IMPORTANT !!! Vulnerability in password protection for accounts

in #vulnerability, 5 years ago (edited)

A 30-day notice is required on the steemit.com website when the recovery account is changed; for example, red text in the profile: "Your recovery account has been changed. If it was not you, then your password was compromised; change the password and change the recovery account."

I think it's not difficult to do; you do not even need to edit the blockchain.

Because if an attacker steals your password, he will change your recovery account. You will not know about it. After 30 days, the attacker will steal the account, and you can never restore it. It's worse than on Facebook.

I have already told golos.io about this vulnerability and it will be fixed.
I apologize for my bad English; my Telegram is @dikanevn.

@abit @furion I do not know who else to note
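The check the post asks for can be run by the account owner (or a notification service) without touching the chain: scan the account's operation history for recovery-account changes and warn while the 30-day window is still open. The script below is an added example, not code from the original post and not Steemit's or the Steem project's own software. It assumes (unverified here) that history entries look like Steem account-history records, with an `op` pair of `[name, payload]` and a UTC `timestamp`, that the operation is named `change_recovery_account` with `account_to_recover` and `new_recovery_account` fields, and that the delay is 30 days; the sample history for the hypothetical account "alice" is constructed.

```python
from datetime import datetime, timedelta, timezone

# Delay before a recovery-account change takes effect (30 days, per the post).
RECOVERY_CHANGE_DELAY = timedelta(days=30)

# Constructed sample account history for a hypothetical account "alice":
# one ordinary vote, then a recovery-account change to an unfamiliar account.
SAMPLE_HISTORY = [
    {"timestamp": "2023-01-01T10:00:00",
     "op": ["vote", {"voter": "alice", "author": "bob",
                     "permlink": "hello", "weight": 10000}]},
    {"timestamp": "2023-01-05T12:30:00",
     "op": ["change_recovery_account",
            {"account_to_recover": "alice",
             "new_recovery_account": "unknown-acct", "extensions": []}]},
]


def _parse_ts(ts: str) -> datetime:
    """Parse a node-style timestamp (no zone suffix) as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def pending_recovery_changes(history, trusted_recovery, now_iso):
    """Return one alert per change_recovery_account op whose target is not
    the recovery account the owner expects.  PENDING means the 30-day window
    is still open, so the owner can still change the password and revert."""
    now = _parse_ts(now_iso)
    alerts = []
    for entry in history:
        name, payload = entry["op"]
        if name != "change_recovery_account":
            continue
        new_acct = payload["new_recovery_account"]
        if new_acct == trusted_recovery:
            continue  # the owner's own intended recovery account; nothing to flag
        requested = _parse_ts(entry["timestamp"])
        effective = requested + RECOVERY_CHANGE_DELAY
        remaining = effective - now
        alerts.append({
            "account": payload["account_to_recover"],
            "new_recovery_account": new_acct,
            "requested_at": requested.isoformat(),
            "effective_at": effective.isoformat(),
            "status": "PENDING" if remaining > timedelta(0) else "EFFECTIVE",
            "days_left": max(remaining.days, 0),
        })
    return alerts


def warning_text(alert):
    """The kind of profile notice the post asks for, built from one alert."""
    if alert["status"] == "PENDING":
        return (f"Your recovery account is being changed to "
                f"'{alert['new_recovery_account']}' and takes effect in "
                f"{alert['days_left']} day(s). If this was not you, your "
                f"password is compromised: change the password and reset "
                f"the recovery account now.")
    return (f"Your recovery account was changed to "
            f"'{alert['new_recovery_account']}' on {alert['effective_at']}. "
            f"If this was not you, your password was compromised.")


if __name__ == "__main__":
    # Owner expects "steem" as the recovery account; "now" is inside the window.
    for alert in pending_recovery_changes(SAMPLE_HISTORY, "steem",
                                          "2023-01-20T00:00:00"):
        print(warning_text(alert))
```

Run periodically against the real history of the account, the script reports the change while there are still days left, which is exactly the window in which a password change and a revert of the recovery account stop the takeover; once the status flips to EFFECTIVE, only the new recovery account can help.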


Good point.

What do you know. There is an active user behind the flags.

Would you be willing to un-flag my posts please?

afaik, there is an email notification service in development that will address this and other cases.

Thank you for bringing it up.

Hi. I am not sure how to tell if there is a problem. I went to "stolen account recovery". If all is well, what message will I see there?

Thank you

Your Recovery account - steem. All is well. https://steemd.com/@hanshotfirst
