Feedback Technical Grievances

A bug in an upstream package we rely on caused two users overnight to land in someone else's logged-in session. To be clear on scope: this only affects the Kiwi Farms account itself. It does not expose the other user's browser history, device, or anything outside the site.

The package maintainers identified this as a race condