Hey everyone! I just had something rather weird and concerning happen. While browsing Lemmy through the default web interface, I clicked on a post link and got the usual server error. I refreshed the page and got the same thing. Then, I refreshed a second time and while the post loaded, I was a bit perplexed as my Lemmy theme was completely different. I thought that was weird, so I decided to go to Settings. That’s when I realized that the username in the top right corner was not my own. Instead of “Shrinra”, it showed “aeharding”! I clicked the link for Settings just to see what would happen, and thankfully, it threw me out of the session entirely. In fact, my actual session was gone and I had to log back in.

A part of me thinks I am crazy. Has anyone else experienced this? If so, is it a known security issue? It is more than a bit concerning to think that someone else may be able to access someone else’s session just by navigating to a certain page.

Thanks!

    • @Shrinra (OP)
      7 · 1 year ago

      Yep, I am familiar. :) It’s hard to not be with how popular wefwef/Voyager is.

    • @Blamemeta
      5 · 1 year ago

      Probably has some hard coded creds for dev work, and forgot to remove them.

      • @aeharding
        8 · 1 year ago

        This is an issue with Lemmy-ui which I have nothing to do with. I probably just won the lottery of being displayed as logged in. 😛

      • @kuneho
        1 · 1 year ago

        or just a placeholder

  • AlmightySnoo 🐢🇮🇱🇺🇦
    6 · 1 year ago

    Happened to me too once, I saw a completely different username in the top bar, then it quickly reverted to my username once I clicked somewhere else. I thought it was just a glitch at the time as the instance was very buggy, that was before this instance updated to a 0.18.1 rc I think. Never happened again since then and I don’t know how to reproduce it.

    • @[email protected]
      3 · 1 year ago

      The random user switching had been happening occasionally until some update a month ago, something to do with stale websockets. Never heard of anyone successfully exploiting it, like making posts or seeing PMs. All you get is to see someone else’s username. OP, if it happens to you again, try to make a post quickly before the session throws you out to prove whether it is a security risk!

  • @CapeData
    3 · 1 year ago

    This also happened to me. I believe it was after a system update. Hasn’t occurred again.

  • Quinten
    1 · 1 year ago

    Hi!

    When exactly did it occur? Was it during the system update? Did you have the time to click on your profile to see where it redirects to?

    It also seems like a Lemmy issue rather than a lemmy.world issue, since I have also read some things about it on another instance.

    Would love to hear if you have the answers to the questions above. You can also submit an issue on Lemmy’s GitHub to notify the developers.