Hmm noting that yarnd password change function is insecure by design and should be fixed 🤔

@lyse@lyse.isobeef.org Well basically if you try to reset your password today, it assumes you are a) logged in and b) you are who you say you are. There is no verification of your old password, no identify verification. So if somehow someone managed to hijack your session or something…

@lyse@lyse.isobeef.org Yeah true! Um not even sure how realistic hijacking’s a session really is? 🤔

@prologic@twtxt.net It’s more likely that someone gets unauthorized access to your computer and deletes your account through the web UI. You should probably have to type in your password to delete your account.

@mckinley@twtxt.net Agreed!

@lumen@tw.lumen.pink Ahh good to know, so less likely to worry about 👌 (hijacking sessions that is)