@pharesim: Do you know how the steemit.com website stores our private keys in memory? Are they using any form of local storage, or is it just held in a global variable that survives across all the events?
I'm a backend developer, but AFAIK we use local storage to serve the posting key. When active/owner keys are needed (e.g. for transfers or markets), the user is asked for their password, which is used to re-derive the key. The active/owner keys themselves are never stored. (This was a recent change implemented as part of the response to the attack ~3 weeks ago.)
Thanks for the response. I'm just concerned about moving forward with this strategy (holding the key in local storage) because I have read a good deal that this approach is vulnerable to XSS attacks.
Is there a way to sign a transaction without the user's password, using only the private key of posting/active/owner, etc.? Thanks!
No, didn't check that yet. Only the conversion parts.
What I found with a quick search was https://github.com/steemit/steemit.com/blob/master/app/components/modules/LoginForm.jsx#L64 - there's the "stay logged in" in local storage as far as I understand. Didn't find the credentials though...