Hypolite Petovan

@galaxis @liaizon With a copy of the database, 2FA is a formality since the server needs to know the 2FA seed to match the provided codes. The seed could be encrypted using the account password but it's unlikely.

In this specific case, strongly salted and hashed passwords are the actual line of defense. 2FA helps the other way around, when the cleartext password has been compromised any other way (phishing, social engineering, brute force) but the 2FA seed is unknown to the attacker.
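To make the asymmetry in the post concrete, here is an added example (not code from the thread or from Mastodon) that implements both checks a server performs: RFC 6238 TOTP verification, which is a pure function of the stored seed, and salted scrypt password verification, which needs the cleartext. The seed and password values are constructed test inputs (the seed is the RFC 6238 test vector).

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation.
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(seed, unix_time // step, digits)

# Server-side check. Note it needs nothing but the stored seed: whoever holds
# the seed column can produce valid codes, so the seed is password-equivalent.
def verify_totp(seed: bytes, code: str, unix_time=None, window: int = 1) -> bool:
    now = int(time.time()) if unix_time is None else unix_time
    return any(hmac.compare_digest(totp(seed, now + k * 30), code)
               for k in range(-window, window + 1))

# Password side: the DB stores only salt and scrypt digest ("salt$digest", base64).
# Verification needs the cleartext, so a dump yields hashes to crack, not logins.
def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()

def verify_password(password: str, stored: str) -> bool:
    salt_b64, digest_b64 = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))

if __name__ == "__main__":
    RFC_SEED = b"12345678901234567890"        # RFC 6238 SHA-1 test seed (constructed input)
    print("code at T=59:", totp(RFC_SEED, 59))  # "287082", derived from the seed alone
    stored = hash_password("correct horse")      # constructed test password
    print("password ok:", verify_password("correct horse", stored))
```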

2 comments
Alexander Bochmann

@hypolite Right, I didn't think about the server having to know the 2FA seeds! I have no idea how those are stored in the DB, but I'll have a look later tonight.
@liaizon

Alexander Bochmann

@hypolite It seems like 2FA seeds (and backup codes) are encrypted in the user database.

Another possible vector is OAuth access tokens? I don't know much about OAuth, but I see the API access token stored by one of the apps I use verbatim in the Mastodon DB, so I assume knowledge of a token from the oauth_access_tokens table enables direct access to an account (all the other details of which are also in the DB).

So that means an operator who loses control over their Mastodon database should really revoke all API tokens right away... Except if there is some additional safeguard I don't know about?
