Lemmy Security Advisory for Versions < `0.19.1`: Private message details leak. - Lemmy
lemmy.ml
The full description of the bug is in the linked issue above, but the short version is: Our CreatePrivateMessageReport endpoint had a bug that would allow anyone, not just the recipient, to create a report, and then receive the details about private messages. This allowed anyone to iterate over ids, creating thousands of reports in order to receive details about private messages. Since those reports are visible to admins, it would be easy to discover if someone was abusing this, and luckily we haven’t heard of anyone doing so on production instances (so far). If you haven’t, please be sure to upgrade to at least 0.19.1 for the fix. Many thanks to @Nothing4You for finding this one.

For those using Private message on Lemmy, there is a major vulnerability. It seems that this instance still runs 18.5

I know that our beloved admins are volunteers and busy, so I don’t blame them for not updating, but while waiting for the update be aware that your PM are as public as your comments

  • can@sh.itjust.worksEnglish
    0·
    4 months ago

    On the matrix chat TheDude mentioned he was made aware of the vulnerability a while ago and has already patched it.

    And in case you’re not aware, the direct messages here were never that private to begin with. Any admin of a federated instance has access so a bad actor could accomplish this with some dedication anyway.

    • Ziggurat@sh.itjust.worksOPEnglish
      0·
      4 months ago

      Good to know thas it was patched. Indeed, an issue with federated app is that, instance admin could be dishonest and spy us (while proprietary app will do it). But to my understanding the bug was fully public so a message like call me , on 0123 456 789 could reveal your phone number

      • can@sh.itjust.worksEnglish
        0·
        4 months ago

        Even with this patched I would not advise stating your phone number ending redirecting full security.