Site security


skleven

Featured Comment

Posted

I have been thinking about the security of players at Stake lately. Main reason is that you are NEVER automatically logged out of your account.

This is an indication of a session token that never expires. If this is the case, such a token in the wrong hands will give access to your account without the need for any password or 2FA. Or even your username. This is how Linus Tech Tips got hacked on YouTube a few weeks back.

On most other sites you are logged out if you leave the site even for a short period of time. But on Stake, you are always logged in.

 

Posted

This is mostly done by using vulnerabilities in browsers or browser add-ons.

 

Best practice: you get a notification as soon as a new device/new IP tries to log in to your account, which should therefore trigger 2FA. I don't know how Stake has implemented the token, but if it follows best practice, then we should be safe :)

 

General tips:

- keep browser and OS up to date

- enable 2FA (withdrawal/tip not possible without 2FA)

- never use public Wi-Fi to log in or access accounts

- do not use a free VPN -> go with a trustworthy service if needed

- use a password manager

- change password every 1-3 months

- enable 2FA on your mail account

 

Posted
22 minutes ago, skleven said:

I have been thinking about the security of players at Stake lately. Main reason is that you are NEVER automatically logged out of your account.

This is an indication of a session token that never expires. If this is the case, such a token in the wrong hands will give access to your account without the need for any password or 2FA. Or even your username. This is how Linus Tech Tips got hacked on YouTube a few weeks back.

On most other sites you are logged out if you leave the site even for a short period of time. But on Stake, you are always logged in.

 

Yes that's true

Posted
25 minutes ago, Subzero said:

This is mostly done by using vulnerabilities in browsers or browser add-ons.

 

Best practice: you get a notification as soon as a new device/new IP tries to log in to your account, which should therefore trigger 2FA. I don't know how Stake has implemented the token, but if it follows best practice, then we should be safe :)

 

General tips:

- keep browser and OS up to date

- enable 2FA (withdrawal/tip not possible without 2FA)

- never use public Wi-Fi to log in or access accounts

- do not use a free VPN -> go with a trustworthy service if needed

- use a password manager

- change password every 1-3 months

- enable 2FA on your mail account

 

None of the above will prevent such an attack. You basically just continue the same session on another device.

But ofc some of this prevents sending out funds, but none of them prevents sending the whole balance on a 1% bet.

Nothing is 100% secure. But just logging out after a visit is most likely the safe way to go.
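
The server-side counterpart to the points raised so far in this thread (a token that never expires, one session continued on another device, logging out after a visit), as an added example that is not part of the original posts and not Stake's code. The class name, the `device_id` fingerprint and both timeout values are assumptions chosen for illustration.

```python
import secrets
import time

# Assumed policy values for illustration, not taken from any real site.
IDLE_TIMEOUT = 15 * 60           # seconds without activity
ABSOLUTE_TIMEOUT = 12 * 60 * 60  # maximum lifetime of one login

class SessionStore:
    """Server-side session table: the token is only a random lookup key."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def login(self, user, device_id):
        # Called only after password + 2FA have succeeded.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "device": device_id,
                                 "created": now, "last_seen": now}
        return token

    def validate(self, token, device_id):
        """Return (status, user); status is ok, step_up, expired or invalid."""
        s = self._sessions.get(token)
        if s is None:
            return "invalid", None
        now = self._clock()
        if (now - s["last_seen"] > IDLE_TIMEOUT
                or now - s["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[token]      # a stale token is useless to anyone
            return "expired", None
        if device_id != s["device"]:
            # Same token, different device: demand 2FA instead of honouring it.
            # device_id is a hypothetical fingerprint and can be imitated,
            # so this check complements expiry rather than replacing it.
            return "step_up", s["user"]
        s["last_seen"] = now
        return "ok", s["user"]

    def logout(self, token):
        # Explicit logout deletes the server-side record immediately.
        self._sessions.pop(token, None)
```

Because the record lives on the server, logging out or timing out invalidates every copy of the token at once, including one that was copied to another machine.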

Posted
20 hours ago, skleven said:

I have been thinking about the security of players at Stake lately. Main reason is that you are NEVER automatically logged out of your account.

This is an indication of a session token that never expires. If this is the case, such a token in the wrong hands will give access to your account without the need for any password or 2FA. Or even your username. This is how Linus Tech Tips got hacked on YouTube a few weeks back.

On most other sites you are logged out if you leave the site even for a short period of time. But on Stake, you are always logged in.

 

Even if they don't expire there is no need to sweat over it. It works in the form of a triangle in which information is exchanged from each of the three angles (3 people, illustrated as P), but information can't flow from P1 to P3 (or P3->P1) without passing through P2, which funnels data. In the backend these tokens are encrypted when they are generated. So all in all, just with the tokens, nothing happens.

Archived

This topic is now archived and is closed to further replies.
