@hypolite It seems like 2FA seeds (and backup codes) are encrypted in the user database.
Another possible vector is OAuth access tokens? I don't know much about OAuth, but I see the API access token stored by one of the apps I use verbatim in the Mastodon DB, so I assume knowledge of a token from the oauth_access_tokens table enables direct access to an account (all the other details of which are also in the DB).
So that means an operator who loses control over their Mastodon database should really revoke all API tokens right away... Except if there is some additional safeguard I don't know about?
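As an added illustration of the point above (example code written for this page, not Mastodon's or Doorkeeper's own code), the script below builds a small in-memory table shaped like a Doorkeeper-style `oauth_access_tokens` table (columns `token` and `revoked_at`, as in Mastodon; the exact column list is an assumption for the demo), shows that a copy of the table is enough to replay a verbatim-stored token, shows the "revoke everything" mitigation as a single `UPDATE`, and contrasts it with storing only a hash of the token so that a dumped table no longer yields usable credentials. The sample tokens and user/application ids are constructed for the example.

```python
"""Added example: verbatim vs hashed OAuth token storage, and bulk revocation.

Not Mastodon/Doorkeeper code. The schema below mimics a Doorkeeper-style
oauth_access_tokens table closely enough to demonstrate the issue; column
names other than `token` and `revoked_at` are assumptions for the demo.
"""
import hashlib
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE oauth_access_tokens (
  id                INTEGER PRIMARY KEY,
  resource_owner_id INTEGER NOT NULL,   -- the account the token acts as
  application_id    INTEGER NOT NULL,   -- the OAuth client (app) it was issued to
  token             TEXT    NOT NULL UNIQUE,
  scopes            TEXT,
  created_at        TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP,
  revoked_at        TEXT                 -- NULL while the token is live
);
"""


def new_db():
    """Fresh in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn, user_id, app_id, scopes, hashed=False):
    """Mint a token for (user, app). With hashed=True only SHA-256(token)
    is written to the table; the raw token is returned to the client once."""
    raw = secrets.token_urlsafe(32)  # 256 bits of entropy, so a plain hash is enough
    stored = hashlib.sha256(raw.encode()).hexdigest() if hashed else raw
    conn.execute(
        "INSERT INTO oauth_access_tokens (resource_owner_id, application_id, token, scopes)"
        " VALUES (?, ?, ?, ?)",
        (user_id, app_id, stored, scopes),
    )
    return raw


def authenticate(conn, presented, hashed=False):
    """What the API does on each request: look up the bearer token and
    refuse anything revoked. Returns (user_id, scopes) or None."""
    lookup = hashlib.sha256(presented.encode()).hexdigest() if hashed else presented
    return conn.execute(
        "SELECT resource_owner_id, scopes FROM oauth_access_tokens"
        " WHERE token = ? AND revoked_at IS NULL",
        (lookup,),
    ).fetchone()


def revoke_all(conn):
    """The operator's response to a lost database: revoke every live token.
    The same statement works on the real Postgres table. Returns rows revoked."""
    cur = conn.execute(
        "UPDATE oauth_access_tokens SET revoked_at = CURRENT_TIMESTAMP"
        " WHERE revoked_at IS NULL"
    )
    return cur.rowcount


def dump_tokens(conn):
    """Everything an attacker holding a copy of the table gets to see."""
    return [row[0] for row in conn.execute("SELECT token FROM oauth_access_tokens")]


def demo():
    results = {}

    # 1. Tokens stored verbatim (the situation described in the post).
    conn = new_db()
    issue_token(conn, user_id=1, app_id=10, scopes="read write")
    issue_token(conn, user_id=2, app_id=10, scopes="read")
    leaked = dump_tokens(conn)                      # attacker copies the table
    results["plaintext_replay"] = authenticate(conn, leaked[0]) is not None
    results["revoked_count"] = revoke_all(conn)     # operator revokes everything
    results["replay_after_revoke"] = authenticate(conn, leaked[0]) is not None

    # 2. Only a hash of the token at rest: a dump is not a credential.
    conn = new_db()
    raw = issue_token(conn, user_id=1, app_id=10, scopes="read write", hashed=True)
    leaked = dump_tokens(conn)
    results["hashed_replay"] = authenticate(conn, leaked[0], hashed=True) is not None
    results["hashed_legit"] = authenticate(conn, raw, hashed=True) is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With verbatim storage the replay succeeds until `revoke_all` runs, after which the same token is refused; with hashed storage the dumped value never authenticates while the legitimate client's raw token still does. Hashing only helps for the next breach, so after a database compromise revocation is still the right first step; hashed storage is what keeps that step from being the only line of defence.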