Then guess it good she reset her keys, I will have a look at the link myself seems interesting but off the top my head I think at some point you still doing the approval and in that signature and URL should always be the actual transaction info? if putting keys into that site direct though definitely can see them storing it, why not, and since ecency does not give new users their keys and just lets them use their master that is also pretty scary since mainly I think they will get hit with odd "login" "approval" behaviour and just submit without thinking. I will give it a look to understand the flow better myself. As was initially explained to me it seemed a simple oh look there is a popup thingy from an unknown domain.