I hope this is obvious, but I wanted to get it out there because of how important it is.

If your client allows user-entered Lemmy instances, ALWAYS verify that the instance is a valid Lemmy instance before sending credentials over. Otherwise, the user may have entered a URL to an unknown server or site, and you will be sending their login credentials to a server that may be logging and storing the request or even intentionally trying to capture these credentials.

Instead, call getSite at the very least, or use a public list of verified servers before making the login request.

I would not be surprised if down the road malicious sites with similar domains to popular instances will be created to get login details of users who mis-typed their instance domain. It’s partially our responsibility to make sure our users are safe, so let’s keep this discussion going as we learn new ways to handle security concerns!
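Here is one way to implement the check described above in a client, as an added example that is not part of the original post and is not code from any Lemmy client. It assumes the Lemmy v3 HTTP API as documented at the time: `GET /api/v3/site` returns a JSON object with `site_view.site.actor_id` and a `version` string, and `POST /api/v3/user/login` takes `username_or_email` and `password` and returns a `jwt`. The sample `/api/v3/site` response is constructed, and the `fetch`/`post` parameters exist only so the example runs offline. It goes slightly beyond the post in two ways: it refuses plain `http://` so the password never travels unencrypted, and it compares the `actor_id` host with the host the user typed, which catches a lookalike domain that merely reverse-proxies a real instance's `/api/v3/site`.

```python
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a GET /api/v3/site response, trimmed to the fields this
# check relies on (field names as in the Lemmy v3 API; the rest is ignored).
SAMPLE_SITE_RESPONSE = {
    "site_view": {"site": {"name": "Example Lemmy", "actor_id": "https://lemmy.example/"}},
    "version": "0.19.3",
}


def normalize_instance(user_input: str) -> str:
    """Turn whatever the user typed ("Lemmy.World", "https://lemmy.world/c/foo")
    into a canonical "https://host[:port]" base. Plain http is refused so the
    password can never leave the client unencrypted."""
    raw = user_input.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("instance URL must use https")
    if not parts.hostname:
        raise ValueError("instance URL has no hostname")
    if parts.username or parts.password:
        raise ValueError("userinfo in instance URL is not allowed")
    netloc = parts.hostname  # already lower-cased by urlsplit
    if parts.port not in (None, 443):
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit(("https", netloc, "", "", ""))


def looks_like_lemmy(site_json, expected_base: str) -> bool:
    """Structural check of a /api/v3/site payload plus a host comparison.
    A lookalike domain that reverse-proxies a real instance's /api/v3/site
    passes a shape-only test, but its actor_id still names the real instance,
    not the host the user typed, so the comparison rejects it."""
    try:
        actor = urlsplit(site_json["site_view"]["site"]["actor_id"])
        version = site_json["version"]
    except (KeyError, TypeError):
        return False
    if not isinstance(version, str) or not version:
        return False
    return actor.scheme == "https" and actor.hostname == urlsplit(expected_base).hostname


def fetch_site(base: str, timeout: float = 10.0):
    """Live GET of /api/v3/site; separate so tests can substitute a stub."""
    req = urllib.request.Request(base + "/api/v3/site", headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def post_json(url: str, body):
    """Live JSON POST; also swappable for a stub in tests."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10.0) as resp:
        return json.load(resp)


def verify_instance(user_input: str, allowlist=None, fetch=fetch_site) -> str:
    """Return the canonical base URL only if the instance passes verification.
    If an allowlist of known instance hosts is given, the typed host must be on
    it (this is what catches a modified Lemmy that quietly logs passwords).
    The /api/v3/site check runs in every case."""
    base = normalize_instance(user_input)
    host = urlsplit(base).hostname
    if allowlist is not None and host not in allowlist:
        raise ValueError(f"{host} is not on the list of known Lemmy instances")
    if not looks_like_lemmy(fetch(base), base):
        raise ValueError(f"{host} does not answer like a Lemmy instance")
    return base


def login(user_input, username, password, allowlist=None, fetch=fetch_site, post=post_json) -> str:
    """Verify first, then POST /api/v3/user/login and return the JWT.
    The credentials are never sent unless verify_instance succeeded."""
    base = verify_instance(user_input, allowlist=allowlist, fetch=fetch)
    reply = post(base + "/api/v3/user/login",
                 {"username_or_email": username, "password": password})
    return reply["jwt"]


if __name__ == "__main__":
    # Offline demo with stubs standing in for the network.
    stub_fetch = lambda base: SAMPLE_SITE_RESPONSE
    stub_post = lambda url, body: {"jwt": "demo-token"}
    print(login("Lemmy.Example/", "alice", "hunter2", fetch=stub_fetch, post=stub_post))
    try:  # lookalike host proxying the real instance: refused before any POST
        login("lemmy-example.net", "alice", "hunter2", fetch=stub_fetch, post=stub_post)
    except ValueError as e:
        print("refused:", e)
```

The `allowlist` path is the stronger of the two checks: `looks_like_lemmy` only proves that something speaking the Lemmy API answers at that host, not that its operator is honest, so a client that can ship or fetch a list of known instances should use it and fall back to the `/api/v3/site` check for hosts the user insists on adding.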

  • @canpolat · 5 · 11 months ago

    I think this may also be a problem with malicious clients. Currently the user enters the username and password via the client’s login dialog. It’s an effective way to collect credentials.

    • silas (OP) · 5 · 11 months ago

      Yes, you're right; implementing OAuth or similar would fix this.

      • @[email protected] (M) · 4 · 11 months ago

        I really hope we get OAuth support soon. Other fediverse apps (i.e. Mastodon) already implement this, so that should help roadmap a path forward for Lemmy.

  • @[email protected] · 4 · 11 months ago

    Good tip. Wrote this up as a bug against my project. It's not a foolproof solution (a malicious attacker could have set up a Lemmy instance modified to save off credentials), but it's probably a good idea.