Hey everyone! I just had something rather weird and concerning happen. While browsing Lemmy through the default web interface, I clicked on a post link and got the usual server error. I refreshed the page and got the same thing. Then, I refreshed a second time and while the post loaded, I was a bit perplexed as my Lemmy theme was completely different. I thought that was weird, so I decided to go Settings. That’s when I realized that the username in the top right corner was not my own. Instead of “Shrinra”, it showed “aeharding”! I clicked the link for Settings just to see what would happen, and thankfully, it threw me out of the session entirely. In fact, my actual session was gone and I had to log back in.

A part of me thinks I am crazy. Has anyone else experienced this? If so, it is a known security issue? It is more than a bit concerning to think that someone else may be able to access someone else’s session just by navigating to a certain page.

Thanks!

  • TauZero@mander.xyz
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    The random user switching had been happening occasionally until some update a month ago, something to do with stale websockets. Never heard of anyone successfully exploiting it, like making posts or seeing PMs. All you get is to see someone else’s username. OP, if it happens to you again, try to make a post quickly before the session throws you out to prove whether it is a security risk!