Comments plugin does not properly validate password hash. When addMessage
endpoint is called, one can change loginData.username
value to any existing username and impersonate any existing person in chat. While no important user data is stolen, this can certainly confuse people in the comment box. It is not reproducible consistently though, I wasn’t able to find out what exactly is causing this behavior. If you can’t reproduce, you can let me know and I will record a video.
@perchance@lemmy.world pinging dev.