Open Szybet opened 1 year ago
I doubt this will ever change. Kobo auth tokens have been infinitely valid for a very long time.
This is quite a nasty problem. Why doesn't Kobo have a setting to revoke existing tokens? It could be as simple as removing entries from a DB table?
Good God, let's hope they don't store authentication tokens in a database. That would make them susceptible to timing attacks and a treasure trove for anyone who gets their hands on that database.
Full description available here: https://www.reddit.com/r/kobo/comments/12w6n82/security_bug_i_changed_my_kobo_password_but_my/
That's really bad.