Bitcoin Forum

Other => Meta => Topic started by: LoyceV on September 19, 2019, 07:24:25 PM



Title: Session key: can it be abused?
Post by: LoyceV on September 19, 2019, 07:24:25 PM
If someone gets access to someone else's session key (on Bitcointalk SMF), can that be abused? I've tried to do something with it in a private window, but get this:
Quote
Session verification failed. Please try logging out and back in again, and then try again.
Is this enough to assume there's no risk in leaking a session key, or did I overlook something?


Title: Re: Session key: can it be abused?
Post by: theymos on September 19, 2019, 07:29:45 PM
If someone has your session key, they can try CSRF attacks against you until the key expires. You should keep it secret.


Title: Re: Session key: can it be abused?
Post by: morvillz7z on September 19, 2019, 07:40:23 PM
Hmm, I also got that same exact error at least half a dozen times today trying to edit some of my messages or to quote someone. I recall this being the first time I encountered "Session verification failed". I can also see it being reported multiple times over the years.

Should I be concerned about it, and is there anything I can do?


Title: Re: Session key: can it be abused?
Post by: TECSHARE on September 19, 2019, 07:48:45 PM
Quote
Hmm, I also got that same exact error at least half a dozen times today trying to edit some of my messages or to quote someone. I recall this being the first time I encountered "Session verification failed". I can also see it being reported multiple times over the years.

Should I be concerned about it, and is there anything I can do?

This is a normal event if you leave a tab open for a long time. No action is needed, just reload the page (from a direct link, not a refresh).


Title: Re: Session key: can it be abused?
Post by: LoyceV on September 19, 2019, 08:01:16 PM
Quote
You should keep it secret.
Thanks, that's what I thought. I just found out I've been sharing LoyceBot (https://bitcointalk.org/index.php?action=profile;u=949024)'s session keys since April.

I disabled this scraper, then logged out and logged in again. I think I'm good now.



I'll lock this thread soon.
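The thread makes three observations that fit together: a leaked session key pasted into a private window fails verification, theymos's point that it still enables CSRF until it expires, and LoyceV's fix of logging out and back in. The following is an added example written for this page, not SMF's or Bitcointalk's code: a simplified model of SMF-style session verification, where the anti-CSRF value is stored server-side in the login session and must be echoed back in a request parameter. The class and function names, the `sc` parameter name and the in-memory session store are all assumptions chosen for the illustration.

```python
import secrets


class Server:
    """Minimal model of a forum with cookie login plus a per-session anti-CSRF key.

    This is an illustration, not SMF's implementation. The session key
    (SMF calls the concept 'sesc') is a random value stored in the server-side
    session and copied into every state-changing form or link as the 'sc'
    parameter. Verification = cookie identifies a session AND 'sc' matches
    the value stored in that session.
    """

    def __init__(self):
        # cookie value -> session record (stand-in for a PHP session store)
        self.sessions = {}

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {
            "user": user,
            "session_var": secrets.token_hex(16),  # the 'session key' the thread talks about
        }
        return cookie

    def session_key(self, cookie):
        # What a scraper that logs in and saves the page source would see and leak.
        return self.sessions[cookie]["session_var"]

    def logout(self, cookie):
        # Destroys the session; the old session key becomes meaningless.
        self.sessions.pop(cookie, None)

    def post_action(self, cookie, params):
        """A state-changing request: returns (status, message)."""
        sess = self.sessions.get(cookie)
        if sess is None:
            # No valid login cookie: the leaked key alone is useless here.
            return 403, "Not logged in"
        if not secrets.compare_digest(params.get("sc", ""), sess["session_var"]):
            return 403, ("Session verification failed. Please try logging out "
                         "and back in again, and then try again.")
        return 200, f"{sess['user']} performed {params['action']}"


def run_demo():
    """Replays the thread's scenarios; returns the server's verdict for each."""
    server = Server()
    victim_cookie = server.login("LoyceBot")
    leaked_sc = server.session_key(victim_cookie)  # assume a scraper published this

    forged = {"action": "delete_post", "sc": leaked_sc}
    results = {}

    # 1. Attacker alone in a private window: has the key but not the cookie.
    results["private_window"] = server.post_action(None, forged)

    # 2. CSRF: attacker's page makes the VICTIM's browser send the forged
    #    request; the browser attaches the victim's cookie, the leaked key
    #    satisfies the check, and the action goes through.
    results["csrf_with_leaked_key"] = server.post_action(victim_cookie, forged)

    # 3. Same CSRF without the key: this is what the check is meant to stop.
    results["csrf_without_key"] = server.post_action(
        victim_cookie, {"action": "delete_post", "sc": "0" * 32})

    # 4. Victim logs out and back in: a new session key is minted, so the
    #    leaked one no longer verifies even with a valid cookie.
    server.logout(victim_cookie)
    new_cookie = server.login("LoyceBot")
    results["csrf_after_relogin"] = server.post_action(new_cookie, forged)
    return results


if __name__ == "__main__":
    for name, (status, msg) in run_demo().items():
        print(f"{name:22} -> {status} {msg}")
```

Run it and the four verdicts line up with the thread: the private-window attempt and the token-less CSRF both fail, the CSRF carrying the leaked key succeeds, and after a logout/login cycle the leaked key fails again. The key is only as secret as every page source that embeds it, which is why a scraper that saves logged-in HTML can leak it; rotating it by re-authenticating is the right response once that has happened.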