When the LBRYNET is running it's running ( usually ) on the same IP/PORT configurations. Which are default for most users. You can change these by going to the config files of the SDK, but the issue stays.
With a simple JavaScript, any webpage could access a running SDK and therefor access your entire wallet with all the publications. And do something nasty with them. Like, let's say, send all of your LBC to some malicious address.
On the other hand, if there is a wallet on the computer to begin with. Malware that knows about LBRY could copy it over to some malicious people.
Solution?
In the SDK there is a feature of encrypting / decrypting a wallet. I think we have to expose some convenient way of interacting with this feature. And I'm talking here both for Terminal and GTK version. And perhaps other clients as well.
If it is possible to keep the wallet encrypted, this is best to be kept encrypted. If not, at least a switch to encrypt / decrypt should be present with user-set-able password.
# Problem
When the LBRYNET is running it's running ( usually ) on the same IP/PORT configurations. Which are default for most users. You can change these by going to the config files of the SDK, but the issue stays.
With a simple JavaScript, any webpage could access a running SDK and therefor access your entire wallet with all the publications. And do something nasty with them. Like, let's say, send all of your LBC to some malicious address.
On the other hand, if there is a wallet on the computer to begin with. Malware that knows about LBRY could copy it over to some malicious people.
# Solution?
In the SDK there is a feature of encrypting / decrypting a wallet. I think we have to expose some convenient way of interacting with this feature. And I'm talking here both for Terminal and GTK version. And perhaps other clients as well.
If it is possible to keep the wallet encrypted, this is best to be kept encrypted. If not, at least a switch to encrypt / decrypt should be present with user-set-able password.
Problem
When the LBRYNET is running it's running ( usually ) on the same IP/PORT configurations. Which are default for most users. You can change these by going to the config files of the SDK, but the issue stays.
With a simple JavaScript, any webpage could access a running SDK and therefor access your entire wallet with all the publications. And do something nasty with them. Like, let's say, send all of your LBC to some malicious address.
On the other hand, if there is a wallet on the computer to begin with. Malware that knows about LBRY could copy it over to some malicious people.
Solution?
In the SDK there is a feature of encrypting / decrypting a wallet. I think we have to expose some convenient way of interacting with this feature. And I'm talking here both for Terminal and GTK version. And perhaps other clients as well.
If it is possible to keep the wallet encrypted, this is best to be kept encrypted. If not, at least a switch to encrypt / decrypt should be present with user-set-able password.
2d52badc18This fixed the issue in GTK version