Comments plugin does not properly validate password hash. When addMessage endpoint is called, one can change loginData.username value to any existing username and impersonate any existing person in chat. While no important user data is stolen, this can certainly confuse people in the comment box. It is not reproducible consistently though, I wasn’t able to find out what exactly is causing this behavior. If you can’t reproduce, you can let me know and I will record a video.

    • @perchanceM
      link
      English
      24 months ago

      Oh, wow, thanks!! Some stuff was getting cached in a way that it very obviously shouldn’t have been 😬 Can you please test again just to triple-check it’s fixed? (I’ve already double-checked the code…)

      • @perplexityOP
        link
        English
        1
        edit-2
        4 months ago

        Gave it a quick test just now, seems to be working properly. Thank you!