daed / laverna

Attention: Development on Laverna has been moved to a new repository at https://github.com/encryptic-team/encryptic. This repository (as well as the master at laverna/Laverna) should be considered deprecated.
https://encryptic.org
Mozilla Public License 2.0

Console exposes private keys (!) on failed login. #9

Closed daed closed 6 years ago

daed commented 6 years ago

Start laverna (master or beta release). Open the browser and point it to localhost:9000. Make a couple of logins. Open the console and type in the username and a wrong password.

Console outputs user profiles, including private key. You still need the passphrase to use them, but that's not good.

daed commented 6 years ago

I'm still familiarizing myself with the codebase. We store user profiles in browser LocalStorage. They're only visible to people on your local computer using your browser (and your browser's profile). Not so bad, though from a security point of view, they should probably be stored in an encrypted format.

daed commented 6 years ago

I removed the console log message that was causing the output. The private keys are passphrase protected, so this is probably "good enough" at least for now.