I think I was refreshing my profile or notifications page (forget which). As it was loading for ~1–2 seconds my screen color theme changed and in the top right corner I saw someone else’s userID, then it quickly reverted back to my theme and userID.

As fast as it happened I only took mental note of the first half of the other userID, which happened to match that of the admin. I described the colors I saw in that 1–2 second timeframe to the admin who confirmed it was indeed the color theme they configured for their environment (which differs from the default).

I clearly had the admin’s session for a second or two. It was so quick that a malicious user probably could not do anything malicious. But of course just as I have no idea how I apparently got the admin’s cookie for a second or two, I have no idea how I got back my cookie. Maybe if I had quickly hit ESC mid-loading the access breach could have been sustained.

#lemmyBug


As usual, this bug report is posted here because the official bug tracker is jailed in MS Github. I should add that Microsoft supports those responsible for the death of Hind Rajab by financing AnyVision, which is good cause to boycott Microsoft.

  • skankhunt42
    4 months ago

    If this is true, it probably shouldn’t be posted publicly… This is giving people who know how to exploit it an idea where to look and how to get in.

    • freedomPusher@sopuli.xyzOPM
      3 months ago

      Indeed it’s a shame the Lemmy project gives no instructions for privately reporting security bugs. We could call that a bug in itself. And sadly Lemmy is not in the official Debian repos (if it were, I think Debian’s bug tracker has built-in support for reporting security bugs {reportbug …--security-team}). They mirror to gitea instances but sadly they disabled the bug tracker in those more neutral venues (though it may not matter in this case since gitea seems to have no security bug reporting feature {“reported”, in a sense}).

      update

      I just realized I can DM them at their mastodon acct (which is tricky in Lemmy considering the UI does not support it – yet another bug!), so I did so. So if they request I delete this thread I will.

    • Synnr@sopuli.xyz
      4 months ago

      Normally I’d agree that unauthenticated privilege escalation to administrator account is something that should only ever be reported privately, but this sounds more like a caching bug on the sopuli instance, in which case OP didn’t actually have (theoretical) access to the cookie, although it may be something else. It also brings to attention the lack of published email and optional PGP for reporting. Though, that it was the admin account makes me wonder if the admin wasn’t tinkering with something, causing this to happen for a split second.

      @[email protected] I’m curious to hear the response from the admin, will you ping me if they don’t mind you sharing their response?

      • freedomPusher@sopuli.xyzOPM
        4 months ago

        The only interesting bit from the admin was to concur that the color theme I saw in fact matched their personal color theme. But I just put the admin in the loop here in case there is more to say.

          • freedomPusher@sopuli.xyzOPM
            4 months ago

            To add to that, there was probably at most a few minutes’ gap between what I experienced and sending the message.

          • Synnr@sopuli.xyz
            4 months ago

            I have seen a caching (I believe) issue on an nginx/Express service where the POST payload was valid but much larger than normally expected, and it returned all of the company’s customers’ orders in the queue instead of only ours. On refresh, it was fine. It never did get fixed as far as I know as they had trouble reproducing it even though I provided video and steps multiple times. I wasn’t able to produce a PoC script because it was linked to the order/payment process, and wouldn’t go through twice without payment. I don’t know for sure it was a caching issue in the end, but the similarity should be noted.
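
Added example, not part of the thread and not Lemmy or sopuli code: a toy model of the caching hypothesis raised in the comments above, where a shared cache keyed only on the path serves one user's rendered page to another, next to two corrected configurations. The session names, `/profile` path, theme values and all function names are constructed assumptions; nothing here establishes what actually happened on the instance.

```javascript
// Constructed toy model, not Lemmy or sopuli code. All names are hypothetical.
const SESSIONS = {
  "sess-admin": { user: "admin", theme: "custom-dark" },
  "sess-alice": { user: "alice", theme: "default" },
};

// Origin: renders the page for whoever owns the session cookie.
// markPrivate=false models the weak setting (personalised page declared cacheable).
function origin(req, markPrivate) {
  const s = SESSIONS[req.cookie];
  return {
    headers: { "cache-control": markPrivate ? "private, no-store" : "max-age=2" },
    body: `user=${s.user};theme=${s.theme}`,
  };
}

// Shared cache (reverse proxy role). keyFn decides what distinguishes two requests.
class SharedCache {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.store = new Map();
  }
  fetch(req, markPrivate) {
    const key = this.keyFn(req);
    if (this.store.has(key)) return { ...this.store.get(key), hit: true };
    const res = origin(req, markPrivate);
    // A compliant shared cache must not store private/no-store responses.
    if (!/private|no-store/.test(res.headers["cache-control"])) this.store.set(key, res);
    return { ...res, hit: false };
  }
}

// The admin loads the page first, then alice requests the same path.
function whatAliceSees(keyFn, markPrivate) {
  const cache = new SharedCache(keyFn);
  cache.fetch({ path: "/profile", cookie: "sess-admin" }, markPrivate);
  return cache.fetch({ path: "/profile", cookie: "sess-alice" }, markPrivate);
}

const byPath = (req) => req.path;                             // weak: ignores who is asking
const byPathAndCookie = (req) => `${req.path}|${req.cookie}`; // hardened key

console.log("weak:    ", whatAliceSees(byPath, false).body);
console.log("private: ", whatAliceSees(byPath, true).body);
console.log("keyed:   ", whatAliceSees(byPathAndCookie, false).body);
```

In the weak case the second user receives the first user's rendered page but never the session cookie itself, which is the distinction drawn in the thread between a caching bug and access to the admin's cookie.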