ledgerconnect/steemconnect

Steemconnect session is maintained even when password is changed externally

Closed this issue · 2 comments

I've changed my master password on Steemit.com, but the Steemconnect session was maintained. For instance, I can still use Busy.org (which uses Steemconnect for its login session) without logging in again. This would be vulnerable when a password is actually hacked. All sessions should be expired on a password change.

This is solved in the new version of steemconnect at https://beta.steemconnect.com/. Access tokens are now created on the front end by signing a message with the user's Steem account key; if the user changes his key, the access_token will not pass validation anymore on the SteemConnect API. Feel free to open another issue if you are still having issues.
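
The fix described in the reply above, sketched as an added example (not part of the thread and not SteemConnect's own code): the token is a signed claim, and the server validates it against the account's current public key instead of a stored session. The token layout, the function names and the in-memory `accountKeys` map standing in for the on-chain key lookup are assumptions, and Node's built-in secp256k1 ECDSA stands in for Steem's signing library.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed stand-in for the chain's record of each account's current public key.
const accountKeys = new Map();
const b64 = (buf) => buf.toString('base64url');

// Client side: the token is a signed claim, created with the account's private key.
function createToken(account, privateKey, ttlSeconds = 3600, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({ account, exp: Math.floor(now / 1000) + ttlSeconds }));
  return `${b64(payload)}.${b64(sign('sha256', payload, privateKey))}`;
}

// Server side: no session store; every request is checked against the key
// registered for the account right now, so a key change invalidates old tokens.
function validateToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');
  let claims;
  try { claims = JSON.parse(payload.toString('utf8')); } catch { claims = null; }
  if (!claims || typeof claims.account !== 'string' || typeof claims.exp !== 'number') {
    return { ok: false, reason: 'malformed' };
  }
  const currentKey = accountKeys.get(claims.account);
  if (!currentKey) return { ok: false, reason: 'unknown account' };
  let valid = false;
  try { valid = verify('sha256', payload, currentKey, signature); } catch { valid = false; }
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (claims.exp * 1000 <= now) return { ok: false, reason: 'expired' };
  return { ok: true, account: claims.account };
}

// Walk through the issue's scenario with a constructed account "alice".
function demoKeyChange() {
  const oldKeys = generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  accountKeys.set('alice', oldKeys.publicKey);
  const oldToken = createToken('alice', oldKeys.privateKey);
  const before = validateToken(oldToken);
  const newKeys = generateKeyPairSync('ec', { namedCurve: 'secp256k1' }); // password change
  accountKeys.set('alice', newKeys.publicKey);
  const after = validateToken(oldToken); // token issued before the change
  const fresh = validateToken(createToken('alice', newKeys.privateKey));
  return { before, after, fresh };
}

console.log(demoKeyChange());
```

The expiry check still matters in this design: a token signed with a key that has not been rotated stays valid until `exp`, so short lifetimes bound the exposure of a leaked token.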