I think for a while leading up to the recent session stealing hack, there has been a massive amount of positivity from Lemmy users around all kinds of new Lemmy apps, frontends, and tools that have been popping up lately.

Positivity is great, but please be aware that basically all of these things work by asking for complete access to your account. When you enter your Lemmy password into any third party tool, they are not just getting access to your session (which is what was stolen from some users during the recent hack), they also get the ability to generate more sessions in the future without your knowledge. This means that even if an admin resets all sessions and kicks all users out, anybody with your password can of course still take over your account!

This isn’t to say that any current Lemmy app developers are for sure out to get you, but at this point, it’s quite clear that there are malicious folks out there. Creating a Lemmy app seems like a completely easy vector to attack users right now, considering how trusting everybody has been. So please be careful about what code you run on your devices, and who you trust with your credentials!

  • nekat_emanresu@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    1 year ago

    You two have no idea do you? lol

    When you pass your password into an app, it can just copy and store it. If at any point you put a password through, even once, its compromised and no password manager will help in the slightest.

    I make bobApp, you download bobApp, if you put a password into it, you are done.

    edit: answering both of you.

    Then i misunderstood. After i typed this I noticed others said what you meant. My bad.

    • jiji@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      I think their point is password managers make it very easy to have completely unique passwords, and if your Lemmy password is compromised you can change it without worrying about any other accounts being compromised. Not that a manager would magically protect you from ever being compromised.

    • pizzahoe@lemm.ee
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      I think you misunderstood us lol… we’re not saying your password will not get leaked by the app… we’re saying it’s gonna be unique and random bullshit generated so the hacker won’t be able to get to your other accounts since passwords are different.

    • TheSaneWriter@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      You’re correct, but by maintaining distinct passwords with a password manager you make sure only the one account is compromised. 2FA also helps, you may have the username and password, but the 2FA code that you were given needs to be used immediately or else it will expire, and an expired 2FA code won’t allow you to successfully breach the account you’re trying to break into to.