this post was submitted on 18 Jun 2023
19 points (100.0% liked)

Lemmy

12538 readers
7 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
nutomic@lemmy.ml
19
❗️Admins: REQUIRE E-MAIL VERIFICATION OR A CAPTCHA FOR REGISTRATION (i.ibb.co)
submitted 1 year ago by retiolus@lemmy.cat to c/lemmy@lemmy.ml
15 comments fedilink hide all child comments
 

cross-posted from: https://lemmy.cat/post/6385

It is currently possible, through Lemmy's API, to create accounts automatically and without limit if verification by email address or captcha is not activated. I'd advise you to activate one or both of them NOW!

After registering x number of accounts (currently I could do thousands), all you have to do is list all the existing communities for each of the account to publishes one new post per community, or more. I'll leave you to picture the mess.

(I apologise to the administrators of sh.itjust.works, I should have done the test with my own server.)

top 15 comments
sorted by: hot top controversial new old
[–] Pekka@feddit.nl 5 points 1 year ago (1 children)

I was playing a bit with the API today and yea it might even be a bit too easy at the moment. You can easily use that army of Lemmy bots to upvote all your posts.

We should probably make it very clear in tutorials and setup guides that no email verification and no captcha is very insecure.

[–] retiolus@lemmy.cat 2 points 1 year ago

Stupid of me, I hadn't thought about upvotes, but it's clear that this is perhaps the most "quiet" and dangerous type of abuse.

[–] PenguinLover@lemmy.ml 3 points 1 year ago (1 children)

This is indeed not an ideal situation, but I guess on most instances this isn't possible. I agree instances should require a captcha of some sort for signing up.

[–] zeerooth@lemmy.antemeridiem.xyz 9 points 1 year ago (2 children)

Unfortunately lemmy devs removed captchas recently https://github.com/LemmyNet/lemmy/issues/2922 so email verification and/or rate limiting is probably the only real option for protection.

[–] EthicalAI@beehaw.org 2 points 1 year ago

That’s a major bad call. Companies like Google who maintain Captcha know the state of AI and will update captcha continuously to adapt.

[–] Pekka@feddit.nl 1 points 1 year ago

With tools like this (https://nopecha.com/) existing they might be right. This is not even the only tool, it really looks like captchas are no longer useful because of AI.

[–] stu@lemmy.pit.ninja 2 points 1 year ago

I saw some small instance owners saying they were going to enable open registration and I couldn't help thinking how bad an idea that sounded all around... For exactly a situation such as this inevitably emerging.

[–] ShortN0te@lemmy.ml 1 points 1 year ago (1 children)

Not sure how email verification should help. Just add a couple of line to role a email address and then open the verification link.

[–] retiolus@lemmy.cat 4 points 1 year ago (1 children)

If you don't have your own domain, it's hard to generate mass email addresses, at least with large providers.

So if someone uses his custom domain to mass-generate emails, it's easier to delete all accounts that use this same email provider.

[–] ShortN0te@lemmy.ml 0 points 1 year ago (1 children)

https://duckduckgo.com/?q=10+min+mail+api&t=fpas&ia=web

There are enough options out there. No need selfhost.

[–] T156@lemmy.world 1 points 1 year ago

True, but if it's from a known provider, you can block those as well (and they probably have their own mechanisms to deal with service abuse).

[–] maf@szmer.info 1 points 1 year ago (1 children)

+1 to that. Also the email domain matters. It's relatively easy to set up hundreds of disposable emails on random domains vs ones like Gmail.

Phone number is another solid anti abuse signal. SIM cards are harder to come by in large quantities.

[–] T156@lemmy.world 1 points 1 year ago (1 children)

Phone number is another solid anti abuse signal. SIM cards are harder to come by in large quantities.

Unless they use something like a VOIP, or just spoof the number. If they can do that to call other people, there's little reason to think that they could not use that information for registration.

The other thing to consider is that in the eventuality of a data breach, you're going to have the phone numbers of a bunch of users floating about, which is not ideal either.

[–] maf@szmer.info 1 points 1 year ago

Right. I meant is the SMS-based verification of phone numbers - it's not spoofable like the VoIP Caller ID. The downside is the cost imposed by the SMS gateway.

[–] Zaphodquixote@sh.itjust.works -1 points 1 year ago

Fuck captcha