I wasn't going to post this until tomorrow but a certain publication decided to put a spotlight on a service that is using bad practices and I wanted to show why certain business that understand the protocol are unique and not just trying to be only first movers.
Don’t trust apis with your bitcoin private keys! It was brought to our attention that competitors of ours have built in functions to sign transactions for you, as long as you supplied the private key. I will not name them as this would take away from our post. I believe this extremely dangerous and a complete disregard for user’s safety. We take security extremely serious in our api and even if users don’t understand the protocol as well as us, we want to protect them from themselves.
Anytime a private key is exposed and sent over the internet unencrypted or even encrypted, it is dangerous and the private key should be treated as a compromised key. That means it should never be used again for any transactions. If a malicious actor got to that private key they could easily craft a transaction that could be confirmed before your intended transaction. It isn’t worth the risk, we understand that this is easier and probably more attractive but also bad standard practices for bitcoins.
This why I promote cold storage wallets, anytime I talk to anyone looking to use our api. Cold storage wallets are not something users learn about until it is usually too late but we need to change that.
https://apicoin.io/blog/2014/05/01/dont-trust-apis/
