submitted 1 year ago by OsrsNeedsF2P@lemmy.ml to c/lemmy@lemmy.ml

Found this when logging into the Lemmy.world Place canvas

https://canvas.toast.ooo/

[-] Saik0Shinigami@lemmy.saik0.com 29 points 1 year ago

While the login system works...

It's ripe for abuse though. DMs are federated traffic and are not cryptographically secured in any form. So in theory a bad actor instance admin could spawn unlimited accounts and log in... Or just sniff incoming requests from whatever instance this traffic is spawned from and obtain the login code.

For something like this, probably fine... But I wouldn't use it for anything else, nor would I trust any app that does use this system.

[-] Shadow@lemmy.ca 8 points 1 year ago* (last edited 1 year ago)

Their original system required you to enter your creds + OTP, so this is a huge improvement 🤣

[-] Saik0Shinigami@lemmy.saik0.com 1 points 1 year ago

That's how I just logged in.

Gave instance, username on instance, and received inbox message on my lemmy instance. (also sniffed the message cause I was curious since I'm my instance admin)

[-] lemann@lemmy.one 1 points 1 year ago

I think the original commenter meant "username+password+your Lemmy 2FA OTP" by creds

[-] Saik0Shinigami@lemmy.saik0.com 2 points 1 year ago

I think they meant that too... But that's not what was provided to log in.

I would not give up my instance password to another person. The list I provided was what I specifically provided.

this post was submitted on 04 Aug 2023
103 points (96.4% liked)
