Hey everyone! I just had something rather weird and concerning happen. While browsing Lemmy through the default web interface, I clicked on a post link and got the usual server error. I refreshed the page and got the same thing. Then, I refreshed a second time and while the post loaded, I was a bit perplexed as my Lemmy theme was completely different. I thought that was weird, so I decided to go to Settings. That’s when I realized that the username in the top right corner was not my own. Instead of “Shrinra”, it showed “aeharding”! I clicked the link for Settings just to see what would happen, and thankfully, it threw me out of the session entirely. In fact, my actual session was gone and I had to log back in.

A part of me thinks I am crazy. Has anyone else experienced this? If so, is it a known security issue? It is more than a bit concerning to think that someone else may be able to access someone else’s session just by navigating to a certain page.

Thanks!

    • @ShrinraOP
      7 · 1 year ago

      Yep, I am familiar. :) It’s hard to not be with how popular wefwef/Voyager is.

    • @Blamemeta
      English
      5 · 1 year ago

      Probably has some hard coded creds for dev work, and forgot to remove them.

      • @aeharding
        English
        8 · 1 year ago

        This is an issue with Lemmy-ui which I have nothing to do with. I probably just won the lottery of being displayed as logged in. 😛

      • @kuneho
        1 · 1 year ago

        or just a placeholder