Create account

2004d · memo
Security risk: my Memo pass is stored in plain text in the browser. Please ENCRYPT local storage and hold the plain text only in SESSION storage (and provide public mode where there's no plaintext).
2 / 15 8
12,657
replied 2003d
As blake said this has been brought up and is fairly standard practice. We are changing our stance on this though and will be removing plaintext passwords from local storage soon. Ty.
5
replied 2002d
Please give me a heads-up when you do so I can make the relevant changes! ✌️
1
Metalbrushes_Tattoo
replied 2002d
This is a good plan
1
replied 2003d
I expressed my concerns with this months ago to @jason when I first started on the app but was told it's standard practice. I'm with you. Session tokens, no plaintext.
4
1,000
replied 2003d
Well, at least we know what is going on. So, your memo $BCH is as secure as your browser. Lose the browser, lose the funds. The more browsers, the bigger the security risk. Right?
2
15,000
replied 2003d
For now yes. We plan to use multiple keys that can recover ID from compromise. The funds would still be lost though.

https://github.com/memocash/mips/blob/master/mip-0003/mip-0003.md
6
1,092
replied 2002d
Generate BIP39 mnemonic, use that as seed to derive m/44'/145'/x' where x' is the service. Forget the root master and use the Memo pass to encrypt the XPRV of this account.
2
6,000
replied 2002d
Love MIP 4 and 5. Keep up the good work!
1
1,000
replied 2002d
If the parent key was never used for memo, and the memo.cash website itself generated child keys, then at configurable threshold sent to parent keys, you could minimize risk.
replied 2003d
Malware can search for it because the data has the same rights as you. Instead of stealing, it'll just post spam from your account. At least that's how I'd exploit it.
2
777
anarchovegan
replied 2003d
Shared to memo topic:
https://memo.cash/post/af8ebc0ff4a9929805855f966796f23934c7366f386ffd0916caa0522df0ae0f
2
Simon Van Gelder
replied 2003d
AFAIK only the PW is local, and signing is done via conjunction of the server key and PW. I think changing your PW would shut-off compromised browsers.
1
Simon Van Gelder
replied 2002d
But if the attacker has the wherewithal to export the private key from within the account, you're out-of-luck for that address.
1
replied 2003d
BIP39 mnemonic should be provided to the user and forgotten. The Memo password should encrypt the XPRV for this specific account and should be unlocked on each session.
1
Simon Van Gelder
replied 2003d
Agreed, but I think Momo made that choice for UX, not so much for security.
1


About Privacy Terms Stats