this post was submitted on 20 Jun 2023
21 points (88.9% liked)

privacy

3375 readers
78 users here now

Big tech and governments are monitoring and recording your eating activities. c/Privacy provides tips and tricks to protect your privacy against global surveillance.

Partners:

founded 2 years ago
MODERATORS
Kokomheart
[email protected]
[email protected]
21
Lemmy clients: Credentials, security, and transparency (self.privacy)
submitted 2 years ago by BuoyantCitrus to c/privacy
4 comments fedilink hide all child comments
 

Was curious about whether someone could extract my password from Jerboa on my phone but didn't get any response there. Maybe you guys have some idea? Does Lemmy even offer an auth mechanism that could prevent this, is one in the works?

cross-posted from: https://lemmy.ca/post/652328

I noticed that Jeroba didn't seem to switch to a different site the way Relay passed through to Reddit so I could log in and link it via OAuth. From that I take it that when I authenticate in Jeroba I'm entrusting it with the cleartext password for my lemmy account which it's storing on my phone?

I'm sorta okay with that especially for now (eg. alpha) so I proceeded with things but maybe it should be more clear up front that's what's happening? And really, any of the other apps could probably have faked that OAuth page anyhow so it's dubious if you were really trusting the app all that much less in that case.

However, one thing OAuth had going for it was that would make it a lot harder for someone who steals my phone to permanently take control of my Reddit account whereas they could extract my password from Jeroba and use it to take over my lemmy account?

top 4 comments
sorted by: hot top controversial new old
[–] [email protected] 10 points 2 years ago (1 children)

The session cookie is stored in your app's data, which is sandboxed by default

[–] BuoyantCitrus 1 points 2 years ago

Oh nice, it's not storing the pw then? The session is just perpetual and doesn't expire or has my app been refreshing it along the way? How do I invalidate the session if eg. I lose my phone?

[–] adespoton 3 points 2 years ago

That gives me a feature request for mlem and memmy anyway; the option to log in / sign up via passkeys, which should work with iOS but also everything Apple/Microsoft/Google. And it’s the private solution because you can choose to manage the keypair yourself instead of letting the AMG do it, or for those who don’t grok that, they can just let Apple handle it for them.

[–] [email protected] 2 points 2 years ago

Shit, I didn't even considered this...