IMPORTANT !!! Vulnerability in password protection for accounts

in #vulnerability · 4 years ago (edited)

It is necessary that a 30-day notice be shown on the steemit.com website when the recovery account is changed, for example, red text in the profile: "Your recovery account has been changed. If it was not you, then your password was compromised; change the password and change the recovery account."

I think it's not difficult to do; you do not even need to edit the blockchain.

Because if an attacker steals your password, he will change your recovery account. You will not know about it. After 30 days, the attacker will steal the account, and you can never restore it. It's worse than on Facebook.

I have already told golos.io about this vulnerability and it will be fixed.
I apologize for my bad English; my Telegram is @dikanevn.

@abit @furion I do not know who else to note
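As an added illustration (not code from this post or from Steemit), here is the kind of check the profile page could run to produce the warning proposed above. It assumes the field names of the Steem API's get_accounts and list_change_recovery_account_requests output (`recovery_account`, `account_to_recover`, `effective_on`) and uses constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Steem applies a change_recovery_account operation only after a 30-day delay;
# that window is the owner's only chance to notice the change and react.
RECOVERY_CHANGE_DELAY = timedelta(days=30)

@dataclass
class AccountState:
    name: str
    recovery_account: str                     # recovery account currently in effect
    pending_recovery_account: Optional[str]   # target of a pending change, if any
    effective_on: Optional[datetime]          # when the pending change takes effect

def parse_steem_time(value: str) -> datetime:
    """Steem API timestamps look like '2018-02-15T10:00:00' (no timezone suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")

def state_from_api(account: dict, requests: list) -> AccountState:
    """Combine a get_accounts record with that account's pending
    change_recovery_account requests (field names are an assumption)."""
    mine = [r for r in requests if r["account_to_recover"] == account["name"]]
    if not mine:
        return AccountState(account["name"], account["recovery_account"], None, None)
    req = mine[0]
    return AccountState(account["name"], account["recovery_account"],
                        req["recovery_account"], parse_steem_time(req["effective_on"]))

def recovery_warning(state: AccountState, trusted_recovery: str, now: datetime) -> Optional[str]:
    """Return the red-text warning the profile page should show, or None if all is well.
    trusted_recovery is the recovery account the user knows they configured."""
    if state.pending_recovery_account is not None and state.effective_on is not None:
        remaining = state.effective_on - now
        if remaining > timedelta(0):
            return (f"Your recovery account changes from '{state.recovery_account}' to "
                    f"'{state.pending_recovery_account}' in {remaining.days} of the "
                    f"{RECOVERY_CHANGE_DELAY.days} notice days. If it was not you, your "
                    "password was compromised: change your password and cancel this change.")
    if state.recovery_account != trusted_recovery:
        return (f"Your recovery account has been changed to '{state.recovery_account}'. "
                "If it was not you, your password was compromised: change your password "
                "and set the recovery account back.")
    return None

# Constructed sample data shaped like the API output; not taken from the chain.
SAMPLE_ACCOUNT = {"name": "alice", "recovery_account": "steem"}
SAMPLE_REQUESTS = [{"account_to_recover": "alice", "recovery_account": "someone-else",
                    "effective_on": "2018-02-15T10:00:00"}]
```

The first branch covers the 30-day window the post describes, the second the case where the change has already taken effect and the owner only notices afterwards.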


Good point.

What do you know. There is an active user behind the flags.

Would you be willing to un-flag my posts please?

afaik, there is an email notification service in development that will address this and other cases.

Thank you for bringing it up.

Hi. I am not sure how to tell if there is a problem. I went to "stolen account recovery". If all is well, what message will I see there?

Thank you

Your recovery account is steem. All is well. https://steemd.com/@hanshotfirst

A message/alert on Steemit itself, in addition to an email, would be a good measure. I think a lot of people use application-specific email addresses to register on Steemit and probably don't check them often or at all.

Good point.

E-mail is already an archaic technology. What about people who used disposable e-mails? (It turns out that crypto enthusiasts are also fanatics of never disclosing personal data to anyone.)

Perhaps a signed message from another key could be used (a configurable bitcoin wallet, perhaps?)

To change (whatever), please sign this message with (BTC address; that should also require a signed message to be changed):
"Change the data of my account: TIMESTAMP"