cat-trans

    • SnowySkyes
      hexagon
      M
      ·
      7 months ago

      Yeesh. That’s aggravating. Good to know for the future. Thank you cat-trans

    • bleepbloopbop [they/them]
      ·
      edit-2
      7 months ago

      maybe don't give explicit instructions on how to do that (yes I know it's trivial for anyone with a little knowledge or time to spend), considering its an unfixed hole and no amount of spreading the word will get everyone on the site to change their behavior around deletes. But this is really frustrating and should have been fixed ages ago. Ah Lemmy... :/

        • bleepbloopbop [they/them]
          ·
          7 months ago

          no, it is a hole, intentional or not, and a major violation of user trust. They can retain it in the DB for 30 days, but there is no justifiable reason to hand out the content of deleted comments, posts, user profiles, anything, to literally any person or script that asks for it

      • BountifulEggnog [she/her]
        ·
        7 months ago

        it's trivial for anyone with a little knowledge or time to spend

        My app can show by default, so it's even easier then that.

        I don't know, if I posted something super personal I'd edit it after learning about that. Most of the time it's just a joke I don't think will land so 🤷 who cares. I think that's the case for a lot of people.

        • bleepbloopbop [they/them]
          ·
          edit-2
          7 months ago

          Wow. Whoever wrote your app... That sucks of them ngl. If there's a "hey the user deleted this" flag you should honor it. Though I mostly blame lemmy devs for giving them the opportunity to begin with, and I really don't think most people would expect to have to edit a comment to remove personal info or whatever they don't want people to see, when there's a delete button right there. Most of the time its harmless, yeah, but I still don't think we should be giving instructions on how to view deleted comments (potentially en masse), that's just giving the lowest effort assholes somewhere to dig for the 1% of deleted comments that are genuinely sensitive.

          My whole point is there's no way of spreading the word to every user of the site that doesn't also tip off attackers who might want to exploit this knowledge, and even if you pushed out a pinned post or DM to every user it would still not see perfect adherence. There needs to be a server side fix, and all the instances we're federated with need to upgrade as well, and in the meantime we probably shouldn't yell it from the rooftops. I guess its been like this for ages but... still, this is bad and should be taken seriously

          • BountifulEggnog [she/her]
            ·
            7 months ago

            To be fair to the app dev, I'm pretty sure it was unintentional. Just pointing out it's easier then having to write up a python script and working with apis.

            I really don't think most people would expect to have to edit a comment to remove personal info or whatever they don't want people to see

            I completely agree with you. Most users wouldn't think that.

            I think there'd be much better adherence if people understood how insanely easy it is. "hey guys, deleted comments are still readable" does that convey the same sense of urgency as "clicking this link shows you deleted comments"? I think without communicating how easy it is, people won't worry about it. I know I didn't when I thought the issue was federated servers being able to read comments, instead of literally anyone.

            I don't know. I kind of see what you're saying about new attackers realizing this, but this has been a known issue for a long time. Would they really not know? If they searched Google to figure out how to see deleted comments, I imagine you could find the issue quickly. Overall I'm not really a fan of security by obscurity either 🤷. More people knowing how to properly delete stuff is a clear upside too.

            And yea, this desperately needs a server side fix and I can't believe how long it's gone on without one. I'm not familiar with lemmy's code base, but a check for if the content is deleted doesn't seem like it would be hard.

            • bleepbloopbop [they/them]
              ·
              edit-2
              7 months ago

              its mildly annoying to figure out exactly how to implement it best (I've been looking at it all morning) but editing the ORM sql queries in https://github.com/LemmyNet/lemmy/blob/main/crates/db_views/src/comment_view.rs would be one way to do it that covers all the different api endpoints affected. The comments there indicate this was done knowingly/intentionally. The problem is if upstream lemmy says they don't want to change it we'd just be screwed. I think they'd be amenable but you never know

              Edit: it's already fixed upstream I'm a doodoohead