Token Security Vulnerability
I think the security of microStudio could be improved a lot, because currently it's super easy to get a user token out of localStorage. Also, these user tokens last forever, so anyone who gets one could easily hack someone else's account.
Someone who's experienced in coding could make a malicious bookmarklet or browser extension that sends this token to their own server.
Ideas to fix
- Shorten the lifetime of user tokens
- Move the token out of localStorage and into the cookies, with
You are making valid suggestions to improve security (limiting token lifetime, using cookies with httpOnly) and I will look into it.
Just to clarify further: microStudio projects are run on a separate domain, thus the localStorage of the microStudio editor is not accessible from executed microStudio projects.
Yes, I agree. My best friend, who is also on microStudio, told me to send him a code (I knew what he was doing). Sure enough, he signed right in to my account (without malicious intent). So, yeah, it's a problem. I don't really care too much about it though.
lol I just realized that this is my friend's post