Token Security Vulnerability

I think the security of microStudio could be improved a lot, because currently it's super easy to get a user token out of localStorage. Also, these user tokens last forever, so anyone who gets one could easily hack someone else's account.

Someone who's experienced in coding could make a malicious bookmarklet or browser extension that sends this token to their own server.

Ideas to fix

  • Shorten the lifetime of user tokens
  • Move the token out of localStorage and into the cookies, with httpOnly set.

You are making valid suggestions to improve security (limiting tokens lifetime, using cookies with httpOnly) and I will look into it.

I want to clarify things though, as you make it sound like there is a huge vulnerability here, but there is not. Stealing someone's token would require that you can inject your own JavaScript in their browser view of the microStudio editor. If you can do that, you can also read the user's emails, bank account or anything the user is browsing. Thus a key takeaway is this: don't install malicious bookmarklets or malicious browser extensions.

Just to clarify further: microStudio projects are run on a separate domain, thus the localStorage of the microStudio editor is not accessible from executed microStudio projects.

Yes, I agree. My best friend, who is also on microStudio, told me to send him a code (I knew what he was doing). Sure enough, he signed right in to my account (without malicious intent). So, yeah, it's a problem. I don't really care too much about it though.

lol I just realized that this is my friend's post

Post a reply



Validate your e-mail address to participate in the community