![](https://steemitimages.com/DQmfPrk8nWEvSZHBUJGpqzAbQGprTzkJ1smGzzoQNP2RC3C/image.png)
[(image source modified)](https://media.coindesk.com/uploads/2014/12/shutterstock_164975852.jpg)

Hi all,
recently on twitter, [Vitalik](https://twitter.com/VitalikButerin) and others dumped the big news about a website called: http://directory.io

![](https://steemitimages.com/DQmZdk66jQXcAGQhQKfseXQoFZesX4gudkSgm48wMn8zqFv/image.png)

This is a website that generates on __FLY__ and via a single page, 128 private keys and their corresponding public address. You can then select ANY private key by selecting one of the __904625697166532776746648320380374280100293470930272690489102837043110636675__ pages (each with 128 private keys). 

__DON'T FREAK OUT!!!__ It's statistically impossible for you to write down all these keys (or try to search for a whale address) and create some sort of AI that will tell you which ones have above 0 amount of Bitcoin.

But I must confess the guy/lady is a genius mind! You can even click on the public key, and it reverts you to the explorer! Check the page FAQ [here](http://directory.io/faq).

## Why is it so fun and dangerous?
This is an hilarious prank/joke/fun (whatever you want to call it), but is also a very dangerous "phishing" tool for newbies... WHY?
Well, the website developer allows you to call something that is explained on the FAQ page above, that can generate the page where your private key is via a web link, hence telling you the respective public key too!

The author, is even more sarcastic by naming that function/page/link a special name: __"/warning:understand-how-this-works!/:private_key"__

At first sight it does not look that there is a problem here, but think TWICE! - or you can get hacked!

---
## We are talking about a PRIVATE KEY!!!
It's the key that can access you wallet and this one is not encrypted.

## You should NEVER allow people to SEE your private key!
But the link requires it, if you want to search for your private key. Then a thought motivated by the false idea that __"you want to be certain, your private key is not listed on that website",__ which it is (because they are generated on fly, but only 128 at once, therefore is quick), leads you to the temptation of using the webpage link with it!

__Example__ (I used the first key on the website, from someone that is already burned for sure):
http://directory.io/warning:understand-how-this-works!/5HpHagT65TZzG1PH3CSu63k8DbpvD8s5ip4nEB3kEsreAnchuDf

Once you use the above link, which is __HTTP__, you will send an __HTTP GET__ to [__directory.io__](https://www.whois.com/whois/directory.io) server (which in this case is a cloudflare protected host). This goes un-encrypted over the network, plus potentially gets logged into the server itself!

---
*__So, basically anyone spoofing the network or the server owner itself, can just pick up requests to private keys and make a script to check if the total balance of the respective public key is greater than 0. If so, then execute a rescan of a blockchain including the target private key, and then execute a transaction to clean the balance. Done! You get hacked and it's your OWN fault!__*

---

So, please, be extreme CAUTIOUS when using a private key, and read or ask several people the same question until your level of understanding plays a good average on the responses you get. Asking never hurts right?