cantevencode

joined 1 year ago
[–] cantevencode 26 points 1 year ago

Prior to the JWT secret being rotated, yes, they could have authenticated as you. The tokens are now all invalid and useless

[–] cantevencode 13 points 1 year ago (5 children)

Does an admin account have any permissions to view email addresses or data of registered users?

Did MichelleG not have 2FA enabled?

Now that this has happened, it'd be worth pushing this issue through as high priority. If HttpOnly was enabled, then an admin takeover would not have been possible.

https://github.com/LemmyNet/lemmy-ui/issues/1252

[–] cantevencode 14 points 1 year ago (1 children)

Petition to change the lemmy.world logo to Lenny
