@hypolite Right, I didn't think about the server having to know the 2FA seeds! I have no idea how those are stored in the DB, but I'll have a look later tonight. @liaizon
@hypolite It seems like 2FA seeds (and backup codes) are encrypted in the user database.
Another possible vector is OAuth access tokens? I don't know much about OAuth, but I see the API access token stored by one of the apps I use verbatim in the Mastodon DB, so I assume knowledge of a token from the oauth_access_tokens table enables direct access to an account (all the other details of which are also in the DB).
So that means an operator who loses control over their Mastodon database should really revoke all API tokens right away... Except if there is some additional safeguard I don't know about?
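As an added illustration (not code from the thread or from Mastodon itself) of why a verbatim token column is the concern raised above: a constructed, in-memory stand-in for an oauth_access_tokens table that stores only a SHA-256 digest of each token, so a dump of the table cannot be replayed against the API, plus the "revoke everything" step the post suggests. Names (TokenStore, issue, owner_for, revoke_all) and the sample owner are assumptions made for the example.

```python
import hashlib
import secrets
from datetime import datetime, timezone


def digest(token: str) -> str:
    """Digest stored at rest instead of the raw bearer token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Constructed stand-in for an oauth_access_tokens table (hypothetical API)."""

    def __init__(self) -> None:
        # digest -> {"owner": str, "revoked_at": datetime | None}
        self.rows: dict[str, dict] = {}

    def issue(self, owner: str) -> str:
        """Mint a token, persist only its digest, return the raw value once."""
        token = secrets.token_urlsafe(32)
        self.rows[digest(token)] = {"owner": owner, "revoked_at": None}
        return token

    def owner_for(self, presented: str):
        """Resolve a presented bearer token; None if unknown or revoked."""
        row = self.rows.get(digest(presented))
        if row is None or row["revoked_at"] is not None:
            return None
        return row["owner"]

    def revoke_all(self) -> int:
        """Bulk revocation after a suspected database compromise; returns count."""
        now = datetime.now(timezone.utc)
        revoked = 0
        for row in self.rows.values():
            if row["revoked_at"] is None:
                row["revoked_at"] = now
                revoked += 1
        return revoked


def demo() -> dict:
    store = TokenStore()
    raw = store.issue("alice")          # constructed sample account
    dumped = list(store.rows.keys())    # what a leaked table would contain
    return {
        "raw_in_dump": raw in dumped,                 # False: only digests leak
        "dump_value_works": store.owner_for(dumped[0]),  # None: digest != token
        "raw_works": store.owner_for(raw),            # "alice"
        "revoked": store.revoke_all(),                # 1
        "after_revoke": store.owner_for(raw),         # None
    }
```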