Security Risks to Brokerage Accounts When Sending Signals
While webhook URLs act like passwords, the risk to brokerage accounts is minimal as TradersPost encrypts API keys and limits permissions to trading only.
A common concern for traders using automated platforms like TradersPost is whether sending signals from services like TradingView poses any security risks to their brokerage accounts. This issue was discussed during a recent office hours session, highlighting the safeguards and potential vulnerabilities.
Security Concerns with Webhook URLs
When using TradingView to send signals to TradersPost, a unique webhook URL is generated. This URL functions similarly to a password, and if someone gains access to it, they could potentially send orders through your TradersPost account. However, they would only be able to place orders tied to a strategy that allows those tickers, meaning there’s no financial gain other than causing disruption .
The primary risk comes from accidentally exposing the webhook URL. If it’s shared publicly or in unsecured channels (e.g., Discord), someone could exploit it to send signals on your behalf. TradersPost mitigates this by allowing you to easily regenerate a new URL, which invalidates the previous one .
API Key Security and Broker Integration
TradersPost integrates with your brokerage using API keys. These keys are encrypted and stored securely, with encryption at rest, minimizing the risk of a breach. Even in the unlikely event of a security failure, attackers wouldn’t be able to withdraw funds or add bank accounts, as TradersPost only has permission to execute trades, cancel orders, and fetch account balances .
Moreover, brokers like TD Ameritrade and Schwab automatically revoke API access if you change your password, adding an extra layer of protection. This feature helps safeguard your account, though it may cause occasional disruptions when users forget their passwords .
Conclusion
While there is a minimal risk associated with exposing webhook URLs, TradersPost has implemented several security features to protect your brokerage account. The system is designed to prevent unauthorized withdrawals or fund transfers, focusing on trading permissions only. Users should treat webhook URLs like passwords and avoid sharing them in unsecured environments.
