[update](Lemmy) security issue: spontaneous access given to admin’s account

I think I was refreshing my profile or notifications page (I forget which). As it was loading for ~1–2 seconds my screen color theme changed and in the top right corner I saw someone else’s userID, then it quickly reverted back to my theme and userID.

As fast as it happened I only took mental note of the first half of the other userID, which happened to match that of the admin. I described the colors I saw in that 1–2 second timeframe to the admin, who confirmed it was indeed the color theme they configured for their environment (which differs from the default).

I clearly had the admin’s session for a second or two. It was so quick that a malicious user probably could not do anything malicious. But of course just as I have no idea how I apparently got the admin’s cookie for a second or two, I have no idea how I got back my cookie. Maybe if I had quickly hit ESC mid-loading the access breach could have been sustained.


As usual, this bug report is posted here because the official bug tracker is jailed in MS Github. I should add that Microsoft supports those responsible for the death of Hind Rajab by financing AnyVision, which is good cause to boycott Microsoft.

freedomPusher (OP, Mod), edited:

UPDATE: it just now happened again, but this time not with the admin account (@QuentinCallaghan) but with another user account. I was refreshing my profile and the user @baltakatei appeared in the profile pulldown position on the page with my profile. This time I had time to take a screenshot before it changed:

https://sopuli.xyz/pictrs/image/dce7ed39-3bfa-4350-a6ed-aa7cb054866f.webp

It’s interesting that it shows my profile page but not as I see it. That is, when I visit my own profile page I normally have a “subscribed” sidebar. This shows what someone else would see if they visit my profile while they are logged in, which still differs from what a logged out profile looks like (as send msg options were given). So I wonder if I could have sent myself a msg.
