Was curious about whether someone could extract my password from Jerboa on my phone, but didn’t get any response there. Maybe you guys have some idea? Does Lemmy even offer an auth mechanism that could prevent this, or is one in the works?

cross-posted from: https://lemmy.ca/post/652328

I noticed that Jerboa didn’t seem to switch to a different site the way Relay passed through to Reddit so I could log in and link it via OAuth. From that I take it that when I authenticate in Jerboa I’m entrusting it with the cleartext password for my Lemmy account, which it’s storing on my phone?

I’m sort of okay with that, especially for now (e.g. alpha), so I proceeded with things, but maybe it should be clearer up front that that’s what’s happening? And really, any of the other apps could probably have faked that OAuth page anyhow, so it’s dubious whether you were really trusting the app all that much less in that case.

However, one thing OAuth had going for it was that it would make it a lot harder for someone who steals my phone to permanently take control of my Reddit account, whereas they could extract my password from Jerboa and use it to take over my Lemmy account?

  • OsrsNeedsF2P · 9 points · 1 year ago

    The session cookie is stored in your app’s data, which is sandboxed by default

    • BuoyantCitrus@lemmy.ca (OP) · 1 point · 1 year ago

      Oh nice, it’s not storing the pw then? Is the session just perpetual and doesn’t expire, or has my app been refreshing it along the way? How do I invalidate the session if, e.g., I lose my phone?
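The difference the thread is circling, stored password versus stored session token, is easiest to see with both on the table at once. The following is an added example, not Jerboa's or Lemmy's code: a constructed in-memory server that keeps salted password hashes and a revocable session table (only a hash of each token is stored), and a stolen-phone scenario comparing an app that kept just the token with one that kept the cleartext password. All class and method names (`AuthServer`, `logout_everywhere`, `stolen_phone_scenario`) and the 30-day `TOKEN_TTL` are hypothetical.

```python
"""Added example (not Jerboa's or Lemmy's code): why a stored session token is
a smaller loss than a stored password.  Everything here is a constructed,
in-memory stand-in; the class and method names are hypothetical."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 30 * 24 * 3600  # assumed 30-day session lifetime


class AuthServer:
    """Server side: salted password hashes plus a revocable session table."""

    def __init__(self):
        self.users = {}      # username -> (salt, pbkdf2 hash)
        self.sessions = {}   # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _tok_hash(token):
        # Store only a hash of the token so a leaked session table is useless.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._pw_hash(password, salt))

    def login(self, username, password, now=None):
        """Check the password; on success mint an opaque random token."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._pw_hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[self._tok_hash(token)] = {
            "user": username, "expires": (now or time.time()) + TOKEN_TTL}
        return token

    def whoami(self, token, now=None):
        """Resolve a presented token; None if unknown, revoked or expired."""
        s = self.sessions.get(self._tok_hash(token))
        if s is None or (now or time.time()) > s["expires"]:
            return None
        return s["user"]

    def logout_everywhere(self, username):
        """The 'I lost my phone' button: drop every session of this user."""
        doomed = [h for h, s in self.sessions.items() if s["user"] == username]
        for h in doomed:
            del self.sessions[h]
        return len(doomed)

    def change_password(self, username, new_password):
        """A password rotation must also kill existing sessions."""
        self.register(username, new_password)
        return self.logout_everywhere(username)


def stolen_phone_scenario():
    """Compare what a thief gets from an app that kept only the token with
    one that kept the cleartext password.  Returns the outcomes in order."""
    srv = AuthServer()
    srv.register("buoyant", "correct horse battery staple")

    # App A keeps only the token in its private storage.
    token = srv.login("buoyant", "correct horse battery staple")
    # App B (the worry in the thread) keeps the cleartext password.
    stored_password = "correct horse battery staple"

    thief_can_use_token = srv.whoami(token) == "buoyant"
    srv.logout_everywhere("buoyant")              # owner reacts to the theft
    token_after_revoke = srv.whoami(token)        # None: the token is dead
    # The password still works: revoking sessions does not help against App B.
    pw_after_revoke = srv.login("buoyant", stored_password) is not None
    srv.change_password("buoyant", "new and different passphrase")
    pw_after_rotate = srv.login("buoyant", stored_password) is not None
    return thief_can_use_token, token_after_revoke, pw_after_revoke, pw_after_rotate


if __name__ == "__main__":
    print(stolen_phone_scenario())  # (True, None, True, False)
```

The point of the scenario is the middle two results: once the owner hits "log out everywhere", the stolen token is worthless, but a stolen cleartext password keeps working until the password itself is changed, and a password change is only a real remedy if it also invalidates existing sessions, which is why `change_password` calls `logout_everywhere`. Expiry is the second line of defence for a token that is never explicitly revoked, which is what the closing question about perpetual sessions is asking about.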