Hacker News
by argd678 2503 days ago
The attack here is simply that another login on the same machine can get the token. I think that's how I discovered it: I logged into another account on my machine and Steam logged in using my other account on startup without asking me to log in again.

I should also mention the trend towards these Vault services to store secrets is even worse, in that they effectively make all secrets on a machine world readable, since an off-box service can't determine what user is making the request. And the trust-on-first-use idea is lacking in most implementations, and vendors like HashiCorp in fact don't want to add it anymore since apparently their users had problems using it and would lock their apps out by accident. So... yeah.
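The failure the comment describes, for both the client's login token and a vault agent's on-box token, is usually a credential file whose permissions let another local account read it. The script below is an added example, not code from the commenter or from any of the products mentioned: it audits a credential file for the POSIX conditions that expose it to other logins (owner mismatch, group/other read bits, a world-writable parent directory without the sticky bit) and shows the minimal fix. The token path and its contents are constructed for the demo; it assumes a POSIX host.

```python
"""Audit whether a locally stored credential file is readable by other
accounts on the same machine, and tighten it. Added example; the token
file and its contents below are constructed, not real."""
import os
import stat
import tempfile
from pathlib import Path


def exposure_problems(path, expected_uid=None):
    """Return a list of problems that let another local account read the
    credential at `path`. An empty list means the DAC bits look sane.
    This checks discretionary permissions only; it says nothing about
    root, debuggers attached to the client process, or backups."""
    p = Path(path)
    st = p.stat()
    if expected_uid is None:
        expected_uid = os.getuid()
    problems = []

    # Owned by someone else: that user (or their group) controls the mode.
    if st.st_uid != expected_uid:
        problems.append(f"{p}: owned by uid {st.st_uid}, expected {expected_uid}")

    # Any group/other read bit is enough for "another login can get the token".
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{p}: readable by group/other (mode {mode:04o})")

    # A 0600 file in a world-writable directory without the sticky bit can be
    # renamed away and replaced by another user, so the next read is theirs.
    parent_mode = stat.S_IMODE(p.parent.stat().st_mode)
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        problems.append(f"{p.parent}: world-writable without sticky bit")

    return problems


def harden(path):
    """Restrict the file to its owner and return any remaining problems."""
    os.chmod(path, 0o600)
    return exposure_problems(path)


def demo():
    """Create a constructed token file with a typical bad mode, audit it,
    fix it, and return (problems_before, problems_after)."""
    d = Path(tempfile.mkdtemp())
    os.chmod(d, 0o700)                      # private directory for the demo
    token = d / "token"                     # hypothetical client login token
    token.write_text("constructed-example-token\n")
    os.chmod(token, 0o644)                  # the mode that lets other logins read it
    before = exposure_problems(token)
    after = harden(token)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "no problems")
    print("after: ", after or "no problems")
```

Tightening the mode is the immediate fix, but it does not address the comment's larger point: if the client stores the token in a location shared between accounts, each account needs its own copy under its own home directory (or an OS keychain), and a remote secrets service that authenticates only the machine cannot tell those accounts apart, so a per-machine token gives every local login every secret.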