cat-trans

  • bleepbloopbop [they/them]
    ·
    edit-2
    7 months ago

    Wow. Whoever wrote your app... That sucks of them ngl. If there's a "hey the user deleted this" flag you should honor it. Though I mostly blame lemmy devs for giving them the opportunity to begin with, and I really don't think most people would expect to have to edit a comment to remove personal info or whatever they don't want people to see, when there's a delete button right there. Most of the time its harmless, yeah, but I still don't think we should be giving instructions on how to view deleted comments (potentially en masse), that's just giving the lowest effort assholes somewhere to dig for the 1% of deleted comments that are genuinely sensitive.

    My whole point is there's no way of spreading the word to every user of the site that doesn't also tip off attackers who might want to exploit this knowledge, and even if you pushed out a pinned post or DM to every user it would still not see perfect adherence. There needs to be a server side fix, and all the instances we're federated with need to upgrade as well, and in the meantime we probably shouldn't yell it from the rooftops. I guess its been like this for ages but... still, this is bad and should be taken seriously

    • BountifulEggnog [she/her]
      ·
      7 months ago

      To be fair to the app dev, I'm pretty sure it was unintentional. Just pointing out it's easier then having to write up a python script and working with apis.

      I really don't think most people would expect to have to edit a comment to remove personal info or whatever they don't want people to see

      I completely agree with you. Most users wouldn't think that.

      I think there'd be much better adherence if people understood how insanely easy it is. "hey guys, deleted comments are still readable" does that convey the same sense of urgency as "clicking this link shows you deleted comments"? I think without communicating how easy it is, people won't worry about it. I know I didn't when I thought the issue was federated servers being able to read comments, instead of literally anyone.

      I don't know. I kind of see what you're saying about new attackers realizing this, but this has been a known issue for a long time. Would they really not know? If they searched Google to figure out how to see deleted comments, I imagine you could find the issue quickly. Overall I'm not really a fan of security by obscurity either 🤷. More people knowing how to properly delete stuff is a clear upside too.

      And yea, this desperately needs a server side fix and I can't believe how long it's gone on without one. I'm not familiar with lemmy's code base, but a check for if the content is deleted doesn't seem like it would be hard.

      • bleepbloopbop [they/them]
        ·
        edit-2
        7 months ago

        its mildly annoying to figure out exactly how to implement it best (I've been looking at it all morning) but editing the ORM sql queries in https://github.com/LemmyNet/lemmy/blob/main/crates/db_views/src/comment_view.rs would be one way to do it that covers all the different api endpoints affected. The comments there indicate this was done knowingly/intentionally. The problem is if upstream lemmy says they don't want to change it we'd just be screwed. I think they'd be amenable but you never know

        Edit: it's already fixed upstream I'm a doodoohead