Stealing app private keys on Blockstack

Hi all, some of you who are active in the Telegram group might have seen it passing by. I just released an article detailing ways to steal app private keys through insecure Blockstack apps and ways to prevent them.

Feedback is appreciated and I would also like to take the opportunity to open the discussion of content security in general. These topics were discussed before (1 & 2).


Wow. Did anyone patch their apps before you posted this article? I know you contacted them, but they still have the issues, correct? Some of these apps are the most popular. In my opinion, the app developers should have fixed the issues before you disclosed how to accomplish this in such detail. Now I'm afraid to use any app on Blockstack. Am I looking at this wrong?

Hi Joseph. Everyone was contacted last week; it should all be fixed.

No reason to be overly concerned in using Blockstack apps. Especially if they are not multi-user or you do not use multi-user features.

Thanks for the reply. It is a lot about trust in the app developer and the person you receive data from. Using the new internet extension gives you another layer of security. Using open source apps helps you to see patches, like for Sigle.

(Single-user apps are those apps that do not request to publish data in your name during the auth flow. Unfortunately, this is not so transparent anymore with the new Blockstack Connect.)

Furthermore, there is work being done, in particular with collections, that allows revoking private keys (e.g., but it is still a long way off, I would say.

Thanks @friedger. I find you to be one of the best app devs on this platform.

