πŸ…ΏπŸ†„πŸ…½πŸ…²πŸ…· πŸ…΄πŸ…½πŸ…΄πŸ†πŸ…ΆπŸ†ˆ

πŸ…ΏπŸ†„πŸ…½πŸ…²πŸ…· πŸ…΄πŸ…½πŸ…΄πŸ†πŸ…ΆπŸ†ˆ

  • 0 Posts
  • 6 Comments
Joined 1Y ago
cake
Cake day: Jun 20, 2023
help-circle
rss
πŸ…ΏπŸ†„πŸ…½πŸ…²πŸ…· πŸ…΄πŸ…½πŸ…΄πŸ†πŸ…ΆπŸ†ˆtoLemmy Administration@lemmy.mlβ€’Recap of the Lemmy XSS incident & steps for mitigation
link
fedilink
1β€’1Y

Thank you for the detailed explanation :)

link
fedilink
πŸ…ΏπŸ†„πŸ…½πŸ…²πŸ…· πŸ…΄πŸ…½πŸ…΄πŸ†πŸ…ΆπŸ†ˆtoLemmy Administration@lemmy.mlβ€’Recap of the Lemmy XSS incident & steps for mitigation
link
fedilink
1β€’1Y

πŸ‘

link
fedilink
πŸ…ΏπŸ†„πŸ…½πŸ…²πŸ…· πŸ…΄πŸ…½πŸ…΄πŸ†πŸ…ΆπŸ†ˆtoLemmy Administration@lemmy.mlβ€’Recap of the Lemmy XSS incident & steps for mitigation
link
fedilink
1β€’1Y

oh i see, they want to delete the secret instead of the active tokens. Yeah now i get what you mean. Seems kinda odd.

link
fedilink
πŸ…ΏπŸ†„πŸ…½πŸ…²πŸ…· πŸ…΄πŸ…½πŸ…΄πŸ†πŸ…ΆπŸ†ˆtoLemmy Administration@lemmy.mlβ€’Recap of the Lemmy XSS incident & steps for mitigation
link
fedilink
0β€’
edit-2
1Y

…that’s what i just said? https://lemmy.dbzer0.com/comment/793036

link
fedilink
πŸ…ΏπŸ†„πŸ…½πŸ…²πŸ…· πŸ…΄πŸ…½πŸ…΄πŸ†πŸ…ΆπŸ†ˆtoLemmy Administration@lemmy.mlβ€’Recap of the Lemmy XSS incident & steps for mitigation
link
fedilink
0β€’
edit-2
1Y

afaik to generate those tokens, you configure a secret in an enviroment variable. You cannot generate tokens from looking at valid tokens within the database. Thus storing active tokens in the database is fine since you can always purge all active tokens as this post has also suggested.

link
fedilink
πŸ…ΏπŸ†„πŸ…½πŸ…²πŸ…· πŸ…΄πŸ…½πŸ…΄πŸ†πŸ…ΆπŸ†ˆtoLemmy Administration@lemmy.mlβ€’Recap of the Lemmy XSS incident & steps for mitigation
link
fedilink
2β€’1Y

How did the hackers get the cookies in the first place? Compromised devices on the clients?

link
fedilink