• 0 Posts
  • 4 Comments
Joined 1Y ago
Cake day: Jun 13, 2023


That wouldn’t necessarily have stopped this attack, I don’t think, but yeah, probably a good idea on multiple levels.

If the separate admin window was open, and a tagged reply or PM was sent to the admin account, I think that would render the emote in the notification and trigger the exploit.


It used to be in a config file but they moved it to the db so it could be autogenerated on first startup I believe. I guess it’s better than newb instances running around with a jwt secret of “changeme” but still…


Changing password does invalidate tokens, but the rest of that is accurate.


Yes and no. Admin accounts often remain logged in as a practical matter. They can’t see incoming reports, registration applications, etc. if the account isn’t logged in. And there is no “middle tier”/sitemod or customizable permissions allowing for anything between community mod and instance admin that would mitigate the need to use admin accounts day to day.