
Potential Security Risk

Godfather



Hello all,

I think there is a slight security risk when it comes to accounts on mobile. I have authentication activated on my account, and when I log in on xat's mobile app it doesn't ask me for a code. This is a problem because anyone can just log in to someone's account on mobile if they have acquired a victim's password somehow.

When logging in on mobile, xat should ask for your authentication code at least once every time you log in. Why does this need to be added? Well, because if your account gets compromised somehow, anyone can just log in to that account and steal xats or days and transfer them to themselves.

I really hope that this is fixed because accounts with authentication activated are vulnerable on mobile.

Edited by Fury

13 minutes ago, Fury said:

And what if someone gets access to someone else's email?

Account Locking - xat.wiki/Account_protection

When you have this option enabled, xat will block any login attempts that are not coming from your home location. You can only log in from your home location, no matter what. To enable this setting, you must be at your home location. If you have moved locations or changed your internet service provider (ISP) since you registered, you will need to request a location update via ticket.


2 months later...
On 10/21/2018 at 11:20 PM, Leandro said:

Account Locking - xat.wiki/Account_protection

When you have this option enabled, xat will block any login attempts that are not coming from your home location. You can only log in from your home location, no matter what. To enable this setting, you must be at your home location. If you have moved locations or changed your internet service provider (ISP) since you registered, you will need to request a location update via ticket.

What if you wish to log in at a different location because of whatever circumstance? The 2FA is there for a reason. In addition, I think the email to confirm your device should be removed from the sign-in system and maybe replaced with a "a new device has logged on to your account, see if this is you" type of email, because no other site has the need to do this as far as I'm aware. It's one's responsibility to secure their own account with measures they see fit, and it's not in the hands of the website to baby you about your security.

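The three posts above describe one flaw and two mitigations: a mobile client that never prompts for the second factor, "account locking" that rejects logins away from the home location, and a "new device signed in" notification instead of a confirmation e-mail. The model below is an added example written for this page; it is not xat's code, and nothing is known here about how xat's login actually works. It assumes a TOTP authenticator (RFC 6238 over RFC 4226 HOTP) as the second factor, and every account, password, device id and location string is constructed for the illustration. It shows the vulnerable shape (policy keyed on the client type) beside the hardened one (policy taken only from the account's own settings), with the home-location lock and the new-device notification folded in.

```python
"""Server-side login policy: the client type must never decide whether the
second factor applies. Added illustration; all names and values are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import hashlib
import hmac
import secrets


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    totp_enabled: bool
    totp_secret: bytes
    home_location: Optional[str] = None            # None: "account locking" is off
    known_devices: Set[str] = field(default_factory=set)


@dataclass
class LoginResult:
    ok: bool
    reason: str
    events: List[str] = field(default_factory=list)  # notifications the server should send


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str, totp_enabled: bool = True,
                 home_location: Optional[str] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt),
                   totp_enabled, secrets.token_bytes(20), home_location)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1 + dynamic truncation) over the time step."""
    counter = (now // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)


def _otp_ok(acct: Account, otp: Optional[str], now: int) -> bool:
    return otp is not None and hmac.compare_digest(otp, totp(acct.totp_secret, now))


def _record_device(acct: Account, device_id: str, location: str, client: str) -> List[str]:
    """First sign-in from a device produces the "is this you?" notification the last reply asks for."""
    if device_id in acct.known_devices:
        return []
    acct.known_devices.add(device_id)
    return [f"mail {acct.username}: new {client} device {device_id} signed in from {location}"]


def login_insecure(acct: Account, password: str, client: str, location: str,
                   device_id: str, otp: Optional[str] = None, now: int = 0) -> LoginResult:
    """The flaw the first post describes: the second factor is skipped for the mobile client."""
    if not _password_ok(acct, password):
        return LoginResult(False, "bad credentials")
    if client != "mobile" and acct.totp_enabled:        # policy keyed on a client-supplied value
        if not _otp_ok(acct, otp, now):
            return LoginResult(False, "second factor required")
    return LoginResult(True, "ok", _record_device(acct, device_id, location, client))


def login(acct: Account, password: str, client: str, location: str,
          device_id: str, otp: Optional[str] = None, now: int = 0) -> LoginResult:
    """Hardened: every check comes from the account's settings; `client` is only recorded."""
    if not _password_ok(acct, password):
        return LoginResult(False, "bad credentials")
    if acct.home_location is not None and location != acct.home_location:
        return LoginResult(False, "blocked: not from home location")   # "account locking"
    if acct.totp_enabled and not _otp_ok(acct, otp, now):
        return LoginResult(False, "second factor required")            # no client exemption
    return LoginResult(True, "ok", _record_device(acct, device_id, location, client))


if __name__ == "__main__":
    alice = make_account("alice", "correct horse battery")
    print(login_insecure(alice, "correct horse battery", "mobile", "Lisbon", "phone-1"))
    print(login(alice, "correct horse battery", "mobile", "Lisbon", "phone-1"))
    now = 1_700_000_000
    print(login(alice, "correct horse battery", "mobile", "Lisbon", "phone-1",
                otp=totp(alice.totp_secret, now), now=now))
```

The point of the comparison is where the decision lives: in `login_insecure` a value the client chooses (`client == "mobile"`) removes a control the account owner turned on, so a stolen password alone is enough from that client; in `login` the only inputs to the policy are the account's own flags, so the mobile app and the web client get the same prompt.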
