wakest ⁂

I haven't ever tried to look through a mastodon database dump before, how easy is it to work with? Let's say I was an FBI agent looking at the #Kolektiva dump, what sort of things could I do that I couldn't do by just signing up for an account? Looking at any DMs is an obvious one but what are some less obvious things?

9 comments
Alexander Bochmann

@liaizon For something like the FBI, cross-checking accounts / email addresses with the data they already have is probably valuable? Then you can go from there and explore the network of accounts those are communicating with. Also identifies possible aliases of kolektiva.social users they already know by their email address.
Also makes it theoretically possible to take over live accounts on kolektiva.social when the password is crackable and 2FA is off (which I would hope isn't the case for one of their admins / mods)?

In general the DB is pretty easy to work with given basic SQL knowledge - there's no overly convoluted interdependencies in there.

wakest ⁂

@galaxis oh fuck I didn't think about the taking over of accounts vector, shit that one is extremely bad... I wonder if there is any history of the FBI doing that on other forums they have gotten dumps from.

Hypolite Petovan

@galaxis @liaizon With a copy of the database, 2FA is a formality since the server needs to know the 2FA seed to match the provided codes. The seed could be encrypted using the account password but it's unlikely.

In this specific case, strongly salted and hashed passwords is the actual line of defense. 2FA helps the other way around, when the cleartext password has been compromised any other way (phishing, social engineering, brute force) but the 2FA seed is unknown to the attacker.

Alexander Bochmann

@hypolite Right, I didn't think about the server having to know the 2FA seeds! I have no idea how those are stored in the DB, but I'll have a look later tonight.
@liaizon

Alexander Bochmann

@hypolite It seems like 2FA seeds (and backup codes) are encrypted in the user database.

Another possible vector are oauth access tokens? I don't know much about oauth, but I see the API access token stored by one of the apps I use verbatim in the Mastodon DB, so I assume knowledge of a token from the oauth_access_tokens table enables direct access to an account (all the other details of which are also in the DB).

So that means an operator who loses control over their Mastodon database should really revoke all API tokens right away... Except if there is some additional safeguard I don't know about?

@liaizon
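The revocation step the post above asks about, written out as an added example (not from the thread and not Mastodon's own tooling). It assumes Mastodon's PostgreSQL schema: Doorkeeper's oauth_access_tokens table with token, revoked_at, resource_owner_id, application_id and created_at columns, and Mastodon's session_activations table with an access_token_id column. The dump_taken_at value is a psql variable the operator sets to the time the database copy left their control; every other name should be checked against the live instance before running anything.

```sql
-- Incident-response script for an operator whose database copy is known to be exposed.
-- Added example, not from the thread or the Mastodon project. Assumed schema:
--   oauth_access_tokens(id, token, revoked_at, resource_owner_id, application_id, created_at)
--   session_activations(id, user_id, access_token_id)
-- Verify with \d oauth_access_tokens and \d session_activations on the real instance.
-- Run as: psql -v dump_taken_at='2000-01-01 00:00:00+00' -f revoke_tokens.sql  (placeholder time)

BEGIN;

-- 1. Scope the exposure: tokens that were unrevoked at dump time are live in the copy
--    the attacker holds, whatever happens to them later.
SELECT count(*)                        AS live_tokens_in_dump,
       count(DISTINCT resource_owner_id) AS affected_accounts,
       count(DISTINCT application_id)    AS client_apps
FROM   oauth_access_tokens
WHERE  revoked_at IS NULL
  AND  created_at <= :'dump_taken_at';

-- 2. Revoke every token that existed at dump time. Doorkeeper treats a non-null
--    revoked_at as dead, so each client gets a 401 on its next call and must re-authorise.
UPDATE oauth_access_tokens
SET    revoked_at = now()
WHERE  revoked_at IS NULL
  AND  created_at <= :'dump_taken_at';

-- 3. Browser sessions are tied to an access token through session_activations; remove
--    those rows so a web session cannot keep riding a token that is now revoked.
DELETE FROM session_activations
WHERE  access_token_id IN (
         SELECT id FROM oauth_access_tokens WHERE revoked_at IS NOT NULL
       );

COMMIT;
```

Expect every user and every client app to be logged out at once, so announce it first. The tokens are the only credential in the dump that works verbatim; the password hashes remain exposed to offline guessing, so a forced password reset is the companion step, and whatever server-side key encrypts the stored 2FA seeds (assumed here to live in the instance's environment configuration, not in the database) should be rotated if there is any doubt about whether it leaked with the dump.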

Accept purpose.

@liaizon network analysis. Who follows who, who boosts, and faves. It would be hard to scrape all of that without being noticed.
And if anyone was using dms to organize, those are not private to the database.

It doesn't sound like this was a target of the raid. But it will give them a clearer view of the movement than the movement has of itself.

It's great intelligence for finding emergent leadership and good targets for turning into informants.

wakest ⁂

@laprice following/followers on kolektiva is public by default and available not logged in so that is trivial to scrape without notice. You can view that all from Tor easily. I guess it's not already in a nice database format but that vector doesn't seem much different.

Accept purpose.

@liaizon having it all in one place enriched with the network of dm contacts would be slightly better than public information. But they probably have all of that through packet tracing anyway.

The longer term threat is that those connections are now recorded in their profiling graph and are available to machine learning efforts and usable by agents with bad agendas. (I.e. Arab teens that they groom into activists for counterterrorism clout)

shadow_absorber

@liaizon would be interesting to get to know this too.... just in case things ever get bad