[resolved in SC3] Steemconnect session doesn't expire even after password change

in #utopian-io, 5 years ago (edited)

Project Information

https://github.com/steemscript/steemconnect/issues/359

This was an important security issue on login session expiration. Even if a user changes the master password due to a hack, the existing SC sessions are still valid. The PO acknowledged the bug and the issue is claimed to be resolved in SC3. It seems so, but SC3 is pretty new (still beta), so more tests may be needed.

Expected behavior

For security, existing Steemconnect sessions should be expired when the password has changed.

Actual behavior

Existing Steemconnect sessions are not expired even when the password has changed. More seriously, even a stored login session (after logout) can be used.

How to reproduce

  • Log in to some site (busy.org) with Steemconnect.
  • Change the password somewhere else, e.g., steemitwallet.
  • Check if the existing Steemconnect session is still valid.
  • Browser/App version: Any
  • Operating system: Any

Cause

Simply, that use case wasn't considered in SC2. When the master password changes, SC should expire all existing sessions, but that logic was missing.

Recording Of The Bug


Stored session was valid (successfully logged in when clicked) even after the master password change.

GitHub Account

https://github.com/economicstudio


Hi @blockchainstudio, thanks for making this contribution.

Great to see this has been fixed in SC3 by the steemconnect team. I am in shock that this was not initially implemented in SC2. Considering the bulk of apps that use SC to get authorization from the users to upvote or comment on posts with the posting key on their behalf, it is strange that this was overlooked.

Great catch. I look forward to more of your reports.

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, click here.


Need help? Chat with us on Discord.

[utopian-moderator]

Hi @fego, I was also surprised :) Thank you for your review!

Thank you for your review, @fego! Keep up the good work!

Korean: The current version of Steemconnect (SC2) has an important security problem (some of you may have seen me mention it in another comment before): even after you change your password, sessions that are already logged in, and even sessions stored in a logged-out state, remain valid.

In other words, even if you get hacked and change your password, as long as a steemconnect session is still alive it can still be used. The reason this is actually possible is that the structure has the dApp account, to which authority has been delegated, exercising that authority on your behalf. It looks as if I wrote it, but it was the delegated account using that right to write it.

Since the authority delegation itself does not change just because the password was changed (this in itself is hard to call a problem, actually; setting everything up again would be a hassle too), it is a fairly significant bug, but fortunately the only thing that can be done with a stored session is exercising posting authority, so it does not lead to a really serious incident.

It is said to be fixed in SC3, but SC3 itself is not used much yet, so more testing seems needed.

Hi @blockchainstudio!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your post is eligible for our upvote, thanks to our collaboration with @utopian-io!
Feel free to join our @steem-ua Discord server

Hey, @blockchainstudio!

Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!

Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).

Want to chat? Join us on Discord https://discord.gg/h52nFrV.

Vote for Utopian Witness!
