Hmm noting that yarnd
password change function is insecure by design and should be fixed 🤔
@prologic@twtxt.net How come?
@lyse@lyse.isobeef.org Well basically if you try to reset your password today, it assumes you are a) logged in and b) you are who you say you are. There is no verification of your old password, no identity verification. So if somehow someone managed to hijack your session or something…
@prologic@twtxt.net Ah, ok. But you actually have to be logged in. It doesn’t just assume it. At least I tried it in the web UI. It would be nice to confirm the password by retyping it into a second field, so typos are caught.
@lyse@lyse.isobeef.org Yeah true! Um not even sure how realistic hijacking a session really is? 🤔
@prologic@twtxt.net It’s more likely that someone gets unauthorized access to your computer and deletes your account through the web UI. You should probably have to type in your password to delete your account.
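The two points raised above (a password change that re-checks the current password and a confirmation field, and an account deletion that asks for the password again) as an added Go example. This is not yarnd's code: the `Account`, `Session` and `ChangePassword`/`DeleteAccount` names are assumed, and the HMAC-SHA256 hasher is a standard-library stand-in for a real password hash such as bcrypt or argon2.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Account is an assumed, minimal user record; it is not yarnd's own type.
type Account struct {
	Name string
	Salt []byte // per-account random salt
	Hash []byte // hashPassword(Salt, password)
}

// Session stands in for the server-side session; User == nil means not logged in.
type Session struct {
	User *Account
}

var (
	ErrNotLoggedIn   = errors.New("not logged in")
	ErrWrongPassword = errors.New("current password does not match")
	ErrConfirm       = errors.New("new password and confirmation differ")
	ErrTooShort      = errors.New("new password must be at least 8 characters")
)

// hashPassword is a placeholder for the real password hasher (bcrypt/argon2 in
// production); keyed HMAC-SHA256 keeps this example standard-library only.
func hashPassword(salt []byte, password string) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(password))
	return mac.Sum(nil)
}

func newSalt() ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// NewAccount creates an account with a fresh salt and hashed password.
func NewAccount(name, password string) (*Account, error) {
	salt, err := newSalt()
	if err != nil {
		return nil, err
	}
	return &Account{Name: name, Salt: salt, Hash: hashPassword(salt, password)}, nil
}

// CheckPassword compares in constant time so a mismatch leaks no timing information.
func (a *Account) CheckPassword(candidate string) bool {
	return subtle.ConstantTimeCompare(a.Hash, hashPassword(a.Salt, candidate)) == 1
}

// ChangePassword requires a live session AND the current password AND a matching
// confirmation field before it touches the stored hash.
func ChangePassword(s *Session, current, next, confirm string) error {
	if s == nil || s.User == nil {
		return ErrNotLoggedIn
	}
	if !s.User.CheckPassword(current) {
		return ErrWrongPassword
	}
	if subtle.ConstantTimeCompare([]byte(next), []byte(confirm)) != 1 {
		return ErrConfirm
	}
	if len(next) < 8 {
		return ErrTooShort
	}
	salt, err := newSalt()
	if err != nil {
		return err
	}
	s.User.Salt, s.User.Hash = salt, hashPassword(salt, next)
	return nil
}

// DeleteAccount removes the account only after the password is re-entered, so an
// unattended or stolen session alone is not enough to wipe the account.
func DeleteAccount(s *Session, password string, store map[string]*Account) error {
	if s == nil || s.User == nil {
		return ErrNotLoggedIn
	}
	if !s.User.CheckPassword(password) {
		return ErrWrongPassword
	}
	delete(store, s.User.Name)
	return nil
}

func main() {
	acct, _ := NewAccount("alice", "old-password-1") // constructed sample account
	store := map[string]*Account{acct.Name: acct}
	s := &Session{User: acct}
	fmt.Println(ChangePassword(s, "wrong", "new-password-1", "new-password-1"))
	fmt.Println(ChangePassword(s, "old-password-1", "new-password-1", "new-password-1"))
	fmt.Println(DeleteAccount(s, "old-password-1", store), len(store))
}
```

Both handlers fail closed: a missing session, a wrong current password, or a mismatched confirmation each returns before any state changes, and the constant-time comparisons keep the checks from leaking which part failed through timing.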
I share your opinions, @mckinley@twtxt.net and @lumen@tw.lumen.pink.
@mckinley@twtxt.net Agreed!
@lumen@tw.lumen.pink Ahh good to know, so less likely to worry about 👌 (hijacking sessions that is)