1

[update](Lemmy) security issue: spontaneous access given to admin’s account

posted
*
by
Avatar
freedomPusher@sopuli.xyzM
in
Avatar
bugs@sopuli.xyz
0 comments
hidereport

I think I was refreshing my profile or notifications page (forget which). As it was loading for ~1—2 seconds my screen color theme changed and in the top right corner I saw someone else’s userID, then it quickly reverted back to my theme and userID.

As fast as it happened I only took mental note of the first half of the other userID, which happened to match that of the admin. I described the colors I saw in that 1—2 second timeframe to the admin who confirmed it was indeed the color theme they configured for their environment (which differs from the default).

I clearly had the admin’s session for a second or two. It was so quick that a malicious user probably could not do anything malicious. But of course just as I have no idea how I apparently got the admin’s cookie for a second or two, I have no idea how I got back my cookie. Maybe if I had quickly hit ESC mid-loading the access breach could have been sustained.

#lemmyBug

As usual, this bug report is posted here because the official bug tracker is jailed in MS Github. I should add that Microsoft supports those responsible for the death of Hind Rajab by financing AnyVision, which is good cause to boycott Microsoft.

Sort:
HotTopControversialNewOld
No comments yet!

Bug reports on any software

!bugs@sopuli.xyz

Create post

When a bug tracker is inside the exclusive walled-gardens of MS Github or Gitlab.com, and you cannot or will not enter, where do you file your bug report? Here, of course. This is a refuge where you can report bugs that are otherwise unreportable due to technical or ethical constraints.

⚠of course there are no guarantees it will be seen by anyone relevant. Hopefully some kind souls will volunteer to proxy the reports.

Community stats

  • 34

    Monthly active users

  • 62

    Posts

  • 18

    Comments

Community moderators