
A bug in an upstream package we rely on caused two users overnight to land in someone else's logged-in session. To be clear on scope: this only affects the Kiwi Farms account itself. It does not expose the other user's browser history, device, or anything outside the site.

The package maintainers identified this as a race condition in their http2 code and have already pushed fixes. I've pulled in the changes and believe it's resolved, but I'd rather confirm with user reports than just assume.

If you find yourself logged into an account that isn't yours, email me, DM me, or post in TTS. Please include:

1. What you were doing
2. What part of the site you were on
3. Which domain you use (.st? .onion?)
4. Whether you're on VPN/Tor/Public Network
5. Whether you were opening a bunch of tabs or clicking around quickly
6. Whether you'd interacted with the Alerts/Conversations/Bookmarks panel
7. Whether you'd hit an error page (like opening an attachment that no longer exists)

Tartarus multiplexes http2 connections to the backend Kiwi Farms server. This has worked fine for months, but recent commits to the upstream http2 packages we use flag race conditions in the multiplexer. Likely failure mode: multiplexed responses getting routed to the wrong client. Because XenForo continuously resends Set-Cookie headers with session tokens, an active user (opening lots of tabs, like both affected users were) would trip it. The upstream fixes line up with exactly this behavior.

P.S. This fix might also fix the issue with the site hanging and refusing to load many people were experiencing.
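The failure mode described in the post above, seen from the detection side: a session token from a Set-Cookie header turning up on more than one client's connection. This is an added example, not code from Tartarus, XenForo or this thread; the log format, the client ids and the cookie name xf_session are assumptions.

```python
"""Flag session tokens that a proxy delivered to more than one client.
Example code added to this thread, not part of Tartarus or XenForo."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed proxy log format:
# <time> client=<opaque client id> stream=<h2 stream id> status=<code> set-cookie=<cookie or ->
SAMPLE_LOG = """\
04:01:10 client=c1 stream=3 status=200 set-cookie=xf_session=aaaa1111
04:01:10 client=c1 stream=5 status=200 set-cookie=xf_session=aaaa1111
04:01:11 client=c2 stream=3 status=200 set-cookie=xf_session=bbbb2222
04:01:11 client=c2 stream=7 status=404 set-cookie=-
04:01:12 client=c2 stream=9 status=200 set-cookie=xf_session=aaaa1111
04:01:13 client=c3 stream=1 status=200 set-cookie=xf_session=cccc3333
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) stream=(?P<stream>\d+) '
    r'status=(?P<status>\d{3}) set-cookie=(?P<cookie>\S+)$'
)
# Assumed session cookie name; adjust to the site's real cookie prefix.
SESSION_RE = re.compile(r'xf_session=([A-Za-z0-9]+)')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    sess = SESSION_RE.search(rec["cookie"])
    rec["session"] = sess.group(1) if sess else None
    return rec


def find_cross_client_sessions(log_text):
    """Return {token: [(time, client), ...]} for every token seen on >1 client."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["session"]:
            seen[rec["session"]].append((rec["ts"], rec["client"]))
    return {tok: hits for tok, hits in seen.items()
            if len({c for _, c in hits}) > 1}


if __name__ == "__main__":
    for tok, hits in find_cross_client_sessions(SAMPLE_LOG).items():
        print(f"token {tok} reached clients {sorted({c for _, c in hits})}: {hits}")
```

Lines with no session cookie (error pages, static files) are skipped, so a 404 on a missing attachment only matters if the response that follows it carries someone else's token.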
I appreciate the transparency, but I have to ask. How long has this issue been present in said upstream package, if you know? Being able to basically waltz on into anyone else's account does pose some security concerns.
 
Likewise appreciate the heads-up; is there a specific identifier used to link account login data with IP location to confirm identity? I know that there's always the issue of using a VPN, so I'm just asking in general.
 
I appreciate the transparency, but I have to ask. How long has this issue been present in said upstream package, if you know? Being able to basically waltz on into anyone else's account does pose some security concerns.
It hasn't been reported since 4am last night and then again at 9am and not before then.
 
I love gay sex and aids and anal and oral sex gay yum yum yum butthole penis nipple.

Edit: this wasn't me guys I don't know who is doing this to my account but I'm not gay and I do not like men please ignore this post
 