I hope this is obvious, but I wanted to get it out there because of how important it is.

If your client allows user-entered Lemmy instances, ALWAYS verify that the instance is a valid Lemmy instance before sending credentials over. Otherwise, the user may have entered a URL to an unknown server or site, and you will be sending their login credentials to a server that may be logging and storing the request or even intentionally trying to capture these credentials.

Instead, call getSite at the very least, or use a public list of verified servers before making the login request.

I would not be surprised if down the road malicious sites with similar domains to popular instances will be created to get login details of users who mistyped their instance domain. It’s partially our responsibility to make sure our users are safe, so let’s keep this discussion going as we learn new ways to handle security concerns!
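An added example (not code from the post or from the Lemmy project) of the gate the post recommends: the instance string is normalized to an https host, a getSite call is checked for Lemmy's response shape, an optional verified-server list is consulted, and only then is the login request built. It assumes Lemmy's v3 HTTP paths `/api/v3/site` and `/api/v3/user/login` and that getSite returns `version` and `site_view.site.actor_id`; the HTTP calls are injected so constructed responses stand in for real servers.

```python
from urllib.parse import urlsplit

# Assumed Lemmy v3 API paths (assumption, not from the post).
SITE_PATH = "/api/v3/site"
LOGIN_PATH = "/api/v3/user/login"

def normalize_instance(user_input: str) -> str:
    """Return 'https://host' for what the user typed, or raise ValueError."""
    text = user_input.strip()
    if "://" not in text:
        text = "https://" + text
    p = urlsplit(text)
    # https only, and a bare host: no userinfo, path, query or fragment
    if p.scheme != "https" or not p.hostname or p.username:
        raise ValueError(f"not an https host: {user_input!r}")
    if p.path not in ("", "/") or p.query or p.fragment:
        raise ValueError(f"instance must be a bare host: {user_input!r}")
    return f"https://{p.netloc.lower()}"

def looks_like_lemmy(site_json: dict, host: str) -> bool:
    """Shape check on a getSite reply: a version string plus a site actor_id
    whose domain is the host we actually connected to (assumed field names)."""
    site = (site_json.get("site_view") or {}).get("site") or {}
    actor_id = str(site.get("actor_id") or "")
    return (isinstance(site_json.get("version"), str)
            and urlsplit(actor_id).hostname == host)

def login(instance_input, username, password, get_json, post_json, allowlist=None):
    """Send credentials only after the instance passes every check."""
    base = normalize_instance(instance_input)
    host = urlsplit(base).hostname
    if allowlist is not None and host not in allowlist:
        raise ValueError(f"{host} is not on the verified instance list")
    if not looks_like_lemmy(get_json(base + SITE_PATH), host):
        raise ValueError(f"{host} did not answer getSite like a Lemmy instance")
    return post_json(base + LOGIN_PATH,
                     {"username_or_email": username, "password": password})

# Constructed stand-ins for the network: one Lemmy-shaped host, anything else is not.
FAKE_SITES = {
    "https://lemmy.example/api/v3/site": {"version": "0.19.0", "site_view": {"site": {"actor_id": "https://lemmy.example/"}}},
}
def fake_get(url): return FAKE_SITES.get(url, {"status": "ok"})
def fake_post(url, body): return {"jwt": "constructed-token", "sent_to": url}

def attempt(instance, allowlist=None):
    """Run the flow against the fakes; returns the login reply or the refusal reason."""
    try:
        return login(instance, "alice", "pw", fake_get, fake_post, allowlist)
    except ValueError as e:
        return {"refused": str(e)}
```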

  • canpolat@programming.dev (5 upvotes, 1 year ago)

    I think this may also be a problem with malicious clients. Currently the user enters the username and password via the client’s login dialog. It’s an effective way to collect credentials.

      • Prefix@lemm.ee (moderator; 3 upvotes, 1 year ago)

        I really hope we get OAuth support soon. Other fediverse apps (i.e. Mastodon) already implement this, so that should help roadmap a path forward for Lemmy.

  • CMahaff@lemmy.world (4 upvotes, 1 year ago)

    Good tip. Wrote this up as a bug against my project. It’s not a foolproof solution (a malicious attacker could have set up a Lemmy instance modified to save off credentials), but it’s probably a good idea.