this post was submitted on 06 Mar 2024
6 points (87.5% liked)

Bug reports on any software

116 readers
4 users here now

When a bug tracker is inside the exclusive walled-gardens of MS Github or Gitlab.com, and you cannot or will not enter, where do you file your bug report? Here, of course. This is a refuge where you can report bugs that are otherwise unreportable due to technical or ethical constraints.

⚠of course there are no guarantees it will be seen by anyone relevant. Hopefully some kind souls will volunteer to proxy the reports.

founded 3 years ago

I think I was refreshing my profile or notifications page (forget which). As it was loading for ~1 to 2 seconds my screen color theme changed and in the top right corner I saw someone else’s userID, then it quickly reverted back to my theme and userID.

As fast as it happened I only took mental note of the first half of the other userID, which happened to match that of the admin. I described the colors I saw in that 1 to 2 second timeframe to the admin, who confirmed it was indeed the color theme they configured for their environment (which differs from the default).

I clearly had the admin’s session for a second or two. It was so quick that a malicious user probably could not do anything malicious. But of course just as I have no idea how I apparently got the admin’s cookie for a second or two, I have no idea how I got back my cookie. Maybe if I had quickly hit ESC mid-loading the access breach could have been sustained.

#lemmyBug


As usual, this bug report is posted here because the official bug tracker is jailed in MS Github. I should add that Microsoft supports those responsible for the death of Hind Rajab by financing AnyVision, which is good cause to boycott Microsoft.

breakingcups@lemmy.world 2 points 8 months ago (2 children)

Without having looked at anything source-related yet, it might be more likely that you got a splash of a template before it was bound to actual data. Often there is still placeholder data in these. It doesn't make sense for you to get access for a flash only to have it removed in the same page load; most frontends aren't set up like that.

Again, just an educated guess though.
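The two explanations being weighed here (a template rendered from placeholder defaults before the user's data is bound, versus something that really carries another account's identity into your page) look identical for a second or two but differ in what the first frame can contain. The following is an added illustration, not code from lemmy-ui or from anyone in this thread; the state shape, `renderHeader`, the shared-variable defect in `buggyServerRender` and the user records are all hypothetical and constructed for the demo, and nothing here is asserted to exist in any real project. It shows that a placeholder flash can only ever render placeholder values, whereas per-process state shared between concurrent requests can render a different user's real userID and theme.

```javascript
// Added illustration (not Lemmy's code): two ways a page header can briefly
// show the "wrong" user during a page load, and how to tell them apart.

// Default state a template is rendered with before any user data is bound.
// Constructed placeholder values; a real app's defaults would be its own.
const PLACEHOLDER_STATE = { userId: null, theme: "default" };

// Render the top-right header fragment from a state object.
function renderHeader(state) {
  const label = state.userId ? state.userId : "(not signed in)";
  return `<div class="theme-${state.theme}">${label}</div>`;
}

// Case 1: a "flash of template". The header renders from PLACEHOLDER_STATE
// first and is re-rendered once the user's data arrives. The first frame can
// only ever show placeholder values, never another account's real userId.
function renderWithPlaceholder(fetchedUser) {
  const frames = [];
  frames.push(renderHeader(PLACEHOLDER_STATE)); // frame 0: placeholder
  frames.push(renderHeader(fetchedUser));       // frame 1: bound data
  return frames;
}

// Case 2 (hypothetical defect, constructed for this demo): request state
// kept in a module-level variable shared between concurrent requests in one
// server process. Awaiting in the middle lets another request overwrite it
// before this request renders, so the output carries that other user's
// real userId and theme.
let sharedState = { ...PLACEHOLDER_STATE };

async function buggyServerRender(user, slowLookup) {
  sharedState = user;               // step 1: stash "current" user globally
  await slowLookup();               // step 2: yield to the event loop
  return renderHeader(sharedState); // step 3: render whatever is there now
}

// The fix: carry per-request state explicitly so nothing is shared.
async function fixedServerRender(user, slowLookup) {
  const requestState = user;
  await slowLookup();
  return renderHeader(requestState);
}

// Drive two concurrent requests through a renderer and return both outputs.
// Alice's lookup is held open until the admin's request has fully rendered,
// which is the interleaving that exposes the shared-state defect.
async function interleave(render) {
  const alice = { userId: "alice@example.invalid", theme: "default" };
  const admin = { userId: "admin@example.invalid", theme: "dark" };
  let releaseAlice;
  const aliceBlocked = new Promise((resolve) => { releaseAlice = resolve; });
  const aliceRender = render(alice, () => aliceBlocked);
  const adminRender = render(admin, () => Promise.resolve());
  const adminHtml = await adminRender;
  releaseAlice();
  const aliceHtml = await aliceRender;
  return { aliceHtml, adminHtml };
}
```

Run `interleave(buggyServerRender)` and Alice's page renders the admin's userID and dark theme; run `interleave(fixedServerRender)` and each user gets their own. The practical check for a report like this one is therefore whether the flashed frame showed real, account-specific values (another user's ID, a non-default theme) or only the application's defaults: the former cannot come from an unbound template.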

freedomPusher@sopuli.xyz 2 points 8 months ago

It’s an interesting theory. But would that placeholder data include the userID of the admin in the top right corner?

Synnr@sopuli.xyz 1 points 8 months ago

I didn't notice OP said it changed on the same page load, I thought they were F5ing their comments. That does make it more strange.