The full description of the bug is in the linked issue above, but the short
version is: Our CreatePrivateMessageReport endpoint had a bug that would allow
anyone, not just the recipient, to create a report, and then receive the details
about private messages. This allowed anyone to iterate over ids, creating
thousands of reports in order to receive details about private messages. Since
those reports are visible to admins, it would be easy to discover if someone was
abusing this, and luckily we haven’t heard of anyone doing so on production
instances (so far). If you haven’t, please be sure to upgrade to at least 0.19.1
for the fix. Many thanks to @Nothing4You for finding this one.
For those using Private message on Lemmy, there is a major vulnerability. It seems that this instance still runs 18.5
I know that our beloved admins are volunteers and busy, so I don’t blame them for not updating, but while waiting for the update be aware that your PM are as public as your comments
Exactly. I don’t even have my email connected because I’d rather not get a ton of spam when Lemmy gets hacked.
I did the same for Reddit, and I avoid any SM that requires me to associate my identity with it in any way.