Alex /
npub1q3s…d26p
2024-10-03 00:28:34


Btw it's really crazy to me it's not standard practice to hash session tokens. Remember when Gab got hit with a major SQL injection vuln and the attacker dumped thousands of OAuth tokens and used them to control famous people's accounts? This can be prevented by just treating OAuth tokens the same as passwords in the database, lol. https://www.wired.com/story/gab-hack-data-breach-ddosecrets/

Auth tokens in #Ditto's database are now hashed, and nip46 keys are encrypted: https://gitlab.com/soapbox-pub/ditto/-/merge_requests/526

This means that even if someone gained unauthorized access to the database, they wouldn't be able to control people's sessions. In other words, much better #security on the server.

note1nel…8sq3
Author Public Key
npub1q3sle0kvfsehgsuexttt3ugjd8xdklxfwwkh559wxckmzddywnws6cd26p
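The pattern the post advocates, as an added example that is not code from the post or from Ditto: persist only a hash of each session token and resolve presented tokens by hashing them first, so a copied sessions table cannot be replayed. The in-memory store and the names (SessionStore, hash_token, issue_session, lookup_session, revoke_session, dump_is_useless) are assumptions; SHA-256 rather than a password KDF is used because the tokens are random and high-entropy, unlike human-chosen passwords.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


# Constructed in-memory stand-in for a sessions table (assumption: the real
# store is a database row keyed by the token hash, never by the plaintext).
@dataclass
class SessionStore:
    rows: dict = field(default_factory=dict)  # sha256 hex of token -> user_id


def hash_token(token: str) -> str:
    """One SHA-256 pass: the token has ~256 bits of entropy, so brute-forcing
    the hash is infeasible without the slow, salted KDF passwords require."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session(store: SessionStore, user_id: str) -> str:
    """Mint a random token, store only its hash, return the plaintext once."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store.rows[hash_token(token)] = user_id
    return token


def lookup_session(store: SessionStore, presented: str):
    """Hash what the client sent and look that up; returns user_id or None."""
    return store.rows.get(hash_token(presented))


def revoke_session(store: SessionStore, presented: str) -> bool:
    """Delete the row for a token; the plaintext is never needed server-side."""
    return store.rows.pop(hash_token(presented), None) is not None


def dump_is_useless(store: SessionStore) -> bool:
    """Model an attacker replaying a dumped table: every stored value, presented
    as if it were a token, fails to resolve to any session."""
    return all(lookup_session(store, stored) is None for stored in list(store.rows))
```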