IMPORTANT !!! Vulnerability in password protection for accounts
A 30-day notice is required on the steemit.com website when the recovery account is changed; for example, red text in the profile: "Your recovery account has been changed. If it was not you, then your password was compromised; change the password and change the recovery account."
I think it's not difficult to do; you don't even need to edit the blockchain.
Because if an attacker steals your password, he will change your recovery account. You will not know about it. After 30 days, the attacker will steal the account, and you can never restore it. It's worse than on Facebook.
I have already told golos.io about this vulnerability and it will be fixed.
I apologize for my bad English; my Telegram is @dikanevn.
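The warning the post asks for, written as an added example that is not part of the original post or of Steemit's code: a small Python monitor that compares each account's current recovery account, and any pending change request with its effective date, against the recovery account the owner intentionally set. A pending request is reported with the days left in the 30-day window (the window length is the figure the post gives); an already-applied change is reported as a compromise. The record shape (`recovery_account`, `pending_request`, `effective_on`) and all sample accounts are constructed for this example and are only modelled loosely on what a Steem node returns; they are not captured node output.

```python
from datetime import datetime, timedelta, timezone

# The post states that a recovery-account change takes effect after 30 days.
RECOVERY_PERIOD = timedelta(days=30)

# Constructed sample records (hypothetical shape, not real node output).
# "bob" has a pending change request filed by someone holding his password,
# "carol" has already had her recovery account changed, "alice" is untouched.
SAMPLE_ACCOUNTS = {
    "alice": {"recovery_account": "steem", "pending_request": None},
    "bob": {
        "recovery_account": "steem",
        "pending_request": {
            "recovery_account": "unknown-account",
            "effective_on": "2017-09-30T12:00:00",
        },
    },
    "carol": {"recovery_account": "unknown-account", "pending_request": None},
}

# What each owner believes their recovery account is (constructed).
EXPECTED_RECOVERY = {"alice": "steem", "bob": "steem", "carol": "steem"}


def parse_time(text):
    """Parse a node-style UTC timestamp such as 2017-09-30T12:00:00."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def days_remaining(pending_request, now):
    """Whole days until a pending recovery-account change becomes effective
    (0 if the effective date has already passed)."""
    effective = parse_time(pending_request["effective_on"])
    return max(0, (effective - now).days)


def check_account(name, record, expected, now):
    """Return the alert strings a profile page should show for one account.

    Two conditions are checked:
      PENDING - a change request exists whose target differs from the
                owner's intended recovery account (still inside the window,
                the owner can act: change password and cancel the change).
      CHANGED - the current recovery account already differs from what the
                owner set (the window has elapsed; the account is at risk).
    """
    alerts = []
    pending = record.get("pending_request")
    if pending and pending["recovery_account"] != expected:
        days = days_remaining(pending, now)
        alerts.append(
            f"PENDING: recovery account of @{name} will change to "
            f"@{pending['recovery_account']} in {days} day(s). If you did not "
            f"request this, your password is compromised: change it and cancel "
            f"the recovery-account change now."
        )
    if record["recovery_account"] != expected:
        alerts.append(
            f"CHANGED: recovery account of @{name} is now "
            f"@{record['recovery_account']}, not @{expected}. If you did not "
            f"do this, your password was compromised: change it and set the "
            f"recovery account back."
        )
    return alerts


def check_all(accounts, expected_map, now):
    """Run check_account over every account; only accounts with alerts appear."""
    result = {}
    for name, record in accounts.items():
        alerts = check_account(name, record, expected_map[name], now)
        if alerts:
            result[name] = alerts
    return result


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible (constructed).
    now = parse_time("2017-09-05T12:00:00")
    for account, alerts in check_all(SAMPLE_ACCOUNTS, EXPECTED_RECOVERY, now).items():
        for line in alerts:
            print(line)
```

In a real deployment `now` would be the current time and the records would come from the node (Steem's database API exposes the account's `recovery_account` and a separate recovery-request object; the exact call names are not shown here and the field layout above is an assumption), and the returned strings are what the site would render as the red profile text the post proposes.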
Good point.
What do you know, there is an active user behind the flags.
Would you be willing to un-flag my posts please?
AFAIK, there is an email notification service in development that will address this and other cases.
Thank you for bringing it up.
Hi. I am not sure how to tell if there is a problem. I went to "stolen account recovery". If all is well, what message will I see there?
Thank you
Your recovery account is steem. All is well. https://steemd.com/@hanshotfirst
A message/alert on Steemit itself, in addition to an email, would be a good measure. I think a lot of people use application-specific email addresses to register on Steemit and probably don't check them often or at all.
Good point.
E-mail is already an archaic technology. What about people who used disposable e-mails? (It turns out that crypto enthusiasts are also fanatics about never disclosing personal data to anyone.)
Perhaps a signed message from another key could be used (a configurable Bitcoin wallet, perhaps?).