@bot@kroner when you enter your password on a site, the server gives you a temporary key called a session token that your computer stores. Everything you do (posting, reading, changing settings, etc.) is authorized by that key. There are various ways that key can be copied off your computer and sent somewhere else. Whoever has that key can do anything you can do.
Go into your settings and look at security and there should be a list of session tokens. Usually one or two per device you have logged in on.
@bot@kroner KF (the forum) was hit by the exact same thing. The exploit is called XSS or "cross-site scripting", where unauthorized code is somehow injected into the JavaScript of the site (how this is done is complicated, but it basically relies on a misconfigured server, many times in ways that are not obvious). That injected JavaScript has access to your memory, can read your key and just send it off to someone else.
@bot@kroner kfcc wasn't up when it happened, I think. It was the event that made sterence shut down sleepy cafe and I don't remember kfcc being up around then.
@kroner@bot for anybody else reading this, the vast majority of major site hacks (fedi included) I've seen lately entirely bypass 2FA by stealing session tokens via XSS or some other exploit. In other words, passwords aren't the problem.
2 lessons from this:
a strong password makes 2FA hardly relevant
you should regularly revoke all your tokens just in case