hmm did the security fix that broke a feature since a few releases actually not fix anything because we weren't vulnerable to that attack, hm

Mastodev, rambling 

i'm pretty sure that's the case
i'm pretty sure doing a CSRF on auth with Mastodon and OmniAuth doesn't give an attacker anything

that was considered a vulnerability in flows where logging in using OmniAuth would associate a remote identity to an existing local account (thus giving the remote identity access to the local account, and if an attacker somehow manages to get their victim to log in as the attacker on the remote identity provider… they'd have access to that local account)

except in our case, logging in through OmniAuth just logs into an account 100% determined by the remote identity and does not bind an existing local account to a remote identity, i think? i'd have to check but yeah i don't think an attacker can do much

then we can drop the CSRF protections on that endpoint and restore the redirect flow


Mastodev, rambling 

i have now checked, and we were, in fact, vulnerable to this, as we do bind remote identities to local accounts when already logged-in
oh well
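As an added illustration of the flow the thread is talking about (not Mastodon's or OmniAuth's code, just a constructed model with hypothetical names like `callback_unchecked`, `callback_checked`, `IdentityStore` and a fake `remote_uid`), the difference between a callback that binds the remote identity to whoever is currently logged in, and one that first checks that this browser session is the one that started the login. The `state` value stands in for the request-phase CSRF token OmniAuth uses:

```ruby
require "securerandom"

# Constructed model of an OAuth/OmniAuth-style login callback. Assumed names
# throughout; the point is the account-binding step, not any real provider.
class IdentityStore
  attr_reader :bindings # remote_uid => local account name
  def initialize
    @bindings = {}
  end
end

# Request phase: mint a per-session state value, remember it, send user to the IdP.
def begin_login(session)
  session[:oauth_state] = SecureRandom.hex(16)
  "https://idp.example/authorize?state=#{session[:oauth_state]}"
end

# Constant-time string comparison so the state check does not leak by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Weak callback: accepts any callback, and if a local user is already logged in,
# binds the remote identity to that local account. This is the case the thread
# describes: whoever completes the callback in the victim's browser gets bound.
def callback_unchecked(session, store, params)
  uid = params[:remote_uid]
  if session[:current_user]
    store.bindings[uid] = session[:current_user]
    return [:bound, session[:current_user]]
  end
  [:logged_in, store.bindings[uid]]
end

# Hardened callback: the callback is only honoured if it carries the state this
# session minted in begin_login. The state is consumed so it cannot be replayed.
def callback_checked(session, store, params)
  expected = session.delete(:oauth_state)
  given = params[:state]
  return [:rejected, nil] if expected.nil? || given.nil? || !secure_compare(expected, given)
  callback_unchecked(session, store, params)
end

# A callback for a remote identity this session never asked to log in with,
# arriving while a local user is logged in. Returns the outcome and whether the
# foreign uid ended up bound to the victim's account.
def simulate_foreign_callback(checked:)
  store = IdentityStore.new
  session = { current_user: "victim" } # constructed: victim is logged in locally
  params = { remote_uid: "foreign-uid", state: "not-this-sessions-state" }
  result = checked ? callback_checked(session, store, params) : callback_unchecked(session, store, params)
  [result.first, store.bindings["foreign-uid"]]
end

# The legitimate path: same session starts the login and finishes it.
def simulate_legitimate_link
  store = IdentityStore.new
  session = { current_user: "alice" }
  state = begin_login(session)[/state=(\h+)/, 1]
  first = callback_checked(session, store, { remote_uid: "alice-uid", state: state })
  replay = callback_checked(session, store, { remote_uid: "alice-uid", state: state })
  [first.first, store.bindings["alice-uid"], replay.first]
end

if __FILE__ == $PROGRAM_NAME
  p simulate_foreign_callback(checked: false) # => [:bound, "victim"]
  p simulate_foreign_callback(checked: true)  # => [:rejected, nil]
  p simulate_legitimate_link                  # => [:bound, "alice", :rejected]
end
```

The unchecked version shows why "we bind remote identities to local accounts when already logged in" makes the CSRF check matter: the binding happens in the victim's session, so the only thing stopping a callback the victim never initiated is the session-bound state. Dropping the check would be safe only if the callback never touched an existing local account.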
