Am I wrong in thinking the whole issue is the DB is trying to insert over your primary key and raising an error?
If so, am I missing why you couldn’t just set the next primary key to be greater than the maximum object on the table? :\
I’ve been thinking of setting up a bot which just follows everyone and then when it gets to 1,000 followers it will unfollow everyone.
AND!!!!
HE DID THO!!!
Let me demonstrate comfo speak using a translator I built a while back (Funnily enough, this is one of the things I demanded he add in but only for my account. You figure it out.)
Input text:
Category 2 cable, also known as Cat 2, is a grade of unshielded twisted pair cabling designed for telephone and data communications. The maximum frequency suitable for transmission over Cat 2 cable is 4 MHz, and the maximum bandwidth is 4 Mbit/s. Cat 2 cable contains 4 pairs of wires, or 8 wires total.
Output text:
Categori 2 cable, alsho known ash Cat 2, ish a grade of unshielded twishted pair cabling deshigned for telephone and data communicationsh. de maximum frequenci shuitable for transhmishion ober Cat 2 cable ish 4 MHz, and de maximum bandwidth ish 4 Mbit/sh. Cat 2 cable containsh 4 pairsh of wiresh, or 8 wiresh total.
For around a month or so, every post I made was in that style.
5 reasons off the top of my head:
I think Alex may have me muted/blocked (which is completely fair lmao) so maybe re-post the PDF at him and tell him about v2.5.5 of Pleroma :P
I found a really funny one too, lemme dig through the code for it
FOUND IT
@p HAHA DOES YOUR INSTANCE NO LONGER ALLOW TEXT POSTS BECAUSE OF THE UPDATE? LMAO
Essentially there were no checks when attaching media attachment IDs to a post to see if you should be able to access that particular media.
What that means is, (on a multi-user instance) if Person A sends a private photo to Person B with an ID of 1234 then Person C can just make an API request to attach 1234 to their post and the image will be published.
Through testing @cassidyclown figured you couldn’t tell WHO uploaded the photo but it would still be leaked regardless.
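The missing check described in the post above, as an added example that is not part of the original posts and is not Pleroma's code: a small in-memory Python model in which attachment IDs are resolved without and then with an ownership check. The class, method and account names are hypothetical, and the ownership rule is an assumed form of the fix.

```python
from dataclasses import dataclass, field
from itertools import count

class Forbidden(Exception):
    """Raised when a post references media the author did not upload."""

@dataclass
class Instance:
    """Toy model of a multi-user instance (constructed for illustration)."""
    media: dict = field(default_factory=dict)     # media_id -> (owner, filename)
    statuses: list = field(default_factory=list)  # published (author, text, files)
    _ids: count = field(default_factory=lambda: count(1234))  # sequential IDs

    def upload(self, owner, filename):
        media_id = next(self._ids)
        self.media[media_id] = (owner, filename)
        return media_id

    def post_unchecked(self, author, text, media_ids):
        # Behaviour described in the post: IDs resolve with no ownership check.
        files = [self.media[m][1] for m in media_ids]
        self.statuses.append((author, text, files))
        return files

    def post_checked(self, author, text, media_ids):
        # Hardened form: validate every ID before publishing anything, and use
        # one error for "unknown" and "not yours" so responses reveal nothing.
        files = []
        for m in media_ids:
            owner, filename = self.media.get(m, (None, None))
            if owner != author:
                raise Forbidden("media not found")
            files.append(filename)
        self.statuses.append((author, text, files))
        return files

def demo():
    inst = Instance()
    private_id = inst.upload("person_a", "private.jpg")  # sent privately to person_b
    own_id = inst.upload("person_c", "meme.png")
    leaked = inst.post_unchecked("person_c", "hi", [private_id])
    try:
        inst.post_checked("person_c", "hi", [own_id, private_id])
        blocked = False
    except Forbidden:
        blocked = True
    ok = inst.post_checked("person_c", "hi", [own_id])
    return leaked, blocked, ok, len(inst.statuses)
```

The checked path rejects the whole request before appending a status, so a mixed list of owned and foreign IDs publishes nothing.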
Good point, will remove the link just in case for other people.
I warned all of you >:D I’ll break out my 1337 speak translator!
I’m just happy I can publicly talk about it now and not have the anxiety of “Oh fuck what if someone else figures it out” while waiting for the update.
It wasn’t even that big of a leap for me to make, a lot of bot makers and contributors already knew about reusing IDs, I was just the first to actually test using other IDs.
I think Cassidyclown had a good theory about why this exploit exists which is “It was probably written before scope and gleasonchats, so it didn’t need that check”.
Mint and Kirino are bad boys who say the no no words :blobcatcomfcool:
@DocScranton To be clear, you don’t have to worry about it as a single-user instance but still update!
I discovered the exploit while thinking of how to make my insult bot send out insults faster, I had the idea of reusing previous Media Attachment IDs so that it didn’t have to repeatedly upload files.
I tested this and it worked so on a whim I said “Huh, I wonder if I could POST someone else’s Media Attachment ID in my API call” and that worked. It was then I thought “Huh… these IDs look like they’re just a sequential series of numbers… “
I then had a VERY devious idea to see if private chats and DMs used the same list, which I found out they do. I coupled both these pieces of information together and thought “I wonder if I could attach someone else’s private Media Attachment ID to a public post” and it turns out YES, YOU CAN
In conclusion: On any public instances NO photos were actually private and it would only take a bad actor looping through all IDs in the object table until he found the photos for them to be leaked.
My initial report can be found here: https://docs.google.com/document/d/1akVy15fpksV3QulTz5f37XeaR0Xxw-TnVc9TFSL_Rus/
Be sure to update Pleroma, it fixes a pretty major potential exploit.
To give context:
I found a huuuuuge exploit in Pleroma which (in my opinion) had the capacity to surpass the recent one in terms of damage to the userbase.
The reason for this simply being it did not require token hijacking and was able to be exploited by any user on any instance with around 30-40 lines of code.
It would have been super scary (scarier than spooky Kirino!!) But I sent it to the right people and an update has gone through that fixes it
You can all thank and give me praise later ^^
Also big ups to @cassidyclown for helping me run some tests when I first discovered the exploit and @mint for actually digging through the dumpster fire of a backend and submitting a merge request.
Yeah!! >:O I saved the world!! :D
yes
yes :D
Casual poster and lurker supreme!
076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.
All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.