- Repository: https://github.com/steemscript/steemconnect
- Project Name: Steemconnect
This was an important security issue in login session expiration. Even if a user changes the master password because of a compromise, the existing SC sessions remain valid. The PO acknowledged the bug, and the issue is claimed to be resolved in SC3. That appears to be the case, but SC3 is quite new (still beta), so more testing may be needed.
For security, existing Steemconnect sessions should be expired when the password has changed.
Existing Steemconnect sessions are not expired even when the password has changed. More seriously, even a stored login session can still be used after logout.
How to reproduce
- Log in to some site (e.g., busy.org) with Steemconnect.
- Change the password elsewhere, e.g., in steemitwallet.
- Check whether the existing Steemconnect session is still valid.
- Browser/App version: Any
- Operating system: Any
Simply put, that use case wasn't considered in SC2. When the master password changes, SC should expire all existing sessions, but that logic was missing.
Recording Of The Bug
Stored session was valid (successfully logged in when clicked) even after the master password change.