If you're not using WebUI (not seedboxmaxxing) - this doesn't concern you tho.
Someone on alt reports a serious security vulnerability concerning qBittorrent WebUI instances, does so publicly outright in GitHub issues without consulting anyone first, prompts hectic scramble for the creation of a security file and the race to figure out and fix the vulnerability (this took them 2 days).
Frick!
Snapshots:
This is an important find, but you really should have disclosed this privately to the developer before going public with it (their contact info is in the README), especially considering this works without any authentication. Posting it here has it in the clear for attackers to potentially exploit before the necessary fixes are available.
Security through obscurity is no security at all
that's not what he's saying, what he's saying is to disclose it responsibly. common practice is to report vulnerabilities like this privately so they can't be used by a malicious actor, then if nothing happens after a few months then disclose it publicly. this is not the way to do
That doesn't respect my freedom™ to use a better client.
Looks like Snappy is a
Indeed