Right guys?
I think they’re stealing auth tokens, not sure if 2fa would help. It looks like there may be a vulnerability in the markdown editor and being able to insert JavaScript. The JS being able to access your cookies to share them is the second issue.
Yup. Changing your password or 2FA wouldn’t help here, because they’re not actually logging into your account. Rather, they’re simply telling the server that they’re already logged in, using your auth token as proof. You know that little “Keep me logged in” checkbox that everyone clicks when they log in? That stores an auth token on your browser, which is tied to your account.
The next time the browser starts a session on the site, it sends that auth token instead of going through the regular login process. And since the site knows that auth token belongs to your account, it logs you in automatically without needing to go through the regular login process.
So basically, they’re stealing a cookie from your browser, with your name on it. Then they’re able to tell the server that they’re you, by presenting that cookie as proof.
Proper procedure should be to deauthorize any auth tokens when you change your password. But even big sites get lazy about this sometimes, so it may not be the default. If this is the case for Lemmy, even changing your password won’t help because it doesn’t automatically deauth that token.
Really curious to see how they kill the existing tokens, and whether admins have tools to easily clear all sessions. On one of the Matrix chats someone suggested that the tokens have a one year expiry date!
The servers should theoretically have a way to murder the tokens, but I’m not sure how Lemmy has implemented authentication so I don’t know for sure.
Looks like you’re right, admins will just need to update the JWT secret.
Thank you both for explaining that so clearly :)
Also yikes.
Once a token is issued it is valid until it experies. There is no way to disable a token short of changing the secret used to sign them which would invalidate all existing tokens for all users.
That’s bad design because you can bind a user token to a per-account value which can be rotated to deprecate tokens
please say yes 😭
Weak mindset. I prefer setting my password to ‘password’ and leaving the rest up to god
1234‽ That’s the combo on my luggage!
Yeap, that is the first thing you do for any privileged account.
It doesn’t matter if they are directly stealing cookies though.
Hmm, that is the reason you should have addons in your browser to prevent XSS, like uBlock.
uBlock prevents XSS? I didn’t know that.
It blocks bunch of JS from being executed, and if it detects XSS, it gives you a popup to inform you.
Are you thinking of NoScript? That’s what gives me the XSS popups.
Ah, you are correct, My coffee hasn’t kicked in yet.
Custom emojis in passwords are now mandatory
🤞