Hi, just getting things set up here on Linux. Very excited about the project. I downloaded the install script, and started up the browser successfully.
But, was surprised to find that the ‘blockstack core API password’ is in the browser history as a plaintext param.
There’s a prior post that says “The API password is shared with a locally-running background daemon and the browser. It never leaves your computer.” That’s not true: Chrome will share your browser history across devices.
I realize the URL with the password is immediately redirected, but…
- An image or other resource can cause the URL to be passed as a referrer header, putting it in the ISP’s logs
- If your local machine’s config is weird (for example, the hosts file doesn’t point localhost to 127.0.0.1), then the password will wind up in the ISP’s logs, since the call isn’t over HTTPS. You don’t have to look far to find broken configs: https://www.google.com/search?q=DNS+localhost+resolution+bugs
- You don’t know what random browser extensions will do with this URL. It doesn’t have to be an evil extension, just something that incidentally collects your browser history.
I realize it’s early days for blockstack, but since privacy and security are a thing here, might be a good idea to fix this, as it leaves an odd first impression? At least generate a session ID or use a POST request?
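A sketch of the "generate a session ID" alternative suggested above, added here as an example and not Blockstack's own code: the daemon keeps the real API password in memory and the launch URL carries only a single-use, short-lived bootstrap token, so a copy in browser history, a referrer header or an ISP log is dead after the first redemption. The `BootstrapTokenStore` class, the `bootstrap` parameter name, the localhost URL and the list of credential-looking parameter names are all assumptions.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Query-parameter names that should never be in a URL a browser records
# in its history (constructed list for this example).
SENSITIVE_PARAMS = {"password", "passwd", "api_password", "secret", "api_key"}


def credential_params(url: str) -> List[str]:
    """Return the credential-looking query parameters a history entry carries."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


class BootstrapTokenStore:
    """Hypothetical daemon-side store: the password never enters a URL; the
    browser gets a token that can be redeemed once, within ttl_seconds."""

    def __init__(self, api_password: str, ttl_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._api_password = api_password
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._tokens: Dict[str, float] = {}  # token -> expiry time

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[token] = self._clock() + self._ttl
        return token

    def redeem(self, presented: str) -> Optional[str]:
        """Exchange a token for the password exactly once; None on any failure."""
        for token, expires_at in list(self._tokens.items()):
            if hmac.compare_digest(token, presented):
                del self._tokens[token]  # burn it whether or not it is still valid
                return self._api_password if self._clock() <= expires_at else None
        return None


def launch_url(store: BootstrapTokenStore,
               base: str = "http://localhost/auth") -> str:  # assumed endpoint
    """Build the URL the installer would open; only the token is exposed."""
    return base + "?" + urlencode({"bootstrap": store.issue()})


def token_from_url(url: str) -> str:
    """What the daemon's /auth handler would read back out of the request."""
    return parse_qs(urlsplit(url).query)["bootstrap"][0]
```

A replayed token from history returns None, and so does one presented after the TTL has passed.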