56
I'm going to assume the admins here all have 2FA on their accounts, right? (lemmy.ml)
submitted 1 year ago by tryagain@lemmy.ml to c/meta@lemmy.ml
26 comments fedilink hide all child comments

Right guys?

you are viewing a single comment's thread
view the rest of the comments
[-] Mic_Check_One_Two@reddthat.com 24 points 1 year ago

Yup. Changing your password or 2FA wouldn’t help here, because they’re not actually logging into your account. Rather, they’re simply telling the server that they’re already logged in, using your auth token as proof. You know that little “Keep me logged in” checkbox that everyone clicks when they log in? That stores an auth token on your browser, which is tied to your account.

The next time the browser starts a session on the site, it sends that auth token instead of going through the regular login process. And since the site knows that auth token belongs to your account, it logs you in automatically without needing to go through the regular login process.

So basically, they’re stealing a cookie from your browser, with your name on it. Then they’re able to tell the server that they’re you, by presenting that cookie as proof.

Proper procedure should be to deauthorize any auth tokens when you change your password. But even big sites get lazy about this sometimes, so it may not be the default. If this is the case for Lemmy, even changing your password won’t help because it doesn’t automatically deauth that token.

[-] spiderplant@infosec.pub 3 points 1 year ago

Really curious to see how they kill the existing tokens, and whether admins have tools to easily clear all sessions. On one of the Matrix chats someone suggested that the tokens have a one year expiry date!

[-] TheSaneWriter@lemm.ee 3 points 1 year ago

The servers should theoretically have a way to murder the tokens, but I'm not sure how Lemmy has implemented authentication so I don't know for sure.

[-] spiderplant@infosec.pub 3 points 1 year ago

Looks like you're right, admins will just need to update the JWT secret.

[-] TheSaneWriter@lemm.ee 1 points 1 year ago

That makes sense. Of course, updating the secret will log everyone out, but that's a small price to pay to fix an admin breach.

load more comments (1 replies)
load more comments (6 replies)
this post was submitted on 10 Jul 2023
56 points (96.7% liked)

lemmy.ml meta

1406 readers
1 users here now

Anything about the lemmy.ml instance and its moderation.

For discussion about the Lemmy software project, go to !lemmy@lemmy.ml.

founded 3 years ago
MODERATORS
nutomic@lemmy.ml