, since I was able to delete them (which by the way is NOT a secure place to put keys unencrypted, anyone remember the recent Leo fiasco with browser stored keys?), but its also not really a great idea to assume things about key management either.

So now I hit continue and get....

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/EpVHLZTc6eZPAAJwZuZjQTpRdjxBZFiuthSLExyYoyNVS9GLMGLnrX3ctudAEqNVZ6Z.png)

Hmmmm, this is not quite expected, a little unclear, but I guess we need to "Add another account"?

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23wXR5Z9XyTK7Jx9gEuLDG8JZvnTwE1NAo8aaVW2LyJHPzLr94C399wk3FPyd2MKAvw9x.png)

## Welcome back!

And we are back to our good old friend, the "add any key to get scolded" page. Sure, we were told that we would need "at least" the active key (by the way, I don't think four different keys are necessarily in an order, or if there is an order, its somewhat subjective), but once again we are being recommended options including MEMO KEY (which never works for anything) and Posting Key - which we already know is "not enough", and won't work.

So for fun I added my Owner Key, and we are taken back to the option to authorize the app.

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23u6YysaGftHioR9sd5oSPfY75vSLKvsoyasbZESYw5owqze6NXXTbx1WqEtUJtwm6DXn.png)

Once we click authorize, we are quickly flashed a screen that explains we have given posting auth to 'steemauto', and redirected back to Hive.Vote.

I was a little surprised that I could sign authority operations with owner key, but I guess it is possible, so I am learning something today. After all, its THE FIRST recommendation of HiveSigner (but at least it works, unlike many of its other front page instructions).

## What's in the browser?

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/246b57yUVUWXpm4HrQRkQpwzVNJ8vaeN7rLjGMV5uvzDxKoxCJDZBNFMguCPM9Pvfhrcg.png)

So by navigating around in my Opera GX browser, and learning a few things along the way, I was able to find my private Owner key in the Local Browser storage. I am actually not sure how secure this is, so I just asked google, here is what google says:

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/Eo45GghScEasnbh2ee5K2pYz9oFfSHvpQCmDX7iJKsYSxXuLH1BT6tsvGJVDEHohdpT.png)

## Tell me I am a crazy disinformation spreader, but suddenly I don't feel like "trust me bro" "as far as I recall its secure" is a good enough answer; I don't feel safe or secure - in fact, people also ask:

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23tRxJCr5hwAKnKhiN8dLSboLd5Ygfzei6WqxV9U9fQy6MvAiTMtwjf2xSWs6nJ6h2YFi.png)

## @good-karma?

I want to be clear, I like (and "trust") @good-karma, who (as far as I know), is in charge of making sure HiveSigner keeps working, as a legacy piece of software. And he has done that. I don't think he is phishing keys or in any way would host or build something that would actually BE an attack vector. But that doesn't mean that this piece of software he inherited is GOOD, or safe, or secure or valid.

HiveSigner - in my humble opinion - is not only confusing and uncomfortable, based on my deep dive today - seems literally INSECURE, and UNSAFE. Please stop insisting that it is safe and secure because someone told you it was.

And since I did reveal them here, I guess I will go ahead and change my keys now, using our amazing, and actually safe and secure, [best key changer for HIVE](https://keys.thecrazygm.com).

![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23tSt3NZiwDmqNMDW1mjJscVgnVWP8BktKVa5v2HcXAUz3RuYNmkASMZoJxrMZETHgCFK.png)

Go ahead and let me know what you think, in the comments below.

## Freedom and Friendship

👍 stoodkev, steembasicincome, condeas, sbi2, dalz, pakx, steevc, sopel, stayoutoftherz, piotrgrafik, definethedollar, shanibeer, techcoderx, bala41288, vikisecrets, sbi3, hispapro, melibee, miosha, mengao, sbi4, dbooster, dlike, mes, urtrailer, sbi5, gadrian, solairitas, happyskull, pardinus, sbi6, eds-vote, newigennity, cedricguillas, jlsplatts, petrarodriguez, sbi7, antisocialist, likedeeler, eddie-earner, yameen, snook, aafeng, legionsupport, stickupcurator, sbi8, ganjafarmer, pravesh0, shmoogleosukami, mimi.ruby, build-it, sbi9, penguinpablo, splatts, stortebeker, fjworld, vocup, johndoer123, sbi10, dantrin, dailydab, kittykate, holoz0r, bemier, and 379 others
👎 lordnasty

properties (23)

`author`	ecoinstant
`permlink`	hivesigner-is-insecure-discussion-and-deep-dive
`category`	hive-139531
`json_metadata`	{"app":"peakd/2025.6.2","format":"markdown","tags":["hive","dev","development","hivesigner","archon","tribes","leofinance","neoxian","pimp","proofofbrain"],"users":["tibfox","good-karma"],"image":["https://files.peakd.com/file/peakd-hive/ecoinstant/23wN1su9vaGyJTyA9P7QPy2g5ZMq9Ztmkh2TMsAZ1DNYjcWuA4rD4315vY6pKjJNSpdkW.png","https://files.peakd.com/file/peakd-hive/ecoinstant/Eo44qAMA2AvNbbQS7Zex63s7QC5jY26jfzFXmDifG66HvUkwSTjCRT7zYv8BYVDrr8Q.png","https://files.peakd.com/file/peakd-hive/ecoinstant/23uRJEXHnVzy6VcKJJnXpudn6ndjACeCmKQHZb5PYiJVvUySgac7xihhoQHVNpU8ioKa5.png","https://files.peakd.com/file/peakd-hive/ecoinstant/EpGX3BoPaBKT3YYw194RXBATu2bt2kdiscT4jacKQMMWHyUzdjpi7Qxm3V5waHMK1T2.png","https://files.peakd.com/file/peakd-hive/ecoinstant/Eo6SGJLztMetPzzduGqF41XPTLhNSdSEyo9s8xjMyP2XtXeNpPj3EPNZcXQQ9Pb7aww.png","https://files.peakd.com/file/peakd-hive/ecoinstant/23u6ZA178ocpTRy5H76TvoBKByqHRhvog4HRCCKDt8EHZmk5cAwmThY3XaUtb33ao8upg.png","https://files.peakd.com/file/peakd-hive/ecoinstant/23viTFEswxqPXiukup7Kd4kWY5ZntajPtsx9Y8PcjgQNiLrsncvafpRhumVRCcT4Djn8W.png","https://files.peakd.com/file/peakd-hive/ecoinstant/EpVHLZTc6eZPAAJwZuZjQTpRdjxBZFiuthSLExyYoyNVS9GLMGLnrX3ctudAEqNVZ6Z.png","https://files.peakd.com/file/peakd-hive/ecoinstant/23wXR5Z9XyTK7Jx9gEuLDG8JZvnTwE1NAo8aaVW2LyJHPzLr94C399wk3FPyd2MKAvw9x.png","https://files.peakd.com/file/peakd-hive/ecoinstant/23u6YysaGftHioR9sd5oSPfY75vSLKvsoyasbZESYw5owqze6NXXTbx1WqEtUJtwm6DXn.png","https://files.peakd.com/file/peakd-hive/ecoinstant/246b57yUVUWXpm4HrQRkQpwzVNJ8vaeN7rLjGMV5uvzDxKoxCJDZBNFMguCPM9Pvfhrcg.png","https://files.peakd.com/file/peakd-hive/ecoinstant/Eo45GghScEasnbh2ee5K2pYz9oFfSHvpQCmDX7iJKsYSxXuLH1BT6tsvGJVDEHohdpT.png","https://files.peakd.com/file/peakd-hive/ecoinstant/23tRxJCr5hwAKnKhiN8dLSboLd5Ygfzei6WqxV9U9fQy6MvAiTMtwjf2xSWs6nJ6h2YFi.png","https://files.peakd.com/file/peakd-hive/ecoinstant/23tSt3NZiwDmqNMDW1mjJscVgnVWP8BktKVa5v2HcXAUz3RuYNmkASMZoJxrMZETHgCFK.png"]}
`created`	2025-06-25 21:55:18
`last_update`	2025-06-25 21:55:18
`depth`	0
`children`	41
`last_payout`	2025-07-02 21:55:18
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	7.190 HBD
`curator_payout_value`	7.146 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	8,635
`author_reputation`	868,883,123,304,099
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,568,391
`net_rshares`	49,820,888,790,917
`author_curate_reward`	""

vote details (444)

