cross-posted from: https://lemmy.cat/post/6385

It is currently possible, through Lemmy’s API, to create accounts automatically and without limit if verification by email address or captcha is not activated. I’d advise you to activate one or both of them NOW!

After registering x number of accounts (currently I could do thousands), all you have to do is list all the existing communities for each of the account to publishes one new post per community, or more. I’ll leave you to picture the mess.

(I apologise to the administrators of sh.itjust.works, I should have done the test with my own server.)

  • Pekka@feddit.nl
    link
    fedilink
    arrow-up
    6
    ·
    2 years ago

    I was playing a bit with the API today and yea it might even be a bit too easy at the moment. You can easily use that army of Lemmy bots to upvote all your posts.

    We should probably make it very clear in tutorials and setup guides that no email verification and no captcha is very insecure.

    • retiolus@lemmy.catOP
      link
      fedilink
      arrow-up
      1
      ·
      2 years ago

      Stupid of me, I hadn’t thought about upvotes, but it’s clear that this is perhaps the most “quiet” and dangerous type of abuse.

  • PenguinLover@lemmy.ml
    link
    fedilink
    arrow-up
    5
    ·
    2 years ago

    This is indeed not an ideal situation, but I guess on most instances this isn’t possible. I agree instances should require a captcha of some sort for signing up.

  • pitninja@lemmy.pit.ninja
    link
    fedilink
    arrow-up
    4
    ·
    2 years ago

    I saw some small instance owners saying they were going to enable open registration and I couldn’t help thinking how bad an idea that sounded all around… For exactly a situation such as this inevitably emerging.

  • 𝖒𝖆𝖋@szmer.info
    link
    fedilink
    arrow-up
    2
    ·
    2 years ago

    +1 to that. Also the email domain matters. It’s relatively easy to set up hundreds of disposable emails on random domains vs ones like Gmail.

    Phone number is another solid anti abuse signal. SIM cards are harder to come by in large quantities.

  • ShortN0te@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    2 years ago

    Not sure how email verification should help. Just add a couple of line to role a email address and then open the verification link.