This repository has been archived by the owner on Aug 15, 2023. It is now read-only.

Seed stored in local storage when I check Remember me #36

Open
ilkamo opened this issue Nov 26, 2020 · 2 comments

Comments

@ilkamo

ilkamo commented Nov 26, 2020

[Screenshot attached: 2020-11-26 at 12:34:15]

I noticed that when I use the Remember me checkbox, my seed is stored in local storage. Please consider changing it, because it is like saving the password in a way that I can clearly see it. Or maybe display a tip/alert when I select Remember me that informs the user that the seed is stored in clear text in local storage.

@ilkamo ilkamo changed the title Seed stored in local host when I check Remember me Seed stored in local storage when I check Remember me Nov 26, 2020
@DaWe35
Owner

DaWe35 commented Nov 26, 2020

Hi @kamy22, thank you for your time and feedback!

SkyID needs to run in your browser, so we need to store your seed somehow. First, we stored it in a cookie, but the problem with cookies is that they are sent to the portal (for example siasky.net), and the owner of the portal can steal your seed. That's why I decided to use Local Storage and Session Storage.
Every website stores tokens in cookies, and if I can steal your Gmail token, I can steal your account as well, so I think it is nothing different (okay, the token can be revoked).

Why do you think it is a problem? Do you have any ideas? It would be great to have a discussion about it :)

@ilkamo
Author

ilkamo commented Nov 26, 2020

Hi @DaWe35,
it is a really interesting problem.

Why do you think it is a problem?

We had a similar discussion in Skybrain; that is why we still have no session system. I decided to report it as an issue because a token in a cookie or in local storage, in an authorisation system with a server-side backend, is not a password. It expires, it changes, it can be revoked, and it gives you access to a specific resource, not to all the data. In modern authorisation systems, tokens are also secured: you can't simply copy a token and make it work in a different browser, because the fingerprint is different.

A password or seed is something that should never be stored in local storage or in cookies. Having access to a password/seed, you can access all the resources the service is based on. In this case, I can access an account, and even if the access is revoked I can do it again. What is even more serious, users often use the same password/seed in different services, which is why it should be kept in a safe place.

Do you have any ideas? It would be great to have a discussion about it :)

It would be great to have a discussion/brainstorming with more people in order to find a secure way to create sessions for portals based on a passphrase. Actually, I have no good solutions. 😔