voter	rshares	pct
steevc	1,531,760,338,350	46%
novacadian	50,365,582,945	100%
penguinpablo	142,468,291,716	14%
holoz0r	100,669,402,094	100%
funnyman	1,535,792,082	5.6%
onezetty	81,613,299,607	100%
ana-maria	86,980,240,704	50%
eforucom	23,079,191,553	100%
gamer00	19,553,261,897	5%
humanearl	2,329,987,266	80%
shermanedwards	719,518,539	50%
borislavzlatanov	25,395,604,291	100%
ganjafarmer	198,401,622,856	100%
freebornsociety	2,879,311,298	5.07%
mes	509,993,400,976	25%
underground	634,356,945	2.37%
enginewitty	99,622,619,105	100%
improv	49,953,763,920	100%
stortebeker	133,432,332,800	50%
artsygoddess	5,527,821,591	50%
joeyarnoldvn	722,965,685	2.27%
st3llar	5,698,658,604	25%
amymya	619,415,101	10%
stayoutoftherz	1,338,081,087,898	10%
pixelfan	51,788,766,682	5.8%
vikisecrets	962,133,551,079	33%
likedeeler	247,082,285,984	100%
enfocate	6,029,946,546	50%
powpow420	1,476,845,652	50%
alexicp	859,554,556	50%
stinawog	3,893,786,377	100%
shanibeer	1,056,651,723,418	35%
weirdheadaches	532,151,023	21.25%
aafeng	219,507,797,832	25%
killerwhale	42,682,036,188	100%
risckylu	1,907,611,212	50%
gray00	917,278,564	100%
stoodkev	9,434,579,980,788	70%
noloafing	3,010,609,908	49.76%
rumplestiltskin	29,708,839,642	100%
artlover	1,793,188,651	100%
roleerob	1,395,815,325	100%
silvergoldbotty	85,837,434,836	100%
omra-sky	76,085,002,726	50%
jlsplatts	299,477,674,263	22.5%
sku77-poprocks	2,615,117,871	100%
steemitcomics	1,497,391,285	100%
nathanpieters	1,020,164,538	50%
silasvogt	977,450,323	50%
stonergirls	818,524,555	100%
dbooster	531,548,092,099	50%
coolguy123	8,251,611,917	3%
snook	224,493,425,096	100%
anomallies	10,384,474,836	100%
eonwarped	75,874,863,032	30%
elisonr13	1,539,040,333	25%
jozefkrichards	10,265,666,997	100%
ubikalo	629,922,838	25%
elderson	4,042,963,211	50%
reciclajeymas	1,821,457,336	50%
sneakyninja	16,906,455,682	24.88%
steembasicincome	2,767,397,661,948	100%
cryptonized	236,503,076	14%
kissi	17,600,166,269	75%
gaborockstar	56,265,750,467	50%
adventuroussoul	2,182,262,179	10%
bala41288	1,021,314,470,623	30%
piotrgrafik	1,093,514,138,419	80%
aagabriel	488,783,121	50%
viking-ventures	661,331,936	20%
bishoppeter1	461,064,066	10%
shmoogleosukami	165,819,838,814	25%
psyborg	11,235,151,514	100%
antdroid	11,547,467,911	100%
neeqi	457,290,745	100%
tonysayers33	13,475,523,604	33%
openmind3000	2,524,081,461	50%
hazem91	9,757,225,113	40%
oredebby	4,747,413,153	20%
anderssinho	6,506,394,892	25%
aperterikk	573,401,577	50%
moeenali	20,410,029,674	1%
condeas	2,450,655,990,648	100%
anikys3reasure	1,708,753,121	50%
katrina-ariel	36,021,039,412	100%
happymichael	2,628,099,079	100%
matschi	6,435,153,062	100%
crowbarmama	4,501,355,138	20%
gabbyg86	22,024,187,636	35%
originalmrspice	13,611,566,620	50%
jorgebgt	15,799,294,435	100%
antisocialist	265,037,143,234	33%
miosha	624,350,497,187	100%
jeronimorubio	10,790,484,742	100%
andablackwidow	70,243,293,144	100%
onepercentbetter	82,577,858,761	50%
d-zero	1,517,343,530	100%
sbi2	1,900,319,832,272	100%
mrchef111	57,815,603,367	25%
sshappydayz	1,012,326,373	80%
yameen	226,768,889,526	50%
darkfuseion	1,146,217,187	100%
gisi	4,453,872,503	10%
juanmanuellopez1	1,672,284,764	40%
awesomegames007	1,264,748,242	50%
gadrian	437,592,007,397	30%
illuminationst8	6,346,716,840	25%
jordangerder	4,679,759,072	25%
xchng	27,932,905,269	80%
manuelmusic	5,023,164,465	30%
dreimaldad	835,859,742	40%
marijo-rm	20,614,703,407	15%
tsnaks	17,606,102,543	100%
brainpod	1,024,532,029	25%
cedricguillas	303,275,175,915	70%
joeytechtalks	1,593,072,748	50%
larryparra	962,809,713	25%
monchhichi23	979,445,469	100%
bajadera	1,656,510,457	25%
sbi3	915,161,089,872	100%
sbi4	584,391,569,557	100%
smacommunity	981,889,973	50%
tronsformer	1,170,916,261	30%
eii	69,490,807,792	100%
netzisde	3,412,197,831	100%
techcoderx	1,052,516,399,092	100%
brettblue	823,413,499	50%
tuisada	13,378,523,151	40%
onelovedtube	15,940,498,293	100%
johndoer123	115,693,125,744	100%
toddmck	2,505,304,093	100%
bububoomt	5,401,775,665	100%
the.rocket.panda	6,335,196,781	100%
sbi5	463,452,951,639	100%
greenunion	1,558,674,022	100%
abgrobert5	506,586,095	20%
sbi6	361,485,554,175	100%
steinz	634,865,378	50%
pardinus	369,598,238,769	81%
melor9	9,773,322,795	50%
icepee	16,114,275,786	50%
bigbos99	583,534,929	100%
dalz	1,794,473,723,969	100%
smartvote	70,581,691,738	3.4%
sbi7	271,730,011,297	100%
dlike	512,926,628,565	100%
arzkyu97	6,795,121,138	20%
teampdx	812,958,074	100%
teamoregon	1,158,857,043	100%
osomar357	6,237,860,685	53%
petrarodriguez	275,762,774,942	50%
definethedollar	1,072,472,213,095	50%
foodfightfriday	33,319,507,420	25%
belkisa758	6,969,442,681	50%
thesummoner	10,908,733,400	100%
lunamoon	49,291,624,142	100%
khaldeesi	48,105,464,029	100%
freyamber	49,811,207,928	100%
canna-collective	24,164,082,312	100%
ganjafarmers	921,649,018	100%
bntcamelo	821,944,652	100%
sbi8	199,526,841,187	100%
kuku-splatts	48,240,035,645	50%
racarjoal	1,440,245,919	25%
piestrikesback	657,258,049	100%
sbi9	142,759,951,575	100%
rosauradels	1,302,834,191	100%
janettyanez	2,209,158,010	10%
esthersanchez	2,679,632,567	50%
darklands	1,358,628,051	50%
maryelin	1,730,589,255	25%
linuxbot	34,404,703,383	100%
chain.games	21,776,109,371	100%
raoufwilly	812,307,486	30%
buildingpies	51,715,291,734	100%
abneagro	11,762,857,628	50%
sbi10	109,312,290,122	100%
letalis-laetitia	1,653,329,339	20%
cowboysblog	3,084,734,285	100%
r-e-d	7,865,817,677	100%
zydane	43,989,549,834	100%
jacuzzi	654,906,611	1.4%
samsemilia7	509,370,492	21%
synergized	2,183,701,894	25%
lord-of-the-d	10,838,675,542	100%
hungrybear	623,889,452	14%
steemforsteem	963,086,437	100%
toonuts	2,269,700,453	100%
twonuts	2,311,836,703	100%
doze	949,043,285	50%
vaporrhino	2,138,475,779	100%
blue.rabbit	17,156,994,428	100%
wenchebakken	48,362,903,389	50%
letlove	2,911,395,094	100%
allied-mafia	8,518,854,837	100%
yonnathang	7,931,414,498	50%
iamangierose	530,608,702	50%
solairitas	376,622,651,587	50%
steemforschool	981,300,272	100%
steemforschools	1,175,318,391	100%
itwasme	1,469,245,516	100%
dachcolony	4,883,055,557	100%
shauner	456,431,896	50%
victartex	1,097,754,158	50%
leighscotford	3,722,232,358	6.9%
zeruxanime	12,452,052,056	50%
kittykate	102,839,375,694	100%
imbartley	460,566,855	15%
spinvest	49,299,774,413	4.75%
x40l1n	44,549,693,286	100%
theblooded	978,953,814	100%
blooded	979,337,580	100%
theclan	2,010,287,212	100%
lrekt01	3,941,153,899	80%
angeltree	2,067,026,811	100%
christmasclub	2,229,627,372	100%
bala-ag	198,646,952	30%
bala-leo	1,134,601,142	30%
capp	14,768,960,351	50%
