I hope this is obvious, but I wanted to get it out there because of how important it is.

If your client allows user-entered Lemmy instances, ALWAYS verify that the instance is a valid Lemmy instance before sending credentials over. Otherwise, the user may have entered a URL to an unknown server or site, and you will be sending their login credentials to a server that may be logging and storing the request or even intentionally trying to capture these credentials.

Instead, call getSite at the very least, or use a public list of verified servers before making the login request.

I would not be surprised if down the road malicious sites with similar domains to popular instances will be created to get login details of users who mis-typed their instance domain. It’s partially our responsibility to make sure our users are safe, so let’s keep this discussion going as we learn new ways to handle security concerns!
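Added example (not code from the original post or from any Lemmy client): one way a client could gate its login call on the checks the post describes. It normalizes what the user typed into a bare host, optionally requires the host to be on a list of verified servers, then calls `GET /api/v3/site` and accepts the instance only if the reply parses as JSON and names that same host in `site_view.site.actor_id`. The endpoint and field names are from the public Lemmy API but are treated here as assumptions; the responses are constructed stand-ins and the network call is injected so the module runs offline.

```python
"""Gate a Lemmy client's login on verifying the user-entered instance first.

Hypothetical helper, not part of any Lemmy client. Assumes the Lemmy HTTP API
exposes GET /api/v3/site whose JSON reply carries `site_view.site.actor_id`
and a `version` string (treated as assumptions). `fetch` is injected so the
module runs offline against constructed responses.
"""
import json
import re
from urllib.parse import urlparse

SITE_PATH = "/api/v3/site"
# Public hostname: dotted labels, letters/digits/hyphens, alphabetic TLD.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize_instance(user_input: str):
    """Turn 'lemmy.world', 'https://Lemmy.World/' etc. into a bare lowercase host.

    Returns None for anything that is not a plausible public hostname; userinfo,
    ports, paths, queries and IP literals are rejected on purpose so that a
    pasted link cannot smuggle credentials or a path into the request."""
    text = user_input.strip().lower()
    if "://" not in text:
        text = "https://" + text
    parsed = urlparse(text)
    try:
        if parsed.scheme != "https" or parsed.username or parsed.password or parsed.port:
            return None
    except ValueError:          # non-numeric port
        return None
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        return None
    host = parsed.hostname or ""
    return host if HOST_RE.match(host) else None


def site_response_matches(host: str, body: bytes) -> bool:
    """True only if `body` parses as a GetSite reply that claims to be `host`."""
    try:
        data = json.loads(body)
    except ValueError:          # HTML error page, login form, anything non-JSON
        return False
    if not isinstance(data, dict):
        return False
    actor_id = ((data.get("site_view") or {}).get("site") or {}).get("actor_id")
    version = data.get("version")
    if not isinstance(actor_id, str) or not isinstance(version, str):
        return False
    # The instance must identify itself as exactly this host: a domain that
    # merely reverse-proxies another instance's /site reply fails this check.
    actor = urlparse(actor_id)
    return actor.scheme == "https" and actor.hostname == host


def verify_instance(user_input: str, fetch, allowlist=None):
    """Return (host, reason); host is None when the login must not proceed.

    `fetch(url)` returns (status, body_bytes). `allowlist`, if given, is a set of
    hosts taken from a public list of verified servers."""
    host = normalize_instance(user_input)
    if host is None:
        return None, "not a valid hostname"
    if allowlist is not None and host not in allowlist:
        return None, "not on the verified-server list"
    try:
        status, body = fetch(f"https://{host}{SITE_PATH}")
    except OSError as exc:
        return None, f"unreachable: {exc}"
    if status != 200 or not site_response_matches(host, body):
        return None, "did not answer like a Lemmy instance"
    return host, "ok"


# Constructed responses standing in for the network; not real captures.
FAKE_SERVERS = {
    "https://lemmy.world/api/v3/site": (200, json.dumps({
        "site_view": {"site": {"name": "Lemmy.World", "actor_id": "https://lemmy.world/"}},
        "version": "0.19.3"}).encode()),
    # Lookalike that serves an HTML login form instead of the API.
    "https://phish.example/api/v3/site": (200, b"<html><form action='/login'></form></html>"),
    # Domain that forwards another instance's real /site reply.
    "https://mirror.example/api/v3/site": (200, json.dumps({
        "site_view": {"site": {"actor_id": "https://lemmy.world/"}},
        "version": "0.19.3"}).encode()),
}


def fake_fetch(url):
    if url not in FAKE_SERVERS:
        raise OSError("connection refused")
    return FAKE_SERVERS[url]


if __name__ == "__main__":
    for entry in ["lemmy.world", "https://Lemmy.World/", "phish.example",
                  "mirror.example", "nope.example", "user@lemmy.world"]:
        print(f"{entry!r:28} -> {verify_instance(entry, fake_fetch)}")
```

The `actor_id` comparison is what makes the `getSite` probe worth more than a "does it return JSON" check, but it only confirms the server runs something that answers like Lemmy for that domain; a deliberately modified instance still passes, which is why the allowlist option is there for clients that want to go further.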

  • CMahaff@lemmy.world · 1 year ago

    Good tip. Wrote this up as a bug against my project. It’s not a foolproof solution (malicious attacker could have set up a Lemmy instance modified to save off credentials) but it’s probably a good idea.