I see a very small minority of people using Kbin, but I don’t understand why.

Is this just a coincidence and did some people choose Kbin over Lemmy or is there a good reason to use Kbin?

  • mrbubblesort@kbin.social
    link
    fedilink
    arrow-up
    22
    arrow-down
    1
    ·
    1 year ago

    Kbin’s UI is just better. I realize both can be customized, but I’d prefer not to mess around with any of that yet. Plus I know people on mastadon, so that sealed it for me.

    • Freeman@lemmy.pub
      link
      fedilink
      arrow-up
      4
      arrow-down
      2
      ·
      1 year ago

      Customizations brought vulns on Lemmy with the custom emojis introducing XSS vulns and a few takeovers in the recent weeks.

      • Swedneck@discuss.tchncs.de
        link
        fedilink
        arrow-up
        3
        arrow-down
        2
        ·
        1 year ago

        but that’s not the fault of the UI, that’s the fault of the server and/or operator for allowing something like that to be even theoretically possible in the first place.

        This is why you place UIs on separate domains from the servers, and always treat user input like it’s radioactive AND toxic.

        • Freeman@lemmy.pub
          link
          fedilink
          arrow-up
          9
          arrow-down
          1
          ·
          1 year ago

          The custom emoji’s was a developed feature of Lemmy pushed out in their UI code. Even the project mainters instance was affected. Its why 0.18.2 was released.

          https://join-lemmy.org/news/2023-07-11_-_Lemmy_Release_v0.18.2

          Thats not on server/infra operators. It was a vuln in the core UI code. Some operators DID patch it themselves (i think Beehaw is one), others were less affected (ie: My instance is closed and i dont use custom emjis anyhow), but those are features introduced by the maintainers and some of the bigger instances would get requests for them anyhow. So it was a problem.

          • Swedneck@discuss.tchncs.de
            link
            fedilink
            arrow-up
            1
            arrow-down
            2
            ·
            1 year ago

            but the fundamental vulnerability is not in the UI, by that logic you could just run your own UI and get into servers without issue, the vulnerability is always in either the server software or in the specific deployment.

              • Swedneck@discuss.tchncs.de
                link
                fedilink
                arrow-up
                1
                arrow-down
                1
                ·
                1 year ago

                again, that makes no sense whatsoever, by that logic anyone can just merrily wreak havoc by using a client specially made to have vulnerabilities.

                • snowe@programming.dev
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  1 year ago

                  It was a csrf issue. The vulnerability isn’t on the attackers side, it’s on the user’s side. I’m telling you this as the owner of the instance. I’m sorry, but you are wrong here.