publicview	23,195,092,448	100%
sbi-tokens	20,597,713,275	49.76%
javikun	659,338,132	50%
kanibot	65,690,840,704	30%
idig	5,235,132,611	12.5%
tokengesture	467,552,709	25%
zulfrontado	6,069,106,950	25%
build-it	149,828,843,435	40%
saravm82	7,621,666,700	50%
mary.janikowski	464,103,698	100%
urtrailer	499,612,852,346	50%
vipservice	533,536,389	100%
anonymousman1	460,787,996	40%
hispapro	911,904,559,506	50%
bilpcoin.pay	546,780,786	10%
qwertm	3,902,026,308	50%
birthdaywishes	998,840,353	100%
splatts	139,952,625,539	25%
sidekicker2	460,250,438	11%
stoodmonsters	34,703,967,779	70%
neoxvoter	2,956,165,907	25%
youdo	2,447,287,917	100%
bi0digital	10,250,888,913	100%
jennyzer	4,494,802,167	50%
wittys.angels	1,025,346,255	100%
wittysangels	1,006,007,324	100%
steem-holder	5,969,323,104	13%
solairibot	58,464,302,190	50%
hive-134220	38,416,137,610	100%
zeusflatsak	16,104,932,969	100%
hive-189742	46,535,118,582	100%
kiemis	9,086,623,599	2.5%
graciadegenios	1,091,412,260	50%
georgelys	6,757,316,911	50%
lqch	1,549,556,584	25%
lespecial17	565,601,699	25%
dannewton	12,814,300,233	2%
newigennity	321,948,101,053	100%
w-splatts	49,269,001,039	50%
jilt	974,558,882	2.5%
earthsea	715,851,791	2%
carmenm20	779,319,853	25%
issymarie2	15,759,138,579	25%
martial.media	5,550,775,612	100%
angiel	24,282,889,520	100%
sassafrass	3,494,253,531	100%
edfer18	9,055,014,356	50%
eddie-earner	232,649,675,101	4.75%
enyusael	1,942,442,808	25%
evagavilan2	16,708,892,280	25%
jesuspsoto	1,661,560,859	50%
apeboy	1,120,899,896	25%
bellelynn	1,486,026,118	100%
yayogerardo	609,028,267	33%
jesustiano	10,927,359,142	40%
curatorcat.pal	27,805,956,543	100%
dr460n3y3	4,685,933,484	100%
b34w0lf	13,009,282,656	100%
alvarezjessica	7,745,422,846	50%
emsenn0	1,994,968,178	10%
mythix	44,061,915,332	50%
cryptoniusrex	41,712,617,489	100%
hexagono6	3,573,196,779	25%
timmy-turnip	2,662,359,629	50%
ichheilee	19,672,355,639	100%
caribayarte	4,369,221,337	50%
yeidelyt	1,902,496,508	50%
ele.art	1,117,911,666	50%
mythix.market	38,454,318,339	50%
luisestaba23	482,792,848	50%
brujita18	9,275,550,557	22.5%
dividendencheck	12,800,785,236	100%
krrizjos18	2,175,299,006	25%
ifarmgirl	25,980,992,461	4%
iegg	1,023,346,548	50%
yenmendt	27,784,091,539	50%
not-here	920,722,889	20%
beysyd	6,178,574,864	25%
ferbu	6,726,626,654	50%
kamaleshwar	4,381,477,351	30%
chandra.shekar	20,869,458,507	30%
kannannv	49,032,941,210	30%
fabianar25	529,702,930	25%
mairimgo23	16,433,572,925	50%
lycan1703	456,004,657	12.5%
mythix.token	23,986,570,298	50%
olympicdragon	455,047,058	100%
iamleicester	510,210,106	80%
miguelstar	636,751,981	50%
torran	23,866,478,810	100%
franvenezuela	1,081,404,611	25%
aequi	7,500,559,609	35%
adulruna	20,632,938,510	100%
tub3r0	767,211,759	10%
logen9f	35,828,063,752	20%
waffleuncle	1,423,462,593	30%
marsupia	823,272,741	26.5%
karla129	1,415,535,108	40%
mimi.ruby	156,451,223,655	70%
alan8a	538,707,558	25%
dstampede	1,763,816,082	100%
eolianpariah2	50,610,665,031	25%
mengao	590,014,992,157	100%
tydynrain	15,293,971,130	10%
mcookies	5,841,109,101	25%
swearingradio	3,158,147,889	75%
rc-assist	21,503,524,594	70%
pompeylad	48,006,590,028	100%
gercripto	2,950,111,391	25%
willkomo	745,813,267	100%
herman-german	7,487,764,359	50%
imoogin3v3rm0r3	2,512,028,656	30%
stickupcurator	208,938,147,709	20%
susurrodmisterio	2,053,528,616	25%
noctury	1,052,484,393	2.5%
hoosie	8,272,842,223	2.5%
condigital	0	11%
blocktunes	1,001,521,542	10%
pravesh0	196,064,742,196	59%
woodathegsd	11,915,662,917	100%
foxlatam	1,919,134,646	50%
mmoonn	1,554,991,057	100%
zuun.net	288,339,154	11%
dd1100	8,706,153,066	100%
dr-animation	1,385,156,099	100%
balaz	51,518,835,525	30%
jerusa777	1,247,434,228	15%
ryosai	24,014,230,608	100%
crisch23	3,630,794,873	25%
boeltermc	6,814,073,541	100%
yennysferm71	5,083,766,217	25%
hurtlocker	84,399,750,654	100%
blesker	501,942,031	50%
tokencav	49,987,668,506	50%
ricardoeloy	490,004,210	12.5%
caelum1infernum	4,525,466,439	20%
aletoalonewolf	2,396,137,905	25%
universodaniel	1,875,610,789	25%
eollarvesm	1,899,458,564	25%
hiversbqto	8,442,128,407	50%
w1tty	6,939,133,607	100%
hispaliterario	1,109,360,431	50%
deggial	1,438,795,908	100%
ifarmgirl-leo	2,219,125,056	15%
seki1	4,184,740,019	100%
gaurav.art	4,736,498,201	47.2%
vocup	124,931,014,838	40%
flywithmarlin	1,927,394,367	25%
zackygamer	3,630,872,019	50%
willendorfia	8,990,531,381	100%
fun.pravesh0	4,823,050,811	59%
fotlala	2,057,253,099	25%
ganjafrmer	14,293,961,496	100%
wearelegion	915,447,150	20%
pof.pimp	1,599,633,187	100%
vetfunding	17,370,757,773	50%
liberius-1	2,780,624,841	50%
kathajimenezr	2,039,063,235	25%
bemier	99,866,286,985	59%
edgardsaxo	3,883,366,460	25%
fjworld	128,136,269,964	100%
eds-vote	344,327,189,060	5%
briefmarken	43,880,577,502	100%
edgarlopz241	4,001,251,373	50%
ruthmarquez	1,202,797,072	50%
dailydab	104,499,547,152	3%
lordnasty	-16,791,381,970	-100%
mariiestefania	5,628,879,964	50%
karina.yana	2,014,327,588	100%
cryptodom151	1,093,697,846	40%
reyn-is-chillin	768,764,737	50%
pimp.curator	628,587,530	100%
nism	37,403,479,928	100%
alto96	971,880,696	20%
ladyaryastark	25,858,469,284	100%
clubvote	1,162,770,960	0.5%
thetradecenter	20,015,711,168	100%
imoog1en3v3rm0r3	1,797,695,665	30%
cumanadigital	536,955,887	50%
ifhy	1,025,715,161	35%
lisbet	890,695,968	50%
dantrin	105,472,081,197	100%
torre-alba	4,645,036,625	50%
shahzaibad	782,813,413	61.8%
coltdelegation	4,529,397,174	50%
lolz.byte	0	100%
dreamtales	863,371,029	3%
spi-store	284,631,078	4.75%
neoxianvoter	10,159,716	11%
djccdigital	1,344,908,808	100%
tecnotronics	9,121,642,707	100%
legionsupport	216,241,334,287	20%
verdeayer	8,699,097,583	50%
dab-vote	34,405,922,774	2.5%
melibee	670,656,773,870	14%
avataroflife	778,465,148	100%
isagutierrez	976,862,214	50%
luisanab	704,630,635	50%
strangedad	1,809,469,010	100%
suisver	1,616,713,575	25%
diannever	478,390,934	100%
pakx	1,554,306,328,297	100%
blemish	2,663,370,530	100%
soundminds	1,267,731,507	46%
almadepoeta	672,756,456	25%
cjrcast	1,406,913,135	50%
yunesyunesarte	604,230,078	12.5%
sopel	1,439,994,505,018	100%
michael561	2,703,959,328	10%
roswelborges	45,016,989,227	100%
blackmiuria	3,820,947,487	100%
votebebi.skull	0	100%
happyskull	372,936,810,796	100%
techstyle	480,203,414	50%
guarenases	10,119,422,069	25%
vocup.pob	3,074,905,098	100%
marpasifico	14,519,037,204	69%
magic.byte	0	100%
sports.power.bot	0	0.01%
cfreitez	9,278,330,421	50%
berlins	14,203,850,471	100%
gerardosahagun	894,677,193	50%
rhoda001	1,917,289,993	100%
marcospioficial	8,450,434,419	50%
vicky-o	0	100%

@anderssinho · 2025-06-26T15:53:42+00:00

$0.22

Isnt this the same issue LeoAuth got a ton a crap about a while ago?

👍 votehero, eturnerx, thefoundation, ecoinstant, msp-makeaminnow, voter002, eturnerx-dbuzz, voter000, tomiscurious, fatman, projectdignity, we-are-palcoin

`author`	anderssinho
`permlink`	re-ecoinstant-syh05g
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2","image":[],"users":[]}
`created`	2025-06-26 15:53:42
`last_update`	2025-06-26 15:53:42
`depth`	1
`children`	4
`last_payout`	2025-07-03 15:53:42
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.112 HBD
`curator_payout_value`	0.111 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	71
`author_reputation`	87,305,631,121,776
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,585,644
`net_rshares`	781,420,328,907
`author_curate_reward`	""

properties (23)vote details (12)

voter	rshares	pct
ecoinstant	41,271,094,210	100%
eturnerx	269,751,563,809	20.1%
tomiscurious	26,594,704,480	4.5%
fatman	9,262,062,499	2%
votehero	270,647,650,848	53.3%
msp-makeaminnow	26,963,668,843	28.6%
thefoundation	53,730,396,952	100%
voter002	26,804,724,512	60.9%
voter000	26,746,606,524	53.2%
projectdignity	2,501,827,709	100%
we-are-palcoin	380,510,534	100%
eturnerx-dbuzz	26,765,517,987	69.8%

@ecoinstant · 2025-06-26T16:27:39+00:00

$0.76

I am pretty sure if its not EXACTLY THE SAME, then its like, 99% the same issue 😅

👍 vaultec, anderssinho

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
anderssinho	0 B		2,558,740,180	10%
vaultec	0 B		2,635,395,073,028	100%

@anderssinho · 2025-06-26T16:29:15+00:00

$0.12

@anderssinho "Man khal and team got sooo much crap over that 😅 ..."

Man khal and team got sooo much crap over that 😅
Good that you acknowledge it though because its like you say not that secure 😅

👍 tomiscurious, ecoinstant, msp-makeaminnow, votehero, voter002, we-are-lucky, fatman, we-are-one, msp-foundation

`author`	anderssinho
`permlink`	re-ecoinstant-z4tgm1jr
`category`	hive-139531
`json_metadata`	{"app":"leothreads/0.3","format":"markdown","tags":["leofinance"],"canonical_url":"https://inleo.io/threads/view/anderssinho/re-ecoinstant-z4tgm1jr","isPoll":false,"pollOptions":{},"dimensions":[]}
`created`	2025-06-26 16:29:15
`last_update`	2025-06-26 16:29:15
`depth`	3
`children`	0
`last_payout`	2025-07-03 16:29:15
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.062 HBD
`curator_payout_value`	0.061 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	128
`author_reputation`	87,305,631,121,776
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,586,648
`net_rshares`	429,504,723,541
`author_curate_reward`	""

properties (23)vote details (9)

voter	rshares	pct
ecoinstant	40,506,464,174	100%
tomiscurious	270,446,891,941	45.7%
fatman	9,262,062,499	2%
votehero	27,102,021,851	5.4%
msp-makeaminnow	27,105,978,126	28.9%
msp-foundation	146,303,649	100%
we-are-one	1,080,984,381	100%
we-are-lucky	26,798,718,441	59.1%
voter002	27,055,298,479	62.2%

@tibfox · 2025-06-27T22:13:33+00:00

Nope they have stored the keys in a cookie. Now they store them in the local storage but other than hivesigner they are encrypted with a pincode. On top of the cookie thing they have sent the private key over the internet at the beginning - thats when the whole thing blew off

properties (22)

`author`	tibfox
`permlink`	re-anderssinho-2025628t01332347z
`category`	hive-139531
`json_metadata`	{"links":[],"type":"comment","tags":["hive-139531"],"app":"ecency/3.3.3-mobile","format":"markdown+html"}
`created`	2025-06-27 22:13:33
`last_update`	2025-06-27 22:13:33
`depth`	2
`children`	1
`last_payout`	2025-07-04 22:13:33
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	276
`author_reputation`	194,035,142,248,693
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,614,279
`net_rshares`	0

@anderssinho · 2025-06-30T05:49:33+00:00

Alright, noted! :)

properties (22)

`author`	anderssinho
`permlink`	re-tibfox-synmun
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.4"}
`created`	2025-06-30 05:49:33
`last_update`	2025-06-30 05:49:33
`depth`	3
`children`	0
`last_payout`	2025-07-07 05:49:33
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	18
`author_reputation`	87,305,631,121,776
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,660,796
`net_rshares`	0

@ecency · 2025-07-09T11:57:00+00:00 (edited)

$0.32

For some reason, we have missed this post and didn't notice mention. Apologies, any application (web, extension, mobile app) that helps you to sign transaction stores or uses your keys for intended purpose. Security of Hivesigner depends on security of your own device of course, hivesigner doesn't send your keys anywhere in anyway, only keep them in your local browser. Just like Keychain, just like another other direct ways of login. That's why there are different levels of keys so you only use it in trusted and opensource apps to specific operations you need to sign. Working of Hivesigner is slightly different in that you can give posting authority to application once and don't need to use Active, Owner, Master password keys ever again even on Hivesigner itself and you can take away posting authority anytime from any app. In your example, hive.vote it is utilizing posting authority, so you are required to give that authority with your active key, if you know that you just use your active key and can remove your account from Hivesigner that's it. All other keys are used for specific use cases within Hivesigner, memo key or other key login suggests because if you are unsure what key you need, you can try any key until you find one that works. Yes this can be improved but here you are not talking about improvement suggestions.

Hivesigner is opensource and maintained by our team so if you don't trust Ecency team, always do check source code to know what it does with your keys: https://github.com/ecency/hivesigner-ui.

When we have inherited the Hivesigner codebase, we have done extensive review and complete rewrite of most logic, so it is reviewed at least by previous creators and our team.

Deep dive like this should be done on all apps so people know what's doing what. Only be objective about what you find and/or ask team if you have concerns/questions, tell team if you find bugs after all that, release findings along with suggestions.

👍 melinda010100, tomiscurious, tibfox, votehero, eturnerx, voter003, ecoinstant, fatman

`author`	ecency
`permlink`	re-ecoinstant-202579t14148475z
`category`	hive-139531
`json_metadata`	{"tags":["hive","dev","development","hivesigner","archon","tribes","leofinance","neoxian","pimp","proofofbrain"],"app":"ecency/4.2.0-vision","format":"markdown+html"}
`created`	2025-07-09 11:14:09
`last_update`	2025-07-09 11:57:00
`depth`	1
`children`	0
`last_payout`	2025-07-16 11:14:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.159 HBD
`curator_payout_value`	0.159 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1,969
`author_reputation`	628,550,208,526,238
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,888,765
`net_rshares`	953,177,209,736
`author_curate_reward`	""

properties (23)vote details (8)

voter	rshares	pct
melinda010100	445,424,628,616	28.9%
ecoinstant	23,394,520,408	100%
eturnerx	26,798,306,092	2%
tomiscurious	269,749,386,682	45.5%
fatman	9,268,162,632	2%
votehero	26,921,732,760	5.4%
tibfox	124,842,687,413	100%
voter003	26,777,785,133	10.1%

@fjworld · 2025-06-26T11:40:54+00:00

$0.12

Ah Thank You for confirming my suspicion. !LOLZ

I looked at HiveSigner when I started on Hive and when I compared it to how KeyChain does security I stuck to KeyChain.

Much appreciated review.

!PIMP

👍 tomiscurious, ecoinstant, votehero, eturnerx, paulmoon410, fatman, peakecoin, dr-animation

`author`	fjworld
`permlink`	re-ecoinstant-sygog7
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2","image":[],"users":[]}
`created`	2025-06-26 11:40:54
`last_update`	2025-06-26 11:40:54
`depth`	1
`children`	1
`last_payout`	2025-07-03 11:40:54
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.058 HBD
`curator_payout_value`	0.058 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	201
`author_reputation`	13,636,635,329,449
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,578,494
`net_rshares`	411,193,654,542
`author_curate_reward`	""

properties (23)vote details (8)

voter	rshares	pct
ecoinstant	45,421,641,308	100%
eturnerx	26,636,160,291	2%
tomiscurious	276,432,835,453	46.9%
fatman	9,262,062,499	2%
votehero	26,796,539,609	5.3%
paulmoon410	24,651,575,012	75%
dr-animation	991,125,191	75%
peakecoin	1,001,715,179	75%

@lolzbot · 2025-06-26T11:45:15+00:00

<div class='pull-right'><center><img src="https://lolztoken.com/lolz.png"><br><a href="https://lolztoken.com">lolztoken.com</a></p><br><br><br><br></center></div><p><center><strong>Why does Humpty Dumpty love autumn?<br>Because he always has a great fall!</strong><br><sub>Credit: <a href="https://peakd.com/@reddit">reddit</a></sub><br>@ecoinstant, I sent you an <a href="https://lolztoken.com">$LOLZ</a> on behalf of fjworld<br><br>(3/10)<br>Farm <strong><a href='https://lolztoken.com'>LOLZ tokens</a></strong> when you <strong><a href='https://peakd.com/hive-155986/@lolztoken/earn-10percent-apr-on-hive-power-delegations-to-the-lolz-project'>Delegate Hive</a> or <a href='https://peakd.com/hive-155986/@lolztoken/introducing-lolz-defi-now-you'>Hive Tokens</a>.</strong><br>Click to delegate: <a href='https://hivesigner.com/sign/delegateVestingShares?delegator=&delegatee=lolzbot&vesting_shares=10%20HP'>10</a> - <a href='https://hivesigner.com/sign/delegateVestingShares?delegator=&delegatee=lolzbot&vesting_shares=20%20HP'>20</a> - <a href='https://hivesigner.com/sign/delegateVestingShares?delegator=&delegatee=lolzbot&vesting_shares=50%20HP'>50</a> - <a href='https://hivesigner.com/sign/delegateVestingShares?delegator=&delegatee=lolzbot&vesting_shares=100%20HP'>100</a> HP</center></p>

properties (22)

`author`	lolzbot
`permlink`	re-re-ecoinstant-sygog7-20250626t114506z
`category`	hive-139531
`json_metadata`	"{"app": "beem/0.24.19"}"
`created`	2025-06-26 11:45:15
`last_update`	2025-06-26 11:45:15
`depth`	2
`children`	0
`last_payout`	2025-07-03 11:45:15
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1,296
`author_reputation`	196,069,782,190,056
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,578,601
`net_rshares`	0

@hivebuzz · 2025-06-26T07:27:36+00:00

Congratulations @ecoinstant! You have completed the following achievement on the Hive blockchain And have been rewarded with New badge(s)

<table><tr><td><img src="https://images.hive.blog/60x70/https://hivebuzz.me/@ecoinstant/payout.png?202506260719"></td><td>You received more than 35000 HP as payout for your posts, comments and curation.<br>Your next payout target is 36000 HP.<br><sub>The unit is Hive Power equivalent because post and comment rewards can be split into HP and HBD</sub></td></tr>
</table>

<sub>_You can view your badges on [your board](https://hivebuzz.me/@ecoinstant) and compare yourself to others in the [Ranking](https://hivebuzz.me/ranking)_</sub>
<sub>_If you no longer want to receive notifications, reply to this comment with the word_ `STOP`</sub>

properties (22)

`author`	hivebuzz
`permlink`	notify-1750922856
`category`	hive-139531
`json_metadata`	{"image":["https://hivebuzz.me/notify.t6.png"]}
`created`	2025-06-26 07:27:36
`last_update`	2025-06-26 07:27:36
`depth`	1
`children`	0
`last_payout`	2025-07-03 07:27:36
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	781
`author_reputation`	370,686,196,484,985
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,574,561
`net_rshares`	0

@holoz0r · 2025-06-26T07:22:15+00:00

$0.12

Here's a hot take: People who use autovoters deserve to have their keys compromised :P

👍 eturnerx, ecoinstant, voter002, thefoundation, votehero, fatman

`author`	holoz0r
`permlink`	re-ecoinstant-sygch1
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2","image":[],"users":[]}
`created`	2025-06-26 07:22:15
`last_update`	2025-06-26 07:22:15
`depth`	1
`children`	0
`last_payout`	2025-07-03 07:22:15
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.058 HBD
`curator_payout_value`	0.058 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	86
`author_reputation`	546,790,859,012,393
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,574,501
`net_rshares`	411,427,531,297
`author_curate_reward`	""

properties (23)vote details (6)

voter	rshares	pct
ecoinstant	46,215,339,486	100%
eturnerx	274,296,485,573	20.5%
fatman	9,262,062,499	2%
votehero	26,793,691,924	5.3%
thefoundation	27,158,044,312	50.8%
voter002	27,701,907,503	63.7%

@mengao · 2025-06-25T22:12:12+00:00

$0.12

Storing private keys in local storage definitely not secure.

👍 eturnerx, ecoinstant, voter001, msp-makeaminnow, tomiscurious, votehero, fatman, we-are-one, bilpcoinbpc, endhivewatchers, maxuve

`author`	mengao
`permlink`	re-ecoinstant-syfn0a
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2","image":[],"users":[]}
`created`	2025-06-25 22:12:12
`last_update`	2025-06-25 22:12:12
`depth`	1
`children`	4
`last_payout`	2025-07-02 22:12:12
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.060 HBD
`curator_payout_value`	0.060 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	60
`author_reputation`	114,986,366,551,361
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,568,643
`net_rshares`	427,628,746,898
`author_curate_reward`	""

properties (23)vote details (11)

voter	rshares	pct
ecoinstant	41,179,918,774	100%
eturnerx	268,972,667,427	20.2%
tomiscurious	26,571,391,814	4.6%
fatman	9,261,538,376	2%
votehero	26,269,731,086	5.3%
msp-makeaminnow	26,704,957,974	28.9%
we-are-one	1,075,992,155	100%
voter001	26,705,029,858	28.9%
maxuve	0	100%
bilpcoinbpc	887,519,434	5%
endhivewatchers	0	0.5%

@ecoinstant · 2025-06-25T22:18:48+00:00

In my opinion, the fact that the app encourages Owner key or Master password just makes this worse.

properties (22)

@mengao · 2025-06-25T22:29:12+00:00

$0.12

terrible! hive.vote is probably one the most used services on Hive and doesn't have keychain integration.

great job testing it! I never use hive signer, even though I never did this research, I never trusted it. and it's one of the oldest sign in options still accepted by all frontends?

👍 eturnerx, ecoinstant, msp-makeaminnow, voter002, tomiscurious, votehero, fatman, msp-foundation

`author`	mengao
`permlink`	re-ecoinstant-syfnsm
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2"}
`created`	2025-06-25 22:29:12
`last_update`	2025-06-25 22:29:12
`depth`	3
`children`	1
`last_payout`	2025-07-02 22:29:12
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.060 HBD
`curator_payout_value`	0.059 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	288
`author_reputation`	114,986,366,551,361
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,568,920
`net_rshares`	425,980,940,486
`author_curate_reward`	""

properties (23)vote details (8)

voter	rshares	pct
ecoinstant	40,572,904,499	100%
eturnerx	269,736,306,303	20.3%
tomiscurious	26,599,544,579	4.6%
fatman	9,261,538,376	2%
votehero	26,293,553,908	5.3%
msp-makeaminnow	26,695,141,574	29%
msp-foundation	145,384,560	100%
voter002	26,676,566,687	64.5%

1 reply

@pompeylad · 2025-06-27T10:31:24+00:00

$0.13

Hive.vote is as much the problem here by not updating to using Keychain. I've always been dubious of hivesigner but that is shocking, time to sunset it we have a better, easier, safer way now.

👍 tomiscurious, ecoinstant, msp-makeaminnow, votehero, voter002, eturnerx-dbuzz, eturnerx, fatman, promo-mentors, endhivewatchers

`author`	pompeylad
`permlink`	re-ecoinstant-syifw7
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2"}
`created`	2025-06-27 10:31:24
`last_update`	2025-06-27 10:31:24
`depth`	3
`children`	0
`last_payout`	2025-07-04 10:31:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.067 HBD
`curator_payout_value`	0.066 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	192
`author_reputation`	630,592,356,987
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,604,365
`net_rshares`	447,723,909,030
`author_curate_reward`	""

properties (23)vote details (10)

voter	rshares	pct
ecoinstant	35,751,174,794	100%
eturnerx	25,345,244,470	1.9%
tomiscurious	269,538,517,252	45.9%
fatman	9,259,618,906	2%
votehero	26,802,944,784	5.4%
msp-makeaminnow	26,833,523,260	28.8%
promo-mentors	710,919,215	100%
voter002	26,743,333,963	62.4%
eturnerx-dbuzz	26,738,632,386	71.9%
endhivewatchers	0	0.5%

@osomar357 · 2025-06-25T22:20:39+00:00

$0.12

Hola feliz tarde, antes que nada esta muy bueno el post, y creo que en su contenido, demostraste las razones por las cuales dices que es inseguro.
Yo realmente no lo uso mucho, ya que se me hace confuso y con poca información para los usuarios, solo lo use en Hive-vote y creo que un par de veces para apoyar unas propuestas.
Pero, en realidad, demuestras que tienes razón en el planteamiento que realizas con respecto a la seguridad de la aplicación.
También quiero aprovechar, para darte gracias por las dos herramientas que recomiendas, la del cambio de claves y la de creación de cuentas.
Me parece un post, bien informativo, que educa al usuario y le explica de manera simple, algunos datos que no se conocen en el área de seguridad de las aplicaciones.
Lo mismo queda claro, para el resguardo de las claves, ya que hay muchas personas que las usan en el navegador y eso suele ser muy peligroso a la hora de un hackeo.
Me parece muy buena y educativa la información, muchas gracias.

------

Hello happy afternoon, first of all the post is very good, and I think that in its content, you showed the reasons why you say that it is unsafe.
I really don't use it much, since it gets confusing and with little information for users, I only used it in Hive-vote and I think a couple of times to support some proposals.
But, in reality, you prove that you are right in the approach you make regarding the security of the application.
I also want to take this opportunity to thank you for the two tools that you recommend, the password change tool and the account creation tool.
It seems to me a post, very informative, that educates the user and explains in a simple way, some data that are not known in the area of application security.
The same is clear, for the protection of the keys, since there are many people who use them in the browser and that is usually very dangerous at the time of a hack.
I find the information very good and educational, thank you very much.

---

![](https://images.ecency.com/DQmWfDbrdi4kwywjTpaniBy82aPFLoNbwvW9cRdz3F7EVEe/curacion_nueva.gif)

Este post fue votado desde Ecency.

</h3></i></b></div>

!HUESO
!ALIVE

</center>

👍 eturnerx, ecoinstant, eturnerx-dbuzz, voter003, tomiscurious, votehero, fatman, msp-foundation

`author`	osomar357
`permlink`	re-ecoinstant-2025625t182039481z
`category`	hive-139531
`json_metadata`	{"tags":["hive","dev","development","hivesigner","archon","tribes","leofinance","neoxian","pimp","proofofbrain"],"app":"ecency/4.2.0-vision","format":"markdown+html"}
`created`	2025-06-25 22:20:39
`last_update`	2025-06-25 22:20:39
`depth`	1
`children`	1
`last_payout`	2025-07-02 22:20:39
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.060 HBD
`curator_payout_value`	0.060 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	2,208
`author_reputation`	172,783,694,009,870
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,568,778
`net_rshares`	425,305,310,114
`author_curate_reward`	""

properties (23)vote details (8)

voter	rshares	pct
ecoinstant	39,768,387,434	100%
eturnerx	270,006,403,124	20.4%
tomiscurious	26,575,784,472	4.6%
fatman	9,258,331,069	2%
votehero	26,267,316,320	5.3%
msp-foundation	141,476,869	100%
voter003	26,602,572,150	11.5%
eturnerx-dbuzz	26,685,038,676	71.9%

@bot-bdbhueso · 2025-06-25T22:20:48+00:00

<center>[![](https://media.discordapp.net/attachments/1024769431500509294/1342589583346503690/1_COMANDO_HUESO_ING.gif?ex=67ba2f7c&is=67b8ddfc&hm=802e08ed8ea13a5048dd02fc5e242e9f04fb7cf4294c6f99db57f3a7f520d91a&=&width=1000&height=188)](https://discord.gg/WdSDtH8GZg)</center>

<center>Uses: 6/18
!LUV</center>

properties (22)

`author`	bot-bdbhueso
`permlink`	re-osomar357-re-ecoinstant-2025625t182039481z-20250625t222047434z
`category`	hive-139531
`json_metadata`	{"app":"hive-bot/0.6.3"}
`created`	2025-06-25 22:20:48
`last_update`	2025-06-25 22:20:48
`depth`	2
`children`	0
`last_payout`	2025-07-02 22:20:48
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	309
`author_reputation`	498,145,470,434
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,568,783
`net_rshares`	0

@pardinus · 2025-06-26T00:06:48+00:00

$0.12

Thanks for the deep dive! I'm not technical savvy security wise, but I never felt that confortable on putting my keys in hivesigner. I would love to have a similar app to hive.vote with decent UX and buffed security... let's see if it comes true one  day!

👍 tomiscurious, ecoinstant, voter001, votehero, eturnerx, fatman, bilpcoinbpc, endhivewatchers

`author`	pardinus
`permlink`	re-ecoinstant-2025626t1648710z
`category`	hive-139531
`json_metadata`	{"links":[],"type":"comment","tags":["hive-139531","hive","dev","development","hivesigner","archon","tribes","leofinance","neoxian","pimp","proofofbrain"],"app":"ecency/3.3.3-mobile","format":"markdown+html"}
`created`	2025-06-26 00:06:48
`last_update`	2025-06-26 00:06:48
`depth`	1
`children`	0
`last_payout`	2025-07-03 00:06:48
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.058 HBD
`curator_payout_value`	0.057 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	255
`author_reputation`	383,534,221,669,637
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,570,260
`net_rshares`	405,949,822,089
`author_curate_reward`	""

properties (23)vote details (8)

voter	rshares	pct
ecoinstant	40,699,261,029	100%
eturnerx	26,649,805,844	2%
tomiscurious	274,660,876,075	47%
fatman	9,258,402,341	2%
votehero	26,684,172,818	5.3%
voter001	27,109,896,971	28.9%
bilpcoinbpc	887,407,011	5%
endhivewatchers	0	0.5%

@shmoogleosukami · 2025-06-26T10:51:15+00:00

$0.11

I remember hearing talk about making it that at the blockchain level hive nodes will reject transactions that use of keys far above the permissions required. like using owner to sign active key transactions, I'm not sure if it's already in effect though.

One reason HiveSigner asks for the master password is it is a quick way to import all keys since all keys are derived from said password but still I wouldnt even do that. I'd rather take the time to import each one.

Now here's a question.. How does one clear your keys from your local storage if you previously used hivesigner?

Since I hardly use it I'd prefur to not have my keys sitting there potentially insecure.

---

<sup>[I'm a Hive Witness supporting the blockchain, please consider voting for me.](https://vote.hive.uno/@shmoogleosukami) - [find out more here!](https://ureka.social/@shmoogleosukami/shmoogle-osukamis-witness-info-for-prospective-voters)</sup>

👍 tomiscurious, ecoinstant, votehero, eturnerx, fatman

`author`	shmoogleosukami
`permlink`	re-ecoinstant-sygm5d
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2","image":[],"users":[]}
`created`	2025-06-26 10:51:15
`last_update`	2025-06-26 10:51:15
`depth`	1
`children`	3
`last_payout`	2025-07-03 10:51:15
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.054 HBD
`curator_payout_value`	0.055 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	927
`author_reputation`	227,684,395,918,816
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,577,348
`net_rshares`	384,217,476,629
`author_curate_reward`	""

properties (23)vote details (5)

voter	rshares	pct
ecoinstant	43,634,365,921	100%
eturnerx	26,628,655,138	2%
tomiscurious	277,952,806,377	47.6%
fatman	9,259,372,348	2%
votehero	26,742,276,845	5.3%

@ecoinstant · 2025-06-26T13:05:15+00:00

$0.53

So I can go to manage site data in this browser, and it allows me to delete it.  

The one thing I didn't test is, if I "save and encrypt", can I still clear it from my local cache?  If not, where does it "go"?  


![image.png](https://files.peakd.com/file/peakd-hive/ecoinstant/23wBeChUGnvn62MVSRhe2cGgy9VsRzL5vwpCiPgH6br9VQ3DAVSpajtNNMpkEncJgZyYk.png)

👍 abrockman

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
abrockman	0 B		1,841,120,826,827	100%

@shmoogleosukami · 2025-06-26T13:48:57+00:00

$0.63

I've noticed something, when not logged into hivesigner, the keys are not in local storage, I assume they are elsewhere encrypted with the password you set up on hivesigner. It's only if you are logged in to hivesigner are they exposed.

So as long as you haven't logged in on a compromised device or browser you 'should' be fine. But this does beg the question I think all extensions can access local storage data if enabled so there is also potential for malicious action there too.

I generally have my browser extensions restricted to certain sites so I'm fine there.

There also is no way to actually sign out of hive-signer except by probably closing the complete browser.

Donno if the local storage is ever accessible besides the site being open in a tab.

You can actually remove accounts from hivesigner via hivesigner which is the best way to go about it I think.

---

<sup>[I'm a Hive Witness supporting the blockchain, please consider voting for me.](https://vote.hive.uno/@shmoogleosukami) - [find out more here!](https://ureka.social/@shmoogleosukami/shmoogle-osukamis-witness-info-for-prospective-voters)</sup>

👍 abrockman, investegg, pompeylad, ecoinstant, thefoundation, voter003, votehero, fatman

`author`	shmoogleosukami
`permlink`	re-ecoinstant-sygudk
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2","image":[],"users":[]}
`created`	2025-06-26 13:48:57
`last_update`	2025-06-26 13:48:57
`depth`	3
`children`	1
`last_payout`	2025-07-03 13:48:57
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.316 HBD
`curator_payout_value`	0.315 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1,127
`author_reputation`	227,684,395,918,816
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,582,098
`net_rshares`	2,178,230,843,740
`author_curate_reward`	""

properties (23)vote details (8)

voter	rshares	pct
ecoinstant	42,689,929,968	100%
fatman	9,262,062,499	2%
votehero	26,940,944,678	5.3%
investegg	193,111,350,618	100%
abrockman	1,804,352,217,166	100%
thefoundation	27,415,915,863	51%
voter003	27,404,393,433	11.4%
pompeylad	47,054,029,515	100%

1 reply

@sopel · 2025-06-26T11:13:30+00:00

$0.11

Anything in web browser or on mobile phone is not secure for large financial transactions, fortunately in hive we have several keys: active (required for financial transactions) and posting (for blogging like here). Bank mobile apps have limited functionality compared to web browser interface, in web browser it is still required to perform 2FA.

👍 eturnerx, ecoinstant, investegg, votehero, fatman

`author`	sopel
`permlink`	sygn6i
`category`	hive-139531
`json_metadata`	{"app":"hiveblog/0.1"}
`created`	2025-06-26 11:13:30
`last_update`	2025-06-26 11:13:30
`depth`	1
`children`	1
`last_payout`	2025-07-03 11:13:30
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.054 HBD
`curator_payout_value`	0.054 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	346
`author_reputation`	24,082,760,817
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,577,887
`net_rshares`	381,149,981,905
`author_curate_reward`	""

properties (23)vote details (5)

voter	rshares	pct
ecoinstant	44,524,245,855	100%
eturnerx	273,296,832,675	20.5%
fatman	9,255,713,266	2%
votehero	26,770,331,522	5.3%
investegg	27,302,858,587	14.3%

@thedd · 2025-07-23T18:48:51+00:00

My bank app can do more than their webbank. And in the webbank I have to use the app as 2fa.

properties (22)

`author`	thedd
`permlink`	re-sopel-szv898
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.7.3"}
`created`	2025-07-23 18:48:51
`last_update`	2025-07-23 18:48:51
`depth`	2
`children`	0
`last_payout`	2025-07-30 18:48:51
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	92
`author_reputation`	610,855,738,228
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	144,338,873
`net_rshares`	0

@steevc · 2025-06-26T19:55:54+00:00

$0.12

Any site that asks for a 'master key' seems dodgy to me. They shouldn't need that level of access.

Key security is not an easy problem to solve and so we have to trust the developers for such tools. I would hope that anyone with real concerns can feel free to speak out, but obviously should go to the devs first if there is an immediate risk.

👍 eturnerx, ecoinstant, voter001, votehero, we-are-lucky, eturnerx-dbuzz, fatman

`author`	steevc
`permlink`	re-ecoinstant-syhbd2
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2","image":[],"users":[]}
`created`	2025-06-26 19:55:54
`last_update`	2025-06-26 19:55:54
`depth`	1
`children`	1
`last_payout`	2025-07-03 19:55:54
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.062 HBD
`curator_payout_value`	0.061 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	344
`author_reputation`	1,394,291,349,669,101
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,591,679
`net_rshares`	422,936,518,306
`author_curate_reward`	""

properties (23)vote details (7)

voter	rshares	pct
ecoinstant	36,427,772,153	100%
eturnerx	270,284,934,231	20.3%
fatman	9,258,855,011	2%
votehero	26,744,820,973	5.4%
we-are-lucky	26,722,207,496	59.5%
voter001	26,792,934,219	27.7%
eturnerx-dbuzz	26,704,994,223	71.5%

@ecoinstant · 2025-06-26T21:08:27+00:00

$0.03

This is legacy software, as you say (and @techcoderx mentioned) these are tricky issues.

I never made a post before, I just ignored this legacy login method (which was more secure in its day than copy pasting keys).  

But I felt compelled to look into it and make a post when I felt mistreated for not drinking the koolaid and exclaiming that it was the most safe and secure app in the world, which it is not.

👍 steevc

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
steevc	0 B		100,331,260,827	3%

@techcoderx · 2025-06-26T13:09:12+00:00 (edited)

$0.54

The broader issue here is the lack of other installation/hardware-free login options that are user-friendly to newbies, other than another OAuth2 solution (web2 logins) which currently only works on very specific apps and for that app/platform only (i.e. VSC-related transactions [which are signed EVM txs behind the scenes](/vsc/@vsc.network/vsc-and-hive-accounts-explainer), InLeo social logins specifically for that only, just to name a few). These accounts cannot be ported to another Hive app without the user exporting the keys and importing it somewhere else.

All wallet providers supported on Aioha that isn't HiveSigner either requires installing something on user's browser/phone or having a hardware device (only one exists that I strongly [do not recommend](/backdoor/@techcoderx/new-ledger-firmware-opens-up-a-backdoor-to-your-seed-phrase)). The [only FAQ](https://aioha.dev/docs/faq) of adding a "plaintext key" provider ([beekeeper](https://gitlab.syncad.com/hive/hive/-/tree/develop/programs/beekeeper/beekeeper_wasm?ref_type=heads) maybe?) probably won't do much other than safeguarding potential DNS hijacking on hivesigner.com but the same can happen to the app itself.

👍 abrockman, ecoinstant, votehero, eturnerx, fatman

`author`	techcoderx
`permlink`	re-ecoinstant-sygsh2
`category`	hive-139531
`json_metadata`	{"tags":"hive-139531"}
`created`	2025-06-26 13:07:51
`last_update`	2025-06-26 13:09:12
`depth`	1
`children`	0
`last_payout`	2025-07-03 13:07:51
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.272 HBD
`curator_payout_value`	0.271 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1,189
`author_reputation`	47,798,058,051,301
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,580,902
`net_rshares`	1,876,514,753,603
`author_curate_reward`	""

properties (23)vote details (5)

voter	rshares	pct
ecoinstant	43,218,098,779	100%
eturnerx	26,598,059,155	2%
fatman	9,262,062,499	2%
votehero	27,280,902,307	5.4%
abrockman	1,770,155,630,863	100%

@themarkymark · 2025-06-26T22:14:30+00:00

$0.11

You can pre-add the authority through other interfaces like PeakD and Hive.blog.
I believe everything should support keychain, but even that isn't audited.

👍 eturnerx, ecoinstant, voter001, we-are-lucky, votehero, fatman
👎 mmmmkkkk311, ctime, bluesniper, sonntags, mariuszkarowski, csport, tenpik, zeltra, gaskets, labutamol

`author`	themarkymark
`permlink`	re-ecoinstant-syhhs6
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.6.2","image":[],"users":[]}
`created`	2025-06-26 22:14:30
`last_update`	2025-06-26 22:14:30
`depth`	1
`children`	6
`last_payout`	2025-07-03 22:14:30
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.056 HBD
`curator_payout_value`	0.056 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	155
`author_reputation`	1,780,045,201,740,099
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,593,649
`net_rshares`	389,120,973,465
`author_curate_reward`	""

properties (23)vote details (16)

voter	rshares	pct
ecoinstant	35,605,170,100	100%
eturnerx	270,767,340,050	20.3%
fatman	9,259,243,014	2%
votehero	26,721,073,910	5.4%
mmmmkkkk311	-3,112,616,636	-10%
mariuszkarowski	-295,444,669	-10%
we-are-lucky	26,766,969,340	59.6%
voter001	26,947,817,595	28.1%
bluesniper	-904,639,010	-10%
ctime	-2,214,480,131	-10%
csport	-46,465,119	-10%
gaskets	-5,811,832	-10%
tenpik	-22,712,746	-10%
zeltra	-22,470,529	-10%
sonntags	-321,999,872	-10%
labutamol	0	-10%

@ecency · 2025-07-09T11:34:57+00:00 (edited)

I agree on auditing or more eyes on codebase and what apps are doing by checking their source code if open. Hivesigner is opensource, audited at least by Ecency team and previous creators, anyone still can check codebase. A lot of misinformation will push people using unsecure or closed source solutions which isn't helping.

properties (22)

`author`	ecency
`permlink`	re-themarkymark-202579t143415672z
`category`	hive-139531
`json_metadata`	{"tags":[],"app":"ecency/4.2.0-vision","format":"markdown+html"}
`created`	2025-07-09 11:34:15
`last_update`	2025-07-09 11:34:57
`depth`	2
`children`	1
`last_payout`	2025-07-16 11:34:15
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	325
`author_reputation`	628,550,208,526,238
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	143,889,394
`net_rshares`	0

@thedd · 2025-07-23T18:59:03+00:00

Audited code is way more secure than closed source or unaudited code. BUT, reviewing a githib repo won't make the app secure! What stops the dev to alter the deployed version of the codebase and add some malicious parts?

 The repo would look nice and shiny but a small change on the real server could be dangerous. So the full review should check the live webserver too. And it wouldn't be bulletproof either as you can swap dns record overnight or add changes after the audit.

properties (22)

`author`	thedd
`permlink`	re-ecency-szv8qc
`category`	hive-139531
`json_metadata`	{"tags":["hive-139531"],"app":"peakd/2025.7.3"}
`created`	2025-07-23 18:59:03
`last_update`	2025-07-23 18:59:03
`depth`	3
`children`	0
`last_payout`	2025-07-30 18:59:03
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	478
`author_reputation`	610,855,738,228
`root_title`	"HiveSigner is INSECURE? - discussion and deep dive"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	144,339,214
`net_rshares`	0

@ecoinstant · 2025-06-26T22:24:15+00:00

Yes, which is probably the most secure way to use HiveSigner!

properties (22)

@ecoinstant · 2025-06-27T13:02:45+00:00

What would an "audit" or auditor do?

Keep an eye on the github repo?
Look for exploits in the live app?
"PenTest" the company itself?

properties (22)

@themarkymark · 2025-06-27T13:04:33+00:00

$0.12

Generally review the code for security issues and/or exploits.  Ideally, regularly, but most are lucky if it is even done once halfassed.

👍 eturnerx, ecoinstant, msp-makeaminnow, voter001, votehero, thefoundation, fatman, bilpcoinbpc
👎 mmmmkkkk311, ctime, bluesniper, sonntags, mariuszkarowski, csport, zeltra, tenpik, gaskets, labutamol, ovlagik

properties (23)vote details (19)

1 reply

@tibfox · 2025-06-28T08:28:12+00:00

$0.10

Because you demanded my response so intensely on discord:

Good post that highlights some of the many things we can call insecure on Hive. It always depends on how you view it and your position is valid for sure. Hivesigner stores the keys in the local storage unencrypted and that's not very secure.

But: Compared to many private key logins or the majority of web2 it is definitely very secure already because your keys will never go over the internet and you dont need to trust a new interface because you do not enter your keys there. Of course private key logins are often implemented that your keys will also not go over the internet but any new interface could be a potential danger: like leo did it one time in the recent past when you login. That was the real big issue - then the storage in a cookie and then they finally made it more secure by putting the keys in local storage encrypted and not sending any key over the internet.

The challenge that hivesigner solves here is that you do not give any user interface your private key in the first place but you probably already knew that.

Regarding the owner key: there are moments you will need to use your owner key. Maybe that's the reason why you can enter it there. Just a thought of mine.

I know there are people working on other solutions here on Hive and that there are 1000x more secure solutions on Hive already: Keychain and HiveAuth.

My favorite is definetely HiveAuth because that works everywhere not only where keychain is installed and is compatible with Keychain. So all you need is a Keychain on your mobile device and the user interface supporting hiveAuth - done.

<hr>
Maybe your criticism would have more value if you shared it with the ecency team instead pinging me (who is not part of the team at all) or good karma (who gets pinged 10x per day probably) in this post only. They have a very active discord and would be pleased to see suggestions for improvements. But instead you decided to use it as a rant / beef show here and on the hive discord server.
<hr>
I am not going into detail how you portrayed me here or on discord but I thought that its important for you that I go over your post and to give me feedback so I did.

My heart rate is at 97 (checking my fitbit right now) because I don't like when people call me names or try to offend me as part of their defense mechanism. But I have learned to reflect myself and my feelings and to work with my emotions - not getting dragged by them or work against them.

I'm not a native speaker (yes I play this card now) so maybe some phrases could come to you in a different way than I've intended them to be. "As far as I know" is a phrase I use when I am pretty sure but too lazy to search for source code lines. Next time I'll do that instead. But a next time between you and me will not happen: I will just read your message, give a reaction emoji and leave it like that because the way you've handled this discussion did not encourage discussion at all. Sounds weird but I need to keep myself out from these kind of shows.

<hr>

I am on Hive for fun and a good time - sharing knowledge and opinions. I will keep doing this - *trust me*.

👍 investegg, ecoinstant, eturnerx, voter003, votehero, fatman, bilpcoinbpc, promo-mentors, bilpcoin.pay

properties (23)vote details (9)

@ecency · 2025-07-09T11:45:15+00:00

> Hivesigner stores the keys in the local storage unencrypted and that's not very secure.

That's the choice by user, there is literally checkbox to encrypt it.

![](https://images.ecency.com/DQmNSWzqNK6n2EmTg7c2QfvWdubSnBYbDZ66CBfMFtW2QgJ/2025_07_09_14_44_05.png)

properties (22)

@tibfox · 2025-07-09T13:08:21+00:00

But is it then also stored encrypted in the local storage?

properties (22)

2 replies

@ecoinstant · 2025-06-28T09:34:45+00:00

Sounds like we agree on a lot of things.  It was definitely when you called me names, that motivated my heart rate, and this post and subsequent pings.

properties (22)

@tydynrain · 2025-06-26T07:44:21+00:00

$0.12

Yeah, that's not good. I try not to use HiveSigner if I can help it, but it's sometimes not an option. This is definitely worrisome. 😁 🙏 💚 ✨ 🤙

👍 eturnerx, ecoinstant, msp-makeaminnow, votehero, we-are-lucky, fatman

properties (23)vote details (6)

voter	rshares	pct
ecoinstant	35,074,139,412	100%
eturnerx	269,985,841,278	20.2%
fatman	9,262,038,766	2%
votehero	26,791,134,874	5.4%
msp-makeaminnow	26,975,800,488	29.1%
mmmmkkkk311	-3,476,917,872	-10%
mariuszkarowski	-340,452,261	-10%
thefoundation	26,765,319,041	50.2%
voter001	26,804,193,740	27.9%
bluesniper	-1,136,928,817	-10%
ctime	-2,497,842,295	-10%
bilpcoinbpc	887,359,124	5%
csport	-57,805,223	-10%
gaskets	-10,776,874	-10%
tenpik	-30,498,682	-10%
zeltra	-30,908,567	-10%
sonntags	-450,942,638	-10%
ovlagik	0	-10%
labutamol	0	-10%

voter	rshares	pct
ecoinstant	34,642,259,039	100%
eturnerx	26,705,251,683	2%
fatman	9,257,111,452	2%
votehero	26,351,285,451	5.2%
investegg	192,283,280,637	100%
promo-mentors	699,097,599	100%
voter003	26,681,592,207	11.3%
bilpcoin.pay	546,521,134	10%
bilpcoinbpc	887,393,959	5%

voter	rshares	pct
ecoinstant	42,675,338,401	100%
eturnerx	276,422,768,778	20.7%
fatman	9,262,062,499	2%
votehero	27,329,875,109	5.4%
msp-makeaminnow	27,408,688,075	29.1%
we-are-lucky	27,235,240,726	60.2%