1
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 19 Mar 2025
1 points (66.7% liked)
Voyager
6290 readers
4 users here now
The official lemmy community for Voyager, an open source, mobile-first client for lemmy.
Rules
- Be nice.
- lemmy.world instance policy
Sponsor development! 👇
💙
founded 2 years ago
MODERATORS
You would only be able to login this way with your username. If you by mistake use your email, then it simply doesn’t resolve to a Lemmy server and the login fails.
Meldrik@notlemmyserver.com would simply fail, because that Lemmy instance does not exist.
But what if it does exist? But your have an email server on the same domain? Or what if that domain is being malicious and masquerading as a Lemmy instance to steal your credentials?
It doesn’t matter if there’s an email server or not.
I am not logging in with the credentials “meldrik@lemmy.wtf”. I am telling Voyager that I want to log into “Lemmy.wtf” with my user “Meldrik”. Before I type a password, the app will check if “Lemmy.wtf” exists and maybe even check if there is in fact a user named “Meldrik”. If all are true, then it will ask for password.
Something like that. I don’t know how Voyager works 😁
that’s still making assumptions about where you want to login to. The fact is that you can login, today, to Lemmy.world with “username” of “me@lemmy.wtf” assuming Lemmy.wtf has an email server setup. And it’s not a safe assumption because users DO have email addresses saved in their passwords manager as a username for whatever random instance, and there should be a 0% chance of sending user credentials to the wrong domain.
I can’t just trust that domain to say they’re a Lemmy instance, and there is a user with that username on the domain. That’s trivial to exploit.