this post was submitted on 04 Aug 2023
103 points (96.4% liked)

Lemmy

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

Found this when logging into the Lemmy.world Place canvas

https://canvas.toast.ooo/

top 22 comments
[–] Saik0Shinigami@lemmy.saik0.com 29 points 1 year ago (1 children)

While the login system works...

It's ripe for abuse though. DMs are federated traffic and are not cryptographically secured in any form. So in theory a bad actor instance admin could spawn unlimited accounts and login... Or just sniff incoming requests from whatever instance this traffic is spawned from and obtain the login code.

For something like this, probably fine... But I wouldn't use it for anything else, nor would I trust any app that does use this system.

[–] Shadow@lemmy.ca 8 points 1 year ago* (last edited 1 year ago) (1 children)

Their original system required you to enter your creds + OTP, so this is a huge improvement 🤣

[–] Saik0Shinigami@lemmy.saik0.com 1 points 1 year ago (1 children)

That's how I just logged in.

Gave instance, username on instance, and received inbox message on my lemmy instance. (also sniffed the message cause I was curious since I'm my instance admin)

[–] lemann@lemmy.one 1 points 1 year ago (1 children)

I think the original commenter meant "username+password+your Lemmy 2FA OTP" by creds

[–] Saik0Shinigami@lemmy.saik0.com

I think they meant that too... But that's not what was provided to login.

I would not give up my instance password to another person. The list I provided was what I specifically provided.

[–] mvirts@lemmy.world 15 points 1 year ago

Quick! Everyone log in as osrsneedsf2p@lemmy.ml before the code expires :P

[–] shootwhatsmyname@lemm.ee 11 points 1 year ago

This is just an OTP, not technically OAuth, right?

[–] mojo@lemm.ee 8 points 1 year ago (2 children)

I've seen you on the reddit alternatives sub, voat, ruqqus, and now here lmao. One day you'll get a non member osrs account.

[–] OsrsNeedsF2P@lemmy.ml 6 points 1 year ago (1 children)

What was your name on Ruqqus? That place was great, minus the rampant racism.

The Ruqqus shutdown last year is what made me come to Lemmy full-time; it taught me a good lesson on why you need federation.

[–] mojo@lemm.ee 6 points 1 year ago (1 children)

My username was randomly generated and was 47RX6h. I mostly went on there to argue with right wingers but really I was just wasting my time lol. I got banned from most of the communities on there.

[–] OsrsNeedsF2P@lemmy.ml 3 points 1 year ago (1 children)

Oh wait, were you the one who started +OpenLeft?? I took over that community when you quit

[–] mojo@lemm.ee 3 points 1 year ago

Nah starting communities is way too much effort, but I was arguing left wing talking points on the site

[–] AnarchoYeasty@beehaw.org -2 points 1 year ago (1 children)

Voat is Nazi trash. Why were you and OP on there enough for you to recognize him?

[–] mojo@lemm.ee 4 points 1 year ago (2 children)

This was like within the first few months of Voat during one of the Reddit exoduses. I was on it for like a week in some meditation communities. Then yeah it pretty quickly turned into Nazi shit. Ruqqus was also Nazi shit.

[–] jerome@kbin.social 4 points 1 year ago* (last edited 1 year ago)

I did that too. It took me 5 mins.

[–] AnarchoYeasty@beehaw.org 2 points 1 year ago

Ruqqus? Is that named after Uncle Ruckus? Or just similar names.

[–] Psythik@lemm.ee 4 points 1 year ago (1 children)
[–] OneRedFox@beehaw.org 1 points 1 year ago

It's an open standard for granting clients access to APIs without needing to hand over things like your password each time.

[–] bappity@lemmy.world 3 points 1 year ago (1 children)

Do I understand this correctly: it requires you to log in to check your PMs for the code you need to log in?

[–] Shadow@lemmy.ca 14 points 1 year ago (1 children)

No, you don't understand correctly. You log in to your Lemmy account to get a code so you can log in to Canvas.

[–] bappity@lemmy.world 2 points 1 year ago
[–] A10@kerala.party 1 points 1 year ago

So far no bot infestations; was able to place some tiles and not get run over by country flags... yet.