smell that? that's the smell of another two fresh vulns in federated software. nostalgic, with a small hint of untrusted input~
don't think i would make a very good job doing vulnerability research because these just sometimes come up. like "hey i never really looked at [component]" and i start building a mental map of interactions this has with other components, and realise it touches the other parts perfectly to cause issues
i say this because at some point i wonder how much it'd be worth it to even report these anymore. i started doing it because i believed i could make other people realise that security can't just be an afterthought, but that people should cooperate and look at each other's mistakes. and what happens? people repeat the same mistakes. Mastodon, Pleroma, Pixelfed, all of those /seperately/ i reported that they trusted object IDs. it just keeps happening. it's like whack-a-mole. fix the bug in one place, it pops up in another place.