sh.itjust.works Main Community

7730 readers

1 users here now

Home of the sh.itjust.works instance.

founded 1 year ago

MODERATORS

Lemmy Security Advisory for Versions < 0.19.1: Private message details leak. [X post from [email protected]] (lemmy.ml)

submitted 10 months ago by Ziggurat to c/main

6 comments fedilink hide all child comments

For those using Private message on Lemmy, there is a major vulnerability. It seems that this instance still runs 18.5

I know that our beloved admins are volunteers and busy, so I don't blame them for not updating, but while waiting for the update be aware that your PM are as public as your comments

you are viewing a single comment's thread
view the rest of the comments

[–] Ziggurat 3 points 10 months ago (2 children)

Good to know thas it was patched. Indeed, an issue with federated app is that, instance admin could be dishonest and spy us (while proprietary app will do it). But to my understanding the bug was fully public so a message like call me , on 0123 456 789 could reveal your phone number

[–] can 4 points 10 months ago* (last edited 10 months ago)

Even with this patched I would not advise stating your phone number expecting full security.

[–] InEnduringGrowStrong 1 points 9 months ago

I can confirm that DMs are not encrypted and are stored in clear text and therefore could technically be read by admins with database access.
While we are not actively looking or browsing through DMs, I'd still recommend not sharing anything sensitive through lemmy DMs and instead use something like Matrix or Signal.