Possible security issue user is never logged out

#1

There’s no option to logout from browser.blockstack.org.
There also doesnt seem to be any timeout after which user is logged out.
A potential risk is someone untrusted gains access to my computer or if I logged in on another untrusted computer.

1 Like
#2

Users should use the SETTINGS > RESET BROWSER to end their session with a browser. Once a user resets, they will be required to reauthenticate.

1 Like
#3

Yeah, well that really doesn’t cut it for the average joe.
If we want it to be secure for most people, and if we want DAPPS built on blockstack to be more secure by default. Considering many DAPPS are about crypto where potential financial loses are involved.

Why isn’t local data at least encrypted with a password? erasing doesn’t make sense.
It should be like my password extension, logout after X hours and require password to reenable.

1 Like
#5

Just wanted to chime in here :slight_smile:

Why isn’t local data at least encrypted with a password? erasing doesn’t make sense.
It should be like my password extension, logout after X hours and require password to reenable.

Local data is encrypted. The seed phrase that is the root of your account is always stored encrypted. Other data, eg username etc is stored not encrypted.

I appreciate your feedback. We’ve had many talks internally about the work we want to do on the browser to improve the overall ux. This is one of the things we’d like to fix :slight_smile:

1 Like
#6

Still the infinite logged in is dangerous. It allows easy login for an attacker to all other DAPPS

1 Like
#7

It is actually scary to think that the develpment team would design the web application (and cookies I guess) this way. I’m logged into EVERYTHING all the time. This very poor design makes me wonder about the rest of the security for the entire system.

#8

Then I have to recover my account to log back in. Makes people not want to log out. Maybe a pin would help to go from a suspended/timed-out state to a fully valid state.

Now I have to create another password? Why? It never seems to logout anyway?
Then an email address? Why? Send me what I already have? Does it have to be the same email address as the one I used when I first created the ID or key or whatever it is?

#9

One the things the proposal here would address is exactly that problem. Simple ID: Easier Blockstack Feature Survey 📊

Probably not mentioned clear enough in the poll request, but simplified auth, as we plan it, inherently resolves the issue of always being logged in.