Possible security issue: user is never logged out


#1

There’s no option to log out from browser.blockstack.org.
There also doesn’t seem to be any timeout after which the user is logged out.
A potential risk is if someone untrusted gains access to my computer, or if I logged in on another untrusted computer.


#2

Users should use the SETTINGS > RESET BROWSER to end their session with a browser. Once a user resets, they will be required to reauthenticate.


#3

Yeah, well that really doesn’t cut it for the average Joe.
If we want it to be secure for most people, and if we want DAPPS built on Blockstack to be more secure by default, considering many DAPPS are about crypto, where potential financial losses are involved.

Why isn’t local data at least encrypted with a password? Erasing doesn’t make sense.
It should be like my password extension: log out after X hours and require the password to re-enable.


#5

Just wanted to chime in here :slight_smile:

Why isn’t local data at least encrypted with a password? Erasing doesn’t make sense.
It should be like my password extension: log out after X hours and require the password to re-enable.

Local data is encrypted. The seed phrase that is the root of your account is always stored encrypted. Other data, e.g. username etc., is not stored encrypted.

I appreciate your feedback. We’ve had many talks internally about the work we want to do on the browser to improve the overall UX. This is one of the things we’d like to fix :slight_smile:


#6

Still, the infinite logged-in state is dangerous. It allows easy login for an attacker to all other DAPPS.