Has anyone done any vulnerability assessment to determine if the Personal Note you can leave for an account might be accidentally visible to the referred user? #mastodon
Bill (sempf@infosec.exchange)'s status on Thursday, 29-Aug-2024 00:43:55 JST
BeAware :fediverse: (beaware@social.beaware.live)'s status on Thursday, 29-Aug-2024 00:43:54 JST
@Sempf I've never heard of such a thing unless you're taking screenshots of profiles and posting them or allowing them access to your account.
BeAware :fediverse: (beaware@social.beaware.live)'s status on Thursday, 29-Aug-2024 00:48:33 JST
@Sempf oh, nah I don't think there's any more authorization than an extra bit of information tied to your account. Just like your profile info or anything else on your account.
I didn't say it was supposed to be that way either, I said I didn't ever hear of such a thing like user notes being revealed happening.
I'm *really* active here and I'm pretty sure I would've heard about it if it happened before.🤷♂️
Bill (sempf@infosec.exchange)'s status on Thursday, 29-Aug-2024 00:48:34 JST
@BeAware Well, no I'm not suggesting it is SUPPOSED to be that way. I'm just thinking, as a dev, that would be an authorization that would have to be specially written for that one feature, and it could be messed up. That's all.
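A toy model of the authorization check Bill describes in the post above, added here as an example (it is not Mastodon's code; the account and note shapes are assumptions): the note must be looked up by the viewer who wrote it, and a serializer that looks it up by the target account alone hands it to the referred user.

```python
"""Model of a per-viewer 'personal note' on an account profile.

The note is written by one account (the author) about another (the
target) and must only ever be returned to its author. The failure mode
discussed in the thread is a serializer that looks the note up by
target alone, so whoever fetches that profile, including the target,
receives it. Account and note shapes here are assumptions, not
Mastodon's actual schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    id: int
    username: str


class NoteStore:
    """Notes keyed by (author_id, target_id); both halves matter."""

    def __init__(self) -> None:
        self._notes: dict[tuple[int, int], str] = {}

    def set_note(self, author: Account, target: Account, text: str) -> None:
        self._notes[(author.id, target.id)] = text

    def notes_about(self, target: Account) -> list[str]:
        # Every note anyone wrote about `target`: acceptable for a data
        # export, wrong as the source of a profile/relationship response.
        return [t for (_, tid), t in self._notes.items() if tid == target.id]

    def note_for(self, viewer: Account, target: Account) -> str:
        # Authorized read: only the viewer's own note about `target`.
        return self._notes.get((viewer.id, target.id), "")


def relationship_leaky(store: NoteStore, viewer: Account, target: Account) -> dict:
    """The 'messed up' variant: fills `note` from any note about the target."""
    notes = store.notes_about(target)
    return {"id": target.id, "note": notes[0] if notes else ""}


def relationship_safe(store: NoteStore, viewer: Account, target: Account) -> dict:
    """Scoped variant: `note` is the viewer's own note or empty."""
    return {"id": target.id, "note": store.note_for(viewer, target)}


# Constructed sample data: alice keeps a private note about bob.
ALICE, BOB, CAROL = Account(1, "alice"), Account(2, "bob"), Account(3, "carol")
STORE = NoteStore()
STORE.set_note(ALICE, BOB, "met at the conference, owes me a coffee")
```

Calling `relationship_leaky(STORE, BOB, BOB)` returns alice's note to bob, while `relationship_safe` returns it only when the viewer is alice.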
Bill (sempf@infosec.exchange)'s status on Thursday, 29-Aug-2024 00:53:56 JST
@BeAware Yeah, I haven't heard of anything either, but often the issues arise where no one knows to look, ya know what I mean?
BeAware :fediverse: (beaware@social.beaware.live)'s status on Thursday, 29-Aug-2024 00:53:56 JST
@Sempf so were you not expecting a response? 🤔
I'm just confused, if you think nobody has found out such a vulnerability and nobody would know where to look, why did you post it as a question?🤷♂️
Sure, it could have vulnerabilities, but I'd also be worried about overall account vulnerabilities in that case because it's tied to your account.