3mo
looked at the misskey vulnerabilities in question

,,, oh wow, they're bad
sylveon_shocked

essentially vulnerabilities allow spoofing posts (with a really simple exploit) and reading contents of any arbitrary post that the instance knows about (even external ones)

(there are also some other vulnerabilities, like imports working with files belonging to other people, as long as you know the id of the file, but fae sees those as pretty minor unless fae is missing something)
3mo
the vulnerability that allows spoofing posts is as simple as not providing cryptographic proof that the post came from the user who wrote it sylveon_shocked

yeah,,,

please update your instances asap, fae is very much serious
illy [Shrimple-mode] protomoji_orange_flag_lesbian @illyBytes@shrimp.imsofucking.gay
3mo
@sugar what the fuck 0_0
did they forget a Null check?

3mo
@illyBytes they forgot a return sylveon_uwu

github.com/misskey-dev/misskey/commit/b5d399674a89a3a8471444c4984b0d46068042e1
illy [Shrimple-mode] protomoji_orange_flag_lesbian @illyBytes@shrimp.imsofucking.gay
3mo
@sugar oop x33
illy [Shrimple-mode] protomoji_orange_flag_lesbian @illyBytes@shrimp.imsofucking.gay
3mo
@sugar so it errors but doesn't stop the execution x3 x.x