@DocScranton To be clear, you don’t have to worry about it as a single-user instance but still update!
I discovered the exploit while thinking of how to make my insult bot send out insults faster. I had the idea of reusing previous Media Attachment IDs so that it didn’t have to repeatedly upload files.
I tested this and it worked, so on a whim I said “Huh, I wonder if I could POST someone else’s Media Attachment ID in my API call,” and that worked. It was then I thought “Huh… these IDs look like they’re just a sequential series of numbers…”
I then had a VERY devious idea to see if private chats and DMs used the same list, which I found out they do. I coupled both these pieces of information together and thought “I wonder if I could attach someone else’s private Media Attachment ID to a public post,” and it turns out YES, YOU CAN.
In conclusion: On any public instances NO photos were actually private and it would only take a bad actor looping through all IDs in the object table until he found the photos for them to be leaked.
My initial report can be found here:
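Added example, constructed for this page and not code from the instance or project the post describes: a small in-memory Ruby sketch of the status-creation path, with the version that trusts submitted media IDs beside one that requires the attachment to exist, belong to the posting account, and not already be in use. Class and method names are assumptions; the sequential ID counter mirrors what the post observed.

```ruby
require 'securerandom'

# Constructed in-memory model: an attachment knows who uploaded it and
# which status (if any) it is already attached to.
MediaAttachment = Struct.new(:id, :owner_id, :status_id)
Status = Struct.new(:id, :account_id, :visibility, :media_ids)

class MediaStore
  attr_reader :media, :statuses

  def initialize
    @media = {}
    @statuses = {}
    @next_media_id = 1 # sequential, enumerable IDs, as described in the post
  end

  # Upload records the uploader and returns the new attachment id.
  def upload(owner_id)
    id = @next_media_id
    @next_media_id += 1
    @media[id] = MediaAttachment.new(id, owner_id, nil)
    id
  end

  # Vulnerable: any attachment that exists can be placed on the new status,
  # so a DM-only picture uploaded by another account becomes public.
  def create_status_vulnerable(account_id, visibility, media_ids)
    store_status(account_id, visibility, media_ids.select { |i| @media.key?(i) })
  end

  # Hardened: every submitted id must exist, be owned by the poster, and be
  # unattached. "Not found" and "not owned" give the same error so the
  # endpoint does not confirm which ids exist.
  def create_status_hardened(account_id, visibility, media_ids)
    media_ids.each do |i|
      m = @media[i]
      raise ArgumentError, "media #{i} not found" if m.nil? || m.owner_id != account_id
      raise ArgumentError, "media #{i} already attached" unless m.status_id.nil?
    end
    store_status(account_id, visibility, media_ids)
  end

  private

  def store_status(account_id, visibility, media_ids)
    s = Status.new(SecureRandom.uuid, account_id, visibility, media_ids)
    media_ids.each { |i| @media[i].status_id = s.id }
    @statuses[s.id] = s
  end
end
```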
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.