this post was submitted on 26 Jan 2024
44 points (100.0% liked)

sh.itjust.works Main Community

7725 readers
2 users here now

Home of the sh.itjust.works instance.

Matrix

founded 1 year ago
MODERATORS
 

For those using Private message on Lemmy, there is a major vulnerability. It seems that this instance still runs 18.5

I know that our beloved admins are volunteers and busy, so I don't blame them for not updating, but while waiting for the update be aware that your PM are as public as your comments

top 6 comments
sorted by: hot top controversial new old
[–] [email protected] 11 points 9 months ago (1 children)

Lemmy has pretty lousy security in general, so really nobody should be storing any data on their Lemmy account that is important. Password, username, and any personally identifying information should never be shared across multiple sites or with other users, but this is just cybersecurity 100.

[–] sugar_in_your_tea 1 points 9 months ago

Exactly. I don't even have my email connected because I'd rather not get a ton of spam when Lemmy gets hacked.

I did the same for Reddit, and I avoid any SM that requires me to associate my identity with it in any way.

[–] can 8 points 9 months ago* (last edited 9 months ago) (1 children)

On the matrix chat TheDude mentioned he was made aware of the vulnerability a while ago and has already patched it.

And in case you're not aware, the direct messages here were never that private to begin with. Any admin of a federated instance has access so a bad actor could accomplish this with some dedication anyway.

[–] Ziggurat 3 points 9 months ago (2 children)

Good to know thas it was patched. Indeed, an issue with federated app is that, instance admin could be dishonest and spy us (while proprietary app will do it). But to my understanding the bug was fully public so a message like call me , on 0123 456 789 could reveal your phone number

[–] can 4 points 9 months ago* (last edited 9 months ago)

Even with this patched I would not advise stating your phone number expecting full security.

[–] InEnduringGrowStrong 1 points 9 months ago

I can confirm that DMs are not encrypted and are stored in clear text and therefore could technically be read by admins with database access.
While we are not actively looking or browsing through DMs, I'd still recommend not sharing anything sensitive through lemmy DMs and instead use something like Matrix or Signal.