I think this is a very bad idea. Can we at the very least just change it to a normal link? Why embed a third party application? I can't even tell which version of rocket chat is running, so I can't even tell which exploits have been fixed.
Edit: The link has been changed to a normal link. Well done, Golos!
It's also a problem for novice users who don't realize that their password for rocket chat is different from golos.io. Password managers will automatically fill in their golos.io password because it's on the same domain. This is all very bad.
Thanks for pointing out the potential problem. We will be changing the icon to a link, given the fact that some users may actually use built-in browser password managers.
We strongly advise against using a password manager for your Golos password.
BR
https://golos.id/ru--golos/@golos/applikaciya-roket-chat-i-potencialnyi-risk-vzloma
Fixed just like that. I am proud to be on Golos!
I appreciate your efforts in addressing this issue.
I'm a little puzzled by your advice to not use a password manager. What alternatives are you suggesting?
Should I store it in a cleartext file on my desktop for all to see?
It is not a password that you can just memorize. It needs to be stored. It needs to be encrypted. It needs to be wiped from the clipboard after use. Ideally it can be all those things and easy to retrieve. Hence a password manager.
I'm curious what your own choice of password security is.
Good to hear that you handled it.
Loose translation:
@inertia is saying that the chat application (rocket chat) is placed in the client as a third-party embed (an embedded script). In theory, if rocket chat is hacked, they could obtain Golos account passwords, since the rocket chat login form is automatically filled with your data from the browser storage associated with the golos.io domain.
And an inexperienced user would simply enter their Golos account details into rocket chat, since they assume it is the same service.
GOLOS and Steemit both use a powerful Content Security Policy
https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy
This solves many problems with potential injections, but there is no limit to perfection :)
Our most active developer is @serejandmyself
We also have GIP repo https://github.com/GolosChain/gip
You can create an issue with a description of the problem or with any suggestions for developing the platform
PS
How about collaboration with our @rusteemitblog for translating your content. This can make your posts heard by users in the correct way.
I will look into @rusteemitblog. Thanks for the information.
Yes. I had to look twice. My password manager automatically prompted me to fill in the fields with my Golos username and Golos key.
This is a security risk.
Also notice that, when I first went into the chat.
If users at large ask to take it down, we happily will.
At launch time, we had a big number of users ask us to have a link on the main page to the rocket chat page.
EDIT if there are security issues that may arise, we will check it ASAP and take actions
EDIT 2 It looks like we will change this to a link rather than an embed, a post will follow shortly. Thanks for the "bell"
I understand you might want to seek consensus. Should the security of a user's Golos keys be a consensus decision though?
This is a decision about providing a safe environment to invest money.
Off topic, and regardless of the issue - I really doubt that those who invest money use built-in password managers. If you do that, you should really think about stopping using your PM for websites / applications etc. that "store" (show / represent) money / tokens of any kind.
So true! Who are these amateurs in charge of this website??
RocketChat Embed on a web-wallet like this is beyond crazy, it is irresponsible to say the least. Unacceptable!