This repository has been archived by the owner on Jul 16, 2020. It is now read-only.
Replay attack in account recovery #85
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
For 2.5 minutes a man-in-the-middle could overtake a users account with the same signed message they used to recover it. We should either blacklist timestamps that have been used already, or block account recoveries for more than 2.5 minutes.
The text was updated successfully, but these errors were encountered: