I think I was refreshing my profile or notifications page (forget which). As it was loading for ~1—2 seconds my screen color theme changed and in the top right corner I saw someone else’s userID, then it quickly reverted back to my theme and userID.

As fast as it happened I only took mental note of the first half of the other userID, which happened to match that of the admin. I described the colors I saw in that 1—2 second timeframe to the admin who confirmed it was indeed the color theme they configured for their environment (which differs from the default).

I clearly had the admin’s session for a second or two. It was so quick that a malicious user probably could not do anything malicious. But of course just as I have no idea how I apparently got the admin’s cookie for a second or two, I have no idea how I got back my cookie. Maybe if I had quickly hit ESC mid-loading the access breach could have been sustained.

#lemmyBug


As usual, this bug report is posted here because the official bug tracker is jailed in MS Github. I should add that Microsoft supports those responsible for the death of Hind Rajab by financing AnyVision, which is good cause to boycott Microsoft.

  • freedomPusher@sopuli.xyzOPM
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    6 months ago

    UPDATE: it just now happened again, but this time not with the admin account (@QuentinCallaghan@sopuli.xyz) but with another user account. I was refreshing my profile and the user @baltakatei@sopuli.xyz appeared in the profile pulldown position on the page with my profile. This time I had time to take a screenshot before it changed:

    It’s interesting that it shows my profile page but not as I see it. That is, when I visit my own profile page I normally have a “subscribed” sidebar. This shows what someone else would see if they visit my profile while they are logged in, which still differs from what a logged out profile looks like (as send msg options were given). So I wonder if I could have sent myself a msg.