@DocScranton To be clear, you don’t have to worry about it as a single-user instance, but still update!
I discovered the exploit while thinking of how to make my insult bot send out insults faster: I had the idea of reusing previous Media Attachment IDs so that it didn’t have to repeatedly upload files.
I tested this and it worked, so on a whim I said “Huh, I wonder if I could POST someone else’s Media Attachment ID in my API call”, and that worked. It was then I thought “Huh… these IDs look like they’re just a sequential series of numbers…”
I then had a VERY devious idea to see if private chats and DMs used the same list, which I found out they do. I coupled both these pieces of information together and thought “I wonder if I could attach someone else’s private Media Attachment ID to a public post”, and it turns out YES, YOU CAN.
In conclusion: on any public instance, NO photos were actually private, and it would only take a bad actor looping through all IDs in the object table until he found the photos for them to be leaked.
My initial report can be found here: https://docs.google.com/document/d/1akVy15fpksV3QulTz5f37XeaR0Xxw-TnVc9TFSL_Rus/
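The missing check described in the thread, as an added example (this is not GNU social’s code and not the reporter’s): a toy model in which attachments for public posts and for DMs draw IDs from one shared sequential counter, a vulnerable post-creation routine that links any attachment ID the client names, a hardened one that refuses IDs the caller does not own, and the “loop through all IDs” enumeration run against both. The users, filenames and the `MediaStore`/`create_post_*` names are constructed for the demo.

```python
"""Toy model of the media-attachment IDOR described in the thread.

Added example, not GNU social's code.  Everything here (users, filenames,
class and function names) is constructed for the demo.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Callable, Dict, List


@dataclass
class Attachment:
    id: int
    owner: str
    filename: str
    scope: str  # "public" or "direct" (a DM/private-chat upload)


@dataclass
class Post:
    author: str
    scope: str
    media_ids: List[int] = field(default_factory=list)


class MediaStore:
    """One global, sequential ID counter shared by public and DM uploads,
    which is the behaviour the reporter observed."""

    def __init__(self) -> None:
        self._next_id = count(1)
        self.attachments: Dict[int, Attachment] = {}

    def upload(self, owner: str, filename: str, scope: str) -> int:
        att = Attachment(next(self._next_id), owner, filename, scope)
        self.attachments[att.id] = att
        return att.id

    def get(self, media_id: int):
        return self.attachments.get(media_id)


class PermissionDenied(Exception):
    pass


def create_post_vulnerable(store: MediaStore, author: str, scope: str,
                           media_ids: List[int]) -> Post:
    """Only checks that each ID exists: any user can link anyone's upload,
    including a photo that was sent in a DM, to a public post."""
    for mid in media_ids:
        if store.get(mid) is None:
            raise ValueError(f"no attachment {mid}")
    return Post(author, scope, list(media_ids))


def create_post_hardened(store: MediaStore, author: str, scope: str,
                         media_ids: List[int]) -> Post:
    """Links an attachment only if the caller uploaded it.  Missing and
    foreign IDs get the same error so the endpoint does not become an
    oracle for which IDs exist."""
    for mid in media_ids:
        att = store.get(mid)
        if att is None or att.owner != author:
            raise PermissionDenied("attachment not found or not owned by caller")
    return Post(author, scope, list(media_ids))


def enumerate_foreign_private_media(store: MediaStore, attacker: str,
                                    create_post: Callable, max_id: int) -> List[int]:
    """The 'loop through all IDs' attack: try to re-publish every ID in
    1..max_id as a public post.  The demo consults store.get only to count
    which successes were other people's DM photos; a real attacker simply
    sees every image that gets republished."""
    leaked: List[int] = []
    for mid in range(1, max_id + 1):
        try:
            create_post(store, attacker, "public", [mid])
        except (ValueError, PermissionDenied):
            continue
        att = store.get(mid)
        if att.owner != attacker and att.scope == "direct":
            leaked.append(mid)
    return leaked


def demo() -> Dict[str, List[int]]:
    store = MediaStore()
    store.upload("alice", "private_photo.jpg", "direct")  # id 1, sent in a DM
    store.upload("alice", "cat.jpg", "public")            # id 2
    store.upload("mallory", "insult.png", "public")       # id 3, attacker's own
    return {
        "vulnerable_leaks": enumerate_foreign_private_media(
            store, "mallory", create_post_vulnerable, 10),
        "hardened_leaks": enumerate_foreign_private_media(
            store, "mallory", create_post_hardened, 10),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check is the actual fix; switching to random, unguessable attachment IDs only slows enumeration down and still lets anyone who learns an ID (for example from a shared DM) republish it, so it is at most a secondary hardening step.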
076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.
All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.