Comments (1)
ok now that it's fixed i can expand on it
-
on the front page there are buttons for logging on to mastodon instances, five of them. these buttons remember which instances you tend to log into. this is (was) stored in a cookie. unless you are logged in, this is the only part of the page that changes
-
if your browser supports brotli compression, then once the page is generated it will be hashed and checked against a cache of compressed versions of pages. this is because brotli compression can be slow, so if a compressed version is not found in the cache, it will compress in the background and a gzip version will be returned instead
this is relevant because it opens up the possibility of an oracle attack. if you get the server to recreate a response that it already served to someone else, you will know because it will already be compressed. and also because there is a header that tells you if the brotli version comes from cache or not
this isn't a problem for the rest of the site, since any page or api endpoint that shows user info also has the actual user ID somewhere, so no other user can get the exact same page
however the front page shows personally identifiable information in which instances are shown but it is not unique per user. someone could craft a cookie (or many cookies) and find out which combinations of instances have been seen before. this is particularly damning if single-user instances are involved, or small instances where it would be easy to identify individual people based on the combination of instances they use.
info that could be gathered this way includes:
- an identifiable person has logged into forget recently, and the instances they have logged in with in the past (don't know if they have forget enabled)
- more? i don't know
this has been mitigated by the changes in #176, which move all instance usage information to the client. the server returns the same page for all, showing buttons for the most popular instances. those buttons are then replaced in client-side javascript.
there is still an endpoint, /api/known_instances, which uses the old cookie and returns it verbatim, in order to make the transition from http-only cookie to client-side-only localStorage. oracle attacks on that endpoint are possible but mitigated by random padding causing every response to be virtually unique. that endpoint will only be hit once per browser per user after which the cookie is deleted, and sending hundreds of requests to try and get identical padding (good fuckin luck) will only cause legitimate requests to fall out of the cache faster
anyway that's my login button story, thanks for reading
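As an added illustration (not code from forget), here is a small model of the cache behaviour the comment describes: a compressed-page cache keyed by a hash of the generated page, plus a response field saying whether the body came from that cache. The `cache` field name, the zlib stand-in for brotli and the `render_front_page` helper are constructed for the example; the check at the end is the kind of regression test a maintainer would keep to confirm that the random-padding mitigation removes the repeat-content signal.

```python
import hashlib
import os
import zlib


class CompressedPageCache:
    """Constructed model of the front-page cache: pre-compressed bodies
    keyed by sha256 of the generated page. zlib stands in for brotli."""

    def __init__(self) -> None:
        self._store: dict[str, bytes] = {}  # sha256(page) -> compressed bytes

    def serve(self, page: bytes, pad: bool = False) -> dict:
        if pad:
            # Mitigation from the comment: random padding makes every response
            # body, and therefore its cache key, effectively unique.
            page += b"<!--" + os.urandom(16).hex().encode() + b"-->"
        key = hashlib.sha256(page).hexdigest()
        if key in self._store:
            # Already compressed earlier: serve it and say so.
            return {"encoding": "br", "cache": "HIT", "body": self._store[key]}
        # Not cached yet: "compress in the background", return gzip now.
        self._store[key] = zlib.compress(page, 9)
        return {"encoding": "gzip", "cache": "MISS", "body": zlib.compress(page)}


def render_front_page(instances: list[str]) -> bytes:
    """Old behaviour: the login buttons (hence the page) depend on the cookie,
    so two users with the same instance set get byte-identical pages."""
    buttons = b"".join(f"<button>{i}</button>".encode() for i in instances)
    return b"<html>" + buttons + b"</html>"


def repeat_view_signal(cache: CompressedPageCache, instances: list[str],
                       pad: bool = False) -> str:
    """Defender's check: serve the same button set twice and report the cache
    field of the second response. 'HIT' means a repeat is observable."""
    cache.serve(render_front_page(instances), pad)
    return cache.serve(render_front_page(instances), pad)["cache"]
```

Without padding the second identical page is a HIT, which is the signal the comment worries about; with per-response padding the key never repeats and the second request is a MISS like any other.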
from forget.