If those kids could read they'd be very upset

Careful, you might get banned from PieFed.

I'm amazed I'm not already 🤣

Really? I thought that you might be among the first.

haha same

I’m not sure what I’d have done if I’d found these. First I’d have considered how it’s poor form to broadcast zero-day vulnerabilities in public fora. I doubt PieFed is plugged in to the formal CVE process, but we do know how to communicate with the lead developer informally.

The lead developer may not be everyone’s favorite little guy lately, but he’s not the only one affected. Consider the admins of the Fediverse Anarchist Flotilla, for instance, who are running PieFed (and forks of PieFed).

I would CC the lead developer here, but he’s put me on his official shit list, so he wouldn’t have received it. Someone else will have to tell him.

cc Mia/@Quokka@quokk.au @db0@anarchist.nexus @unruffled@anarchist.nexus

If the lead developer was a decent human being, I probably would've handled this differently. I have little interest in interacting with them, but it is worth at least making people aware of these serious issues in the software.

Yeah, not a fan either; this affects so many people and will cause a big headache. My biggest worry honestly is that malicious actors will pore over all the rest with a finer-toothed comb and there is a data leak exposing people who are being harassed on the regular. Or vulnerable groups such as trans folks.

So your response to Rimu's actions is to fuck over hundreds of people, whilst judging his behaviour and seeing your own as righteous?

This was a dick move.

@ada@lemmy.blahaj.zone because there is a blahaj piefed

PieFed is really testing that old adage never to assume malice when incompetence suffices.

So pf is literally bad for the threadiverse at a technical level. It doesn't really matter if this came from malicious intent or just rushed vibe coding or anything else because the result is a threat to the entire activity pub federation model regardless.

Definitely seems like defederation is warranted until there's a competent code audit and fixes.

Yeah, it should literally be treated as malware as long as these kinds of security issues persist.

😬

I find it amusing this is posted here

care to share why?

The developer who made these mistakes probably has ml blocked

Normally, their echo chamber would guarantee that they'll make more mistakes like this; but given its sudden meteoric rise, it's clear that they're getting outside help from somewhere that guarantees that they'll step up their game.

I see you really want to enter in the cool kids list

I'm deeply insulted I'm not on it already.

Reporter: [REDACTED]
Reason: irresponsible disclosure of zero day vulnerability

Are these confirmed to work?

I haven't tried maliciously attacking piefed instances if that's what you're asking, but these bugs are absolutely real. I did poke around to confirm the bits the LLM found.

No but like spun up a local testing instance to confirm them? Or are you confident enough that they are real just by reading the code?

I'm quite confident just from reading the code, cause you can see exactly where the security breaks. Honestly, this is really basic stuff, and it's kind of shocking. Like in the case of the signature, there's no logical reason not to reject the activity as soon as auth fails, but instead it just happily marches on. Incidentally, another thing that's worth noting is just how threadbare the test harness for the project is. Some of the issues would've been caught if there was better testing for authentication flows.
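The failure mode described in that comment, an inbox that notes a failed signature check and then keeps processing the activity, next to the fail-closed form, as an added example that is not PieFed's code. It uses HMAC-SHA256 with a constructed shared secret as a stand-in for the RSA-SHA256 HTTP Signatures real ActivityPub servers use, so it runs on the standard library alone; the key ID, header set and sample request are constructed.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"   # stand-in for the remote actor's key
SIGNED = ["(request-target)", "host", "date", "digest"]  # headers covered

def parse_signature_header(value):
    """Parse keyId="...",headers="...",signature="..." into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def signing_string(method, path, headers, names):
    """Build the draft-cavage signing string from the named headers."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")  # KeyError if absent
    return "\n".join(lines)

def sign(method, path, headers):
    """Sender side: add a Signature header (HMAC stand-in for RSA-SHA256)."""
    msg = signing_string(method, path, headers, SIGNED)
    sig = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    names = " ".join(SIGNED)
    header = f'keyId="https://example.test/actor#main-key",headers="{names}",signature="{sig}"'
    return {**headers, "signature": header}

def verify(method, path, headers):
    """Receiver side: True only if every covered header verifies."""
    params = parse_signature_header(headers.get("signature", ""))
    if not {"keyId", "headers", "signature"} <= params.keys():
        return False                      # malformed or missing header
    try:
        msg = signing_string(method, path, headers, params["headers"].split())
    except KeyError:
        return False                      # a covered header is absent
    expected = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params["signature"])

def inbox_fail_open(method, path, headers, activity, deliver):
    """The pattern the thread describes: failure is noted, processing continues."""
    if not verify(method, path, headers):
        print("signature check failed")   # ...and marches on regardless
    deliver(activity)
    return 202

def inbox_fail_closed(method, path, headers, activity, deliver):
    """Hardened form: no side effect happens before verification succeeds."""
    if not verify(method, path, headers):
        return 401
    deliver(activity)
    return 202
```

A test for the authentication flow only needs to assert that a tampered or unsigned request never reaches `deliver`, which is the kind of check the comment says the project's harness lacks.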

Move fast and silence tankies.

🤣

Edit: removed my comment, I was being unnecessarily snarky.