Conversation

Notices

1. LS (lain@lain.com)'s status on Sunday, 03-Sep-2023 21:49:01 JST LS

   • Haelwenn /элвэн/ :triskell:
   big thanks to @lanodan for getting this out today
   •  (mint@ryona.agency)'s status on Sunday, 03-Sep-2023 21:59:21 JST 

     in reply to

     • Haelwenn /элвэн/ :triskell:
     • Kirino Kousaka
     @lain @lanodan Also credits to @Kirino for first reporting this and to yours truly for submitting the patch.
   • Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:06:46 JST Kirino Kousaka

     in reply to

     • 
     • Haelwenn /элвэн/ :triskell:

     Yeah!! >:O I saved the world!! :D

      likes this.
   • Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:14:59 JST Kirino Kousaka

     in reply to

     • pomstan
     • 

     Mint and Kirino are bad boys who say the no no words :blobcatcomfcool:

      likes this.
   • pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Sunday, 03-Sep-2023 22:15:00 JST pomstan

     in reply to

     • 
     • Kirino Kousaka

     @mint @Kirino i really wonder why there’s no credit given anywhere in the announcement

   •  (mint@ryona.agency)'s status on Sunday, 03-Sep-2023 22:18:08 JST 

     in reply to

     • pomstan
     • Kirino Kousaka
     @pomstan @Kirino The 2.5.4 changelog had a proper credit to third-party contributor. Guess I'm too spicy for them, but whatever, at least it's still in commit history.
   • Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:21:30 JST Kirino Kousaka

     in reply to

     • pomstan
     • 

     I’m just happy I can publiclly talk about it now and not have the anxiety of “Oh fuck what if someone else figures it out” while waiting for the update.

     It wasn’t even that big of a leap for me to make, a lot of bot makers and contributors already knew about reusing IDs, I was just the first to actually test using other IDs.

     I think Cassidyclown had a good theory about why this exploit exists which is “It was probably written before scope and gleasonchats, so it didn’t need that check”.

      likes this.
   •  (mint@ryona.agency)'s status on Sunday, 03-Sep-2023 22:25:12 JST 

     in reply to

     • pomstan
     • Kirino Kousaka
     @pomstan @Kirino Reusing attachment IDs when submitting a post or chat message without checking for attachment attibution. Since you can attach thousands of them to a post, and invalid ones are silently discarded, you can iterate fairly quickly through object IDs and expose other users dick pics from DMs. The patch simply adds the missing attribution check.
   • pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Sunday, 03-Sep-2023 22:25:13 JST pomstan

     in reply to

     • 
     • Kirino Kousaka

     @Kirino @mint what’s the actual exploit? do i need to care on a single-user instance?

   •  (mint@ryona.agency)'s status on Sunday, 03-Sep-2023 22:26:22 JST 

     in reply to

     • pomstan
     • 
     • Kirino Kousaka
     @pomstan @Kirino So yes, singleusers are safu.
   • Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:26:42 JST Kirino Kousaka

     in reply to

     • pomstan
     • 
     • cassidyclown

     Essentially there was no checks when attaching media attachment IDs to a post to see if you should be able to access that particular media.

     What that means is, (on a multi-user instance) if Person A sends a private photo to Person B with an ID of 1234 then Person C can just make an API request to attach 1234 to their post and the image will be published.

     Through testing @cassidyclown figured you couldn’t tell WHO uploaded the photo but it would still be leaked regardless.

     Machismo and  repeated this.
   • pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Sunday, 03-Sep-2023 22:26:42 JST pomstan

     in reply to

     • 
     • cassidyclown
     • Kirino Kousaka

     @Kirino @cassidyclown @mint the actual mitigation for this class of attacks is the usual “don’t upload your private stuff to the internet”

      likes this.
   •  (mint@ryona.agency)'s status on Sunday, 03-Sep-2023 22:27:21 JST 

     in reply to

     • pomstan
     • cassidyclown
     • Kirino Kousaka
     @pomstan @cassidyclown @Kirino Indeed. Scopes are still just a suggestion.
   • cassidyclown (cassidyclown@clubcyberia.co)'s status on Sunday, 03-Sep-2023 22:28:48 JST cassidyclown

     in reply to

     • pomstan
     • 
     • Kirino Kousaka
     @pomstan @mint @Kirino I made a "don't upload dick pics to dms" psa and everyone told me it was a "bad post" and it's "literally 1984"
      likes this.
   • Rusty Crab (rustycrab@clubcyberia.co)'s status on Sunday, 03-Sep-2023 22:29:27 JST Rusty Crab

     in reply to

     • pomstan
     • 
     • cassidyclown
     • Kirino Kousaka
     @pomstan @cassidyclown @mint @Kirino well you see pleroma started as a porn site so having your dick pics leaked was a feature
      likes this.
   •  (mint@ryona.agency)'s status on Sunday, 03-Sep-2023 22:30:01 JST 

     in reply to

     • pomstan
     • cassidyclown
     • Kirino Kousaka
     • Rusty Crab
     @RustyCrab @cassidyclown @Kirino @pomstan Unit tests prove this theory.
     Screenshot_20230902_002031.png
   • Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:34:55 JST Kirino Kousaka

     in reply to

     • pomstan
     • 
     • cassidyclown
     • Rusty Crab

     I found a really funny one too, lemme dig through the code for it

     FOUND IT

      likes this.