Normal :jo_2: :v_enby:

@AgathaSorceress

> Unfortunately, Converso is not open source and their website is totally silent on cryptographic primitives and protocols

Oh boy *straps in*

12 comments
Normal :jo_2: :v_enby:

@AgathaSorceress I want to comment on every one of these turns, but there are so many I'll spam you

What the fuck

I'm not even done reading

Normal :jo_2: :v_enby:

@AgathaSorceress okay so they're basically just lying

Wow

Very nice

Normal :jo_2: :v_enby:

@AgathaSorceress

> Forward secrecy? This doesn't exist.

Smh cancel culture strikes again, forward secrecy is cancelled 😔

Normal :jo_2: :v_enby:

@AgathaSorceress why the fuck are they asking 5 dollars a month for an app that supposedly doesn't use servers

Normal :jo_2: :v_enby:

@AgathaSorceress

> Looks like I accidentally breached Converso's user database. The users collection, which is open to the internet and publicly accessible, contains the registration details for every Converso user.

oh my FUCKING GOD

how can you fail this hard

just how

holy-

Normal :jo_2: :v_enby:

@AgathaSorceress

> Phone numbers, registration timestamps, and the identifiers of groups they're in (i.e. who is talking to who).

*chokes*

Normal :jo_2: :v_enby:

@AgathaSorceress

> selfDestruct: <time-to-live>, // optional

this HAS to be a joke

Normal :jo_2: :v_enby:

@AgathaSorceress

> So private keys are being backed up to Seald's servers, encrypted with user passwords.

(Passwords are user IDs)

@julialuna I swear to god I was just joking, holy fuck, what the fuck

Normal :jo_2: :v_enby:

@AgathaSorceress @julialuna

> "How were you able to decompile the source code of the app and what do you think should be done to protect against that in the future?"

*tired sigh*

Normal :jo_2: :v_enby: replied to Normal :jo_2: :v_enby:

@AgathaSorceress @julialuna

> "May we know what you do and where you are located? Thank you."

mmmyes, mob boss tactics, or simply classist corporate "are you worth our time with your status" brainworm

Normal :jo_2: :v_enby: replied to Normal :jo_2: :v_enby:

@AgathaSorceress @julialuna

> "The vulnerability with Firebase rules have been patched and you are welcome to test it out. The other vulnerability of preset decryption keys has been implemented on our side, we are only waiting to get new credentials so that existing users will be reauthenticated. However, all existing messages sent with the old decryption keys are protected by firebase rules so they still cannot be read by outside parties."

...I, what?

"We have closed the door"

...okay, have you fixed the vulnerabilities? Have you nuked your app and started over? Is this just a "oh shit this must go away" manoeuvre?

Honestly, this doesn't astonish me; it gets me super angry, because these fuckers are getting away with it by patching their largest hole while saying that fixed the thousands of leaks in their Swiss cheese ship

I'm just tired, what the fuck

Normal :jo_2: :v_enby: replied to Normal :jo_2: :v_enby:

@AgathaSorceress @julialuna honestly after reading this I'm just so fucking tired

This app gets away with 0 scrutiny while it fails every security practice while doing a backflip, and Matrix gets condemned to hell when E2EE is a little weaker than assumed

(And even then, people are working hard to fix that weakness right now, while this app just hides their mistakes)

Jesus fucking Christ, it doesn't even compare; even Matrix's security is a thousand times better than this glorified piece of shit, while it gets dumped because it's not perfect enough. Meanwhile this goes through and is recommended to a lot of people through misleading advertising tactics

I love Capitalism and FOSS culture (not)
