1
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 19 Mar 2025
1 points (66.7% liked)
Voyager
6290 readers
4 users here now
The official lemmy community for Voyager, an open source, mobile-first client for lemmy.
Rules
- Be nice.
- lemmy.world instance policy
Sponsor development! 👇
💙
founded 2 years ago
MODERATORS
It doesn’t matter if there’s an email server or not.
I am not logging in with the credentials “meldrik@lemmy.wtf”. I am telling Voyager that I want to log into “Lemmy.wtf” with my user “Meldrik”. Before I type a password, the app will check if “Lemmy.wtf” exists and maybe even check if there is in fact a user named “Meldrik”. If all are true, then it will ask for password.
Something like that. I don’t know how Voyager works 😁
that’s still making assumptions about where you want to login to. The fact is that you can login, today, to Lemmy.world with “username” of “me@lemmy.wtf” assuming Lemmy.wtf has an email server setup. And it’s not a safe assumption because users DO have email addresses saved in their passwords manager as a username for whatever random instance, and there should be a 0% chance of sending user credentials to the wrong domain.
I can’t just trust that domain to say they’re a Lemmy instance, and there is a user with that username on the domain. That’s trivial to exploit.