• Saik0@lemmy.saik0.com · 30 points · 1 year ago

    While the login system works…

    It’s ripe for abuse though. DMs are federated traffic and are not cryptographically secured in any form. So in theory a bad actor instance admin could spawn unlimited accounts and log in… Or just sniff incoming requests from whatever instance this traffic is spawned from and obtain the login code.

    For something like this, probably fine… But I wouldn’t use it for anything else, nor would I trust any app that does use this system.
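The comment above points out that a login code delivered over a federated DM is readable by whoever operates the instances it passes through. An added illustration of one defensive design for that channel (example code written for this page, not Lemmy's code and not anything the commenter described): the client keeps a locally generated verifier and sends only its hash when requesting the login, so the code that travels in the DM is useless on its own; codes are also stored hashed, expire after a short TTL, are single-use, and have a small guess budget. The class and function names, `CODE_TTL_SECONDS`, `MAX_ATTEMPTS` and the sample instance/user names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300     # assumed lifetime of a delivered login code
MAX_ATTEMPTS = 5           # assumed guess budget per pending request


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class LoginCodeIssuer:
    """Server side of a DM-delivered login (hypothetical design, not Lemmy's).

    The code travels over the federated DM channel, which the thread notes is
    readable by instance admins, so the code alone is never enough: the client
    keeps a local verifier and proves it when redeeming the code.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, dict] = {}

    def start_login(self, instance: str, username: str, verifier_hash: str):
        code = f"{secrets.randbelow(10**6):06d}"
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = {
            "instance": instance,
            "username": username,
            "code_hash": _h(code),          # never store the code in clear
            "verifier_hash": verifier_hash,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # request_id stays with the requesting client; only the code is sent as the DM
        return request_id, code

    def finish_login(self, request_id: str, code: str, verifier: str) -> bool:
        rec = self._pending.get(request_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[request_id]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[request_id]
            return False
        code_ok = hmac.compare_digest(_h(code), rec["code_hash"])
        verifier_ok = hmac.compare_digest(_h(verifier), rec["verifier_hash"])
        if not (code_ok and verifier_ok):
            return False
        del self._pending[request_id]   # single use: a replayed code fails
        return True


def client_begin():
    """Client side: the verifier never leaves the device; only its hash is sent."""
    verifier = secrets.token_urlsafe(32)
    return verifier, _h(verifier)


def simulate() -> dict:
    """Run the flow with a controllable clock; constructed scenario for the example."""
    now = [1_000_000.0]
    issuer = LoginCodeIssuer(clock=lambda: now[0])
    results = {}

    # Legitimate client starts a login and receives the code via the DM channel.
    verifier, verifier_hash = client_begin()
    request_id, code = issuer.start_login("lemmy.example", "alice", verifier_hash)
    # A party who only read the DM holds the code but not the client's verifier.
    results["sniffed_code_alone"] = issuer.finish_login(request_id, code, "not-the-verifier")
    results["legit"] = issuer.finish_login(request_id, code, verifier)
    results["replay"] = issuer.finish_login(request_id, code, verifier)

    # Expiry: an unused request past the TTL is rejected.
    verifier2, vh2 = client_begin()
    rid2, code2 = issuer.start_login("lemmy.example", "alice", vh2)
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = issuer.finish_login(rid2, code2, verifier2)

    # Guess budget: wrong codes consume attempts, then the request is dropped.
    verifier3, vh3 = client_begin()
    rid3, code3 = issuer.start_login("lemmy.example", "alice", vh3)
    for _ in range(MAX_ATTEMPTS):
        issuer.finish_login(rid3, "000000", verifier3)
    results["after_guess_budget"] = issuer.finish_login(rid3, code3, verifier3)
    return results


if __name__ == "__main__":
    print(simulate())
```

The verifier is the piece that makes the DM channel's lack of confidentiality survivable: reading the message yields a short-lived, hashed-at-rest code that cannot be redeemed without a secret that never crossed the federation. It does not stop a malicious admin from reading the DM; it stops the DM from being sufficient.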

    • Shadow@lemmy.ca · 9 points · 1 year ago

      Their original system required you to enter your creds + OTP, so this is a huge improvement 🤣

      • Saik0@lemmy.saik0.com · 1 point · 1 year ago

        That’s how I just logged in.

        Gave instance, username on instance, and received inbox message on my lemmy instance. (Also sniffed the message because I was curious, since I’m my instance admin.)

          • Saik0@lemmy.saik0.com · 2 points · 1 year ago

            I think they meant that too… But that’s not what was provided to log in.

            I would not give up my instance password to another person. The list I provided was what I specifically provided.