I hope this is obvious, but I wanted to get it out there because of how important it is.

If your client allows user-entered Lemmy instances, ALWAYS verify that the instance is a valid Lemmy instance before sending credentials over. Otherwise, the user may have entered a URL to an unknown server or site, and you will be sending their login credentials to a server that may be logging and storing the request or even intentionally trying to capture these credentials.

Instead, call getSite at the very least, or use a public list of verified servers before making the login request.

I would not be surprised if down the road malicious sites with similar domains to popular instances will be created to get login details of users who mistyped their instance domain. It’s partially our responsibility to make sure our users are safe, so let’s keep this discussion going as we learn new ways to handle security concerns!
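An added example of the check described above (not code from this thread or from any Lemmy client): it normalizes the user-typed instance, calls GET /api/v3/site (the endpoint getSite wraps), and only POSTs to /api/v3/user/login once the reply has the shape of a Lemmy site response. The allowlist contents and the injectable fetch parameter are assumptions made for illustration.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Assumption: instances the client has already vetted. lemm.ee is named in the
# thread; add others only after checking them yourself.
KNOWN_INSTANCES = {"lemm.ee"}

def normalize_instance(user_input: str) -> str:
    """Reduce whatever the user typed to a bare hostname; refuse anything that is not https."""
    raw = user_input.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("instance must be reachable over https")
    return parts.hostname.lower()

def looks_like_lemmy_site(payload) -> bool:
    """Shape check on a GET /api/v3/site reply: Lemmy returns site_view.site.name and a version string."""
    try:
        return isinstance(payload["site_view"]["site"]["name"], str) and isinstance(payload["version"], str)
    except (KeyError, TypeError):
        return False

def default_fetch(url: str) -> dict:
    """Real network GET; verify_instance takes it as a parameter so it can be swapped out offline."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def verify_instance(user_input: str, fetch=default_fetch) -> str:
    """Return the verified hostname or raise; allowlisted hosts skip the round-trip."""
    host = normalize_instance(user_input)
    if host in KNOWN_INSTANCES:
        return host
    if not looks_like_lemmy_site(fetch(f"https://{host}/api/v3/site")):
        raise ValueError(f"{host} did not answer like a Lemmy instance; credentials not sent")
    return host

def login(user_input: str, username: str, password: str, fetch=default_fetch) -> dict:
    """Credentials leave the device only after verify_instance has succeeded."""
    host = verify_instance(user_input, fetch)
    body = json.dumps({"username_or_email": username, "password": password}).encode()
    req = urllib.request.Request(f"https://{host}/api/v3/user/login", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

A lookalike domain that serves a login page instead of the site JSON fails the shape check, so the password never leaves the client.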

  • canpolat · 5 upvotes · 1 year ago

    I think this may also be a problem with malicious clients. Currently the user enters the username and password via the client’s login dialog. It’s an effective way to collect credentials.

    • silas (OP) · 5 upvotes · 1 year ago

      Yes, you’re right, implementing OAuth or similar would fix this.

      • Prefix@lemm.ee (mod) · 4 upvotes · 1 year ago

        I really hope we get OAuth support soon. Other fediverse apps (i.e. Mastodon) already implement this, so that should help roadmap a path forward for Lemmy.