Jan 20, 17 / Aqu 20, 01 10:15 UTC

[Security] Please stop allowing automated login to your website. This is a security problem.  

When you've received email from Asgardia, you may notice that when you open the URL you will be automatically logged in to your account.

This is VERY BAD and must be stopped. This is a huge security problem. Don't allow users to be automatically logged in.

Instead, navigate them to https://asgardia.space/en/login , and let them input THEIR ID AND PASSWORD THEMSELVES. Additionally, why not support 2FA (HOTP/TOTP/email one-time password)?

Jan 20, 17 / Aqu 20, 01 12:06 UTC

Set your cookies to clear after each session/browser-close.

Jan 21, 17 / Aqu 21, 01 01:34 UTC

You didn't test it, did you? I work in the IT industry and I know what I'm saying.

You are automatically logged in if you click the URL in the email. Try it yourself.

Jan 21, 17 / Aqu 21, 01 04:48 UTC

Mr. Jason, actually I ALREADY reported this issue several weeks ago but I got ZERO reply about this issue.

Do you really think this is a low-priority bug? Evil viruses & computer software which collect users' URLs can get the profile with zero knowledge.

Jan 23, 17 / Aqu 23, 01 22:38 UTC

@idontknowanything, I just tested it and it doesn't behave as you reported. I'm also an IT specialist, for the record.

Authentication is made through cookies of name "id" and "sec", both those cookies are used for authentication.

If you remove them both, go to your email and click on any link, it redirects to the login page; you are not logged in.

At first, I thought you were right, until I removed my LastPass auto-login feature for asgardia.space website, maybe you use something similar. That could be a plausible explanation for what you've been experiencing.

Feb 18, 17 / Pis 21, 01 22:25 UTC

You must be joking. Show me your email body, with a full link.

"go to you email and click on any link"

I think you're misunderstanding. I'm talking about a link with args. "Click here to check your profile" or something.

Since you're a TRANSLATOR, not an ADMIN, they MIGHT have fixed this issue. Or you're just misunderstanding. I don't know.
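The two designs argued about above, written out as an added example. This is not code from asgardia.space and not something any poster in the thread supplied; the token format, the HMAC key, the 15-minute lifetime, the "email-link" purpose label and the function names are all assumptions made for illustration. It shows a "check your profile" link whose query argument carries a signed token, a handler that turns the bare URL into a session (the behaviour the thread objects to), and a handler that accepts the same link but only ever redirects to the login page:

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for this illustration: a server-side HMAC key, a 15-minute token
# lifetime and an "email-link" purpose label. None of this is Asgardia's design.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60
LOGIN_URL = "https://asgardia.space/en/login"   # the login page named in the thread

_consumed_nonces = set()   # nonces already redeemed: tokens are single-use
SESSIONS = {}              # session id -> user id (stand-in for a session store)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, purpose: str, now: Optional[float] = None) -> str:
    """Mint an HMAC-signed token bound to one user, one purpose, an expiry and a
    fresh nonce. user_id and purpose must not contain '|' (illustrative format)."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{user_id}|{purpose}|{expires}|{secrets.token_urlsafe(12)}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str, purpose: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic, unexpired, issued for this
    purpose and not yet redeemed; otherwise None. Redeems the token on success."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                      # forged or tampered
    user_id, tok_purpose, expires, nonce = payload.decode().split("|")
    current = now if now is not None else time.time()
    if tok_purpose != purpose or current > int(expires) or nonce in _consumed_nonces:
        return None                      # wrong purpose, expired, or replayed
    _consumed_nonces.add(nonce)
    return user_id


def email_link(user_id: str, now: Optional[float] = None) -> str:
    """Build the kind of link ("check your profile") that the emails carry."""
    query = urlencode({"next": "/profile", "token": issue_token(user_id, "email-link", now)})
    return f"{LOGIN_URL}?{query}"


def token_from_url(url: str) -> str:
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def handle_link_unsafe(url: str, now: Optional[float] = None) -> Optional[str]:
    """The behaviour the thread objects to: presenting the URL is enough to get a
    session. Whoever holds the URL first (mail forwarding, browser history, a
    Referer header, URL-harvesting malware) becomes the user, no password asked."""
    user_id = verify_token(token_from_url(url), "email-link", now)
    if user_id is None:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def handle_link_safe(url: str, now: Optional[float] = None) -> dict:
    """Safer handling: the token may still prove that the mailbox received the
    message, but it never creates a session. The visitor is sent to the login
    page and must authenticate with their own credentials (plus 2FA if enabled)."""
    user_id = verify_token(token_from_url(url), "email-link", now)
    return {
        "redirect": LOGIN_URL,
        "next": parse_qs(urlparse(url).query).get("next", ["/"])[0],
        "prefill_user": user_id,   # at most a hint for the login form, never an identity
        "session": None,
    }


if __name__ == "__main__":
    link = email_link("asgardian-1", now=1000)
    print("harvested link grants a session:", handle_link_unsafe(link, now=1100) is not None)
    print("replay of the same link:", handle_link_unsafe(link, now=1200))
    print("safe handler:", handle_link_safe(email_link("asgardian-1", now=1000), now=1100))
```

Note that the signature, expiry and single-use check make the token harder to forge or replay, but they do not change what the unsafe handler hands out: the first party to present the URL gets a full session, and the URL is the only secret involved. That is why the safe handler never converts the token into a session at all; the login page, with the user's own password and any second factor, is the only path to one.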

Feb 19, 17 / Pis 22, 01 04:58 UTC

Arguments shouldn't matter at all; logged in is logged in - as previously mentioned, by cookies.

As for reporting this and other issues, they take your security seriously. Honestly.

Feb 21, 17 / Pis 24, 01 12:10 UTC

In some environments - say a school/college LAN, any sane workplace, internet cafe if they still exist - the user is likely to have restrictive local and group software policies that prevent adjustment of browser behaviours/settings in order to preserve system integrity and network security.

As convenient as it is for you, Ann, to be spared the inhumane and unreasonable procedure of confirming you are indeed the expected individual, from a security standpoint it's an incredibly poor practice. Most browsers are capable of storing authentication details in the user's personal space on the applicable system, which can autonomously input such on visiting a site, but it's not common for these to actually be stored in any significantly secure way, and neither is most users' space, so it is not something I would personally advocate. Software like KeePass http://keepass.info/ can securely store multiple passwords for multiple things (and other data) and can even input data for you directly into websites, sanitising the clipboard space when it's done. Use of such software should allow for much more complex passwords with sensible rotation policies whilst decreasing chances of failing login. Once locked to a secure keyphrase (say, your favorite bible verse, Shakespearean monologue etc.) you can even store copies of it on the interwebs for long term backup and redundancy and it will be of little use to anyone.

Feb 26, 17 / Ari 01, 01 20:21 UTC

@eyeR KeePass is not so safe (as are all password managers)

Feb 27, 17 / Ari 02, 01 05:38 UTC

It's not safe?

Specifically, how? What lines of code do you cite?

Feb 27, 17 / Ari 02, 01 12:34 UTC

EyeR, don't look at the program itself only; look at the entire system that the program runs on (+ human factor)

Feb 27, 17 / Ari 02, 01 13:29 UTC

Used sensibly, it's safe. The user being unsafe isn't a fault of the software. Also running on a compromised system isn't safe, but the system being unsafe doesn't make the software unsafe, it just makes the system unsafe - and by extension any software on there. Such systems should be sensibly isolated from networks and sanitised.

Autonomous login via never expiring cookies does little to address such issues, and when considering the human factor makes it even more unsafe as people generally fail to secure their systems in any significant fashion, resulting in ease of access to things outside that computer.
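The cookie point raised in the posts above ("set your cookies to clear after browser-close" versus "never expiring cookies"), as an added example that is not code from asgardia.space or from any participant. The attribute names are the standard Set-Cookie attributes; the timeouts, the cookie name and the session-store class are assumptions for illustration. The point it makes is that the browser-side advice is not enforceable (see the locked-down-LAN case above), whereas the server chooses both the cookie's lifetime and how long the session behind it stays valid:

```python
import secrets
from http.cookies import SimpleCookie

# Assumed policy values, not Asgardia's: end a session after 30 minutes idle and
# force re-authentication after 12 hours no matter how active the user was.
IDLE_TIMEOUT = 30 * 60
ABSOLUTE_TIMEOUT = 12 * 3600


def set_cookie_header(name: str, value: str, persistent_days=None) -> str:
    """Render a Set-Cookie header value for an authentication cookie.

    With persistent_days=None the cookie has no Max-Age/Expires, so a standards
    following browser discards it when the browser closes (a "session cookie");
    the user does not have to configure anything. Secure keeps it off plain
    HTTP, HttpOnly keeps it away from page scripts, SameSite=Lax stops most
    cross-site requests from carrying it.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    if persistent_days is not None:          # the "never expiring" variant
        cookie[name]["max-age"] = persistent_days * 86400
    return cookie.output(header="").strip()


class SessionStore:
    """Server-side session table. Whatever the browser keeps, the server refuses
    a session id once either timeout has passed, so a cookie copied off a shared
    or compromised machine stops working on its own."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid: str, now: float):
        """Return the user id for a live session, or None (and drop it) if it
        has idled or aged out."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if (now - session["created"] > ABSOLUTE_TIMEOUT
                or now - session["last_seen"] > IDLE_TIMEOUT):
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    print("session cookie:   ", set_cookie_header("sec", "opaque-session-id"))
    print("persistent cookie:", set_cookie_header("sec", "opaque-session-id", persistent_days=3650))
    store = SessionStore()
    sid = store.create("asgardian-1", now=0)
    print("after 10 min:", store.user_for(sid, now=600))
    print("after 60 min idle:", store.user_for(sid, now=600 + 3600))
```

The cookie value is an opaque session id looked up in the store; the server never has to trust anything the cookie itself says about who the user is, which is also why expiring the server-side entry is enough to invalidate a stolen cookie.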