Alexander Bochmann

@liaizon For something like the FBI, cross-checking accounts / email addresses with the data they already have is probably valuable? Then you can go from there and explore the network of accounts those are communicating with. Also identifies possible aliases of kolektiva.social users they already know by their email address.
Also makes it theoretically possible to take over live accounts on kolektiva.social when the password is crackable and 2FA is off (which I would hope isn't the case for one of their admins / mods)?

In general the DB is pretty easy to work with given basic SQL knowledge - there are no overly convoluted interdependencies in there.

4 comments
wakest ⁂

@galaxis oh fuck I didn't think about the taking over of accounts vector, shit that one is extremely bad... I wonder if there is any history of the fbi doing that on other forums they have gotten dumps from.

Hypolite Petovan

@galaxis @liaizon With a copy of the database, 2FA is a formality since the server needs to know the 2FA seed to match the provided codes. The seed could be encrypted using the account password but it's unlikely.

In this specific case, strongly salted and hashed passwords are the actual line of defense. 2FA helps the other way around, when the cleartext password has been compromised any other way (phishing, social engineering, brute force) but the 2FA seed is unknown to the attacker.

Alexander Bochmann

@hypolite Right, I didn't think about the server having to know the 2FA seeds! I have no idea how those are stored in the DB, but I'll have a look later tonight.
@liaizon

Alexander Bochmann

@hypolite It seems like 2FA seeds (and backup codes) are encrypted in the user database.

Another possible vector is OAuth access tokens? I don't know much about OAuth, but I see the API access token stored by one of the apps I use verbatim in the Mastodon DB, so I assume knowledge of a token from the oauth_access_tokens table enables direct access to an account (all the other details of which are also in the DB).

So that means an operator who loses control over their Mastodon database should really revoke all API tokens right away... Except if there is some additional safeguard I don't know about?
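Hypolite's point that the server has to be able to read the 2FA seed, and the observation above that API tokens sit verbatim in oauth_access_tokens, both come down to how those two columns are stored. The following is an added example, not Mastodon's code; the server-side key, the in-memory token store and the helper names are assumptions, and it shows what a copied table is worth under each storage choice:

```ruby
# Added example (not Mastodon's code): two storage choices that decide what a
# copied users / oauth_access_tokens table is worth to whoever holds it.
require 'openssl'
require 'digest'
require 'securerandom'

# Constructed server-side key: lives in the app's environment, not in the DB.
SERVER_KEY = Digest::SHA256.digest('constructed-example-key-material')

# (1) TOTP seed at rest: AES-256-GCM under SERVER_KEY. The row alone (iv, tag,
# ciphertext, hex-encoded) does not let its holder compute codes; the server
# decrypts the seed per login attempt because it must verify the code itself.
def encrypt_otp_seed(seed, key = SERVER_KEY)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv
  ct = cipher.update(seed) + cipher.final
  { iv: iv.unpack1('H*'), tag: cipher.auth_tag.unpack1('H*'), ct: ct.unpack1('H*') }
end

def decrypt_otp_seed(row, key = SERVER_KEY)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = [row[:iv]].pack('H*')
  cipher.auth_tag = [row[:tag]].pack('H*')
  cipher.update([row[:ct]].pack('H*')) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # wrong key or tampered row: no seed, so no valid codes
end

# (2) API tokens: the client keeps the bearer token; the DB keeps only its
# SHA-256, so a copied token table holds nothing that can be presented as-is.
def issue_token(store)
  token = SecureRandom.hex(32)
  store[Digest::SHA256.hexdigest(token)] = { scopes: 'read write', revoked: false }
  token
end

def lookup_token(store, presented)
  row = store[Digest::SHA256.hexdigest(presented)]
  row && !row[:revoked] ? row : nil
end

# Response to a lost database, as the post above recommends: revoke every token.
def revoke_all!(store)
  store.each_value { |row| row[:revoked] = true }
  store.size
end
```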