Thing to know: the *only* thing you need on Mastodon to get timelines etc is having a valid access token.
When you open the web interface, Mastodon puts the access token in the GET parameters.
What it means is, **ANYONE** having access to the front-end web server logs can connect and see timelines of **ANYONE** on the server. With any pre-authorized application. You don't need it to be authorized for the target account.
I just tested it on both my accounts and with the client_id and client_secret of my main, I could use the access_token of my second account and connect to it, while **never** having to do any auth steps.
If you house a Mastodon instance, watch the nginx logs carefully, because there are tons of access tokens *everywhere*.
I made a new emoji that I call "mild panic"
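As an added example (not part of the post, and not Mastodon's own code), the kind of check an instance admin can run over nginx access logs to find and redact tokens that landed in query strings or referers. It assumes the nginx "combined" log format and that the parameter is named `access_token`; the post does not name it, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed nginx "combined" format lines (sample data, not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:12:00:01 +0000] "GET /api/v1/timelines/home?access_token=AbCdEf0123456789 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jan/2023:12:00:02 +0000] "GET /api/v1/instance HTTP/1.1" 200 812 "-" "curl/7.81"
203.0.113.9 - - [10/Jan/2023:12:00:03 +0000] "GET /web/timelines/home?limit=20 HTTP/1.1" 200 9001 "https://example.test/?access_token=ZyX987" "Mozilla/5.0"
"""

# Assumption: the token travels in a query parameter called access_token.
TOKEN_PARAMS = {"access_token"}

# nginx "combined" format: addr ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def tokens_in_url(url):
    """Return [(param, value)] for query parameters that carry a token."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k in TOKEN_PARAMS and v]

def find_tokens(line):
    """Return [(field, param, value)] for every token leaked on one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = [("request", k, v) for k, v in tokens_in_url(m["target"])]
    hits += [("referer", k, v) for k, v in tokens_in_url(m["referer"])]
    return hits

def redact(line):
    """Replace leaked token values so the stored line can no longer be replayed."""
    for _, _, value in find_tokens(line):
        line = line.replace(value, "[REDACTED]")
    return line

def scan_log(text):
    """Return (count of lines carrying a token, redacted copy of the log)."""
    lines = text.splitlines()
    leaking = sum(1 for line in lines if find_tokens(line))
    return leaking, "\n".join(redact(line) for line in lines)

if __name__ == "__main__":
    count, cleaned = scan_log(SAMPLE_LOG)
    print(f"{count} line(s) carried a token")
    print(cleaned)
```

Redacting stored logs only limits what an attacker can harvest later; a token already written to disk stays valid until the user revokes that application session.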