Igbot: `secret.txt` remains in the same directory after any script is performed

Created on 20 Jan 2017  路  7Comments  路  Source: ohld/igbot

Frankly speaking, it's too insecure not to delete file with login/password after finishing a session.

bug

All 7 comments

I'll delete secret.txt file after logout.

If the secret.txt is necessary, can we hash it so it's more harmless?

we need a raw username and password to login the app. But i think there is a way to save the session and use it instead of relogin every time we restart the script.

by the way, for multiple account, secret.txt like now more convenience.
so, if we want to use multiple account, just make another folder with remaining script.
but yes, it feel insecure.

Saving session is not safer because it can be stolen. In the end we need either to ask user for password (instagram password, or the one to decrypt encrypted session in some way) or just save it in secret.txt.

I suppose that we need to add some kind of key argument, for example

python instabot script.py

will ask for credentials and won't store them, and

python instabot -s script.py

will save session in some way.

That makes the module safer by default.

Another thought is to use some unique static identifier (CPU model, MAC address or stuff like that) of a machine that runs the module as a encryption/decryption key. It's not the best but clearly better than plaintext.

already fixed

Was this page helpful?
0 / 5 - 0 ratings

Related issues

kantona80 picture kantona80  路  8Comments

santiagobassani96 picture santiagobassani96  路  5Comments

balochlens picture balochlens  路  5Comments

youngkm3 picture youngkm3  路  3Comments

yaniferhaoui picture yaniferhaoui  路  6Comments