Brave asking for too many permissions to control my Uphold account, including transferring from my wallet to other members

  1. Why is Brave asking me for permissions to “Transfer funds from your Uphold wallet to other members” - how is it even a thing? Wow. Please explain.

  2. Why “View all your Uphold Money Cards” - do you really need this?

This authorization request is very concerning and suspicious. I’d like to enter my wallet details into Brave settings and that’s all you should ask for in order to be able to transfer BAT to my custodial account.

It’s because you can tip BATs to creators when you connect to Uphold. Also it’s like a generic page. You try connecting to any other integration, you’ll get a similar page.

Brave only accesses the API to know what passport and nationality you are. This page from Uphold is a generic one and does not actually mean that all this will be shared. @Saoiray could you please clarify more since I’m not totally sure about being correct

No, it certainly does. Otherwise the exact list of permissions being requested would make zero sense.

Also, if other apps misuse Uphold API by requesting more permissions than they need, it cannot work as an excuse for Brave.

I certainly don’t want Brave to have control over my wallets, this is absurd and, what’s worse, is not in line with all the anonymity and safety features Brave team declares in their mission.

Buddy. Brave only sees the passport and your nationality info. They don’t control the wallets. The send money is only for it to be able to tip people on Brave creators.

You’re contradicting yourself.

It doesn’t control my wallets but it can send money from my wallet. Yes?

Only when you manually tip someone. Or have auto contribute turned on.

You’re talking about the business logic. This happens AFTER I authorise Brave to transact money from my wallets. But the authorisation is there once given. This has catastrophic security implications if data leaks.

And from the practical point of view, I do not want to tip content creators, so why am I asked to give permissions in the first place.

It is just so wrong from the feature design point of view that it needs no explanation.

It’s a basic requirement. Since it is a one time authorisation, it won’t make sense to make you authorize each one separately, does it?

Well, data leaks are everywhere. Guess what?
If you don’t wanna connect to Uphold, don’t. No problem. Probably your loss.
This is how it is.
I will tag @SaltyBanana @chriscat in hopes that they can clarify why the authorisation is this way, though.

Making me authorize Brave to send money from my wallet at will is nowhere near being a basic requirement.

All Brave needs to send BAT to my wallet is, well, a wallet address, which I should be able to enter into Brave settings. Without even having Brave talk to Uphold APIs.

But if Brave needs some of my personal data for the verification purposes — I’m totally okay with that, but then JUST ASK FOR THAT and nothing else. Authenticating a user is one thing. Asking for permissions to send money out of their wallet is a totally different thing. It is almost rude to ask me for that level of permission.

Okay, then give me all the private keys from all your wallets, and all passwords from all your accounts; cause data leaks are everywhere and I’ll get it sooner or later anyway? That’s what you’re saying? This is an absurd excuse for not doing things in the right way. I don’t give a … if data leaks are everywhere. I’m simply asking Brave not to force me to give them permissions to transact coins from my wallet in order to get BAT payouts.

You’re not understanding it. They require that so that if by any chance you wanna tip someone you will be able to instantly without having to do verification each time. Anyway, better if we both stop arguing and have @chriscat explain to you why this is necessary instead of speculating stuff.

This is because of tipping and auto-contributions.

This is where you can see your BAT balance. So when connected, it can show you how much BAT you have available. Otherwise you’d have to go to in order to view your balance.

They don’t. All this authorizes is when you choose to tip someone from within Brave, it then can pull it out of your Uphold account. Otherwise you’d be unable to tip unless everyone was sharing their wallet addresses and running just strictly P2P through Uphold. At the same time, this also would mean that everyone would also be paying gas fees and a lot of other little things. Not to mention, would also require everyone publicly share their wallet address, which would kind of take away a bit more on anonymity.

I also have to mention, the only thing Brave has access to is your BAT. While the authorization doesn’t specify, there’s nothing built into the API that allows them to access any other funds.

Brave doesn’t have access to anything that would cause any “catastrophic security implications.” Brave has no access to your personal information, they don’t have your seed phrase, password, or anything of the sort. So what are you expecting to be revealed or to happen through a data leak?

As long as the capability is there, permission has to be given. If you don’t, then it’s not usable. If nothing else, you can also consider like how direct deposits work. If there’s an issue where a duplicate payment or something is sent, they get authorization to pull it back out. So if nothing else, this permission would exist for that type of correction. Otherwise you’d authorize deposits but not withdrawals. It’s just, plain and simple, what is necessary if you want to participate. If you’re wanting to be greedy and never tip, then you really aren’t what Rewards was meant for anyway and would likely be better off just turning off Rewards and enjoying the browser for what it is otherwise.

Feature of Rewards was to put Users in the driving seat for determining which Creators to support. In the traditional scheme, you’d be shown tons of ads on every site you visit and those ads would generate revenue for the site. You, the user, would get absolutely nothing except for the bunch of trackers and all placed on your device.

This is where Brave came in and offered a secure browser that would block most ads. You then could participate in Rewards where you’d see their ad notifications that appear in a non-invasive and privacy preserving way. The BAT you’d earn would put you in the driver’s seat for supporting content creators, therefore making up for the loss in revenue they would experience based on you blocking ads.

It never was intended for everyone to “screw over” content creators and just to think of the browser as a second source of income. What you’d end up seeing if everyone went that way is either the death of a lot of content or the transition to strict subscriber base or something. I mean, people don’t create content for free and out of the goodness of their own hearts. It costs money and time to do stuff.

I’m with you anton. I just turned off auto-contribute and the tip buttons yet it has not modified the permissions Brave is asking from Uphold. I just want it to deposit to my custodian account, not withdraw. And I would rather verify each time if I decided I wanted to manually tip.

Sounds like gaslighting.

If I grant the permission to withdraw from my wallet, IT DOES have control over my wallet and it can transact at will.

I don’t care if the code in your Brave infrastructure is made so it will or will not do these transactions. But once the permission is granted, you technically can do it, and therefore it is absolutely rude to ask me to grant you any permissions like this. Asked by the browser that claims to be pro-security and anonymity.

This is absurd! I hope someone from the developers team who understands what this is doing intervenes and deploys a fix.

This is rude and insulting as well. It is none of your business what people do with their BATs. If you advertise tipping as OPTIONAL, then be 100% accepting of people who don’t want to do any tipping. Saying that this means they are greedy is a personal insult and is disrespectful.

This is absolute nonsense. When people send me bitcoins or any other coins on a blockchain, they don’t need permissions to withdraw from my wallet.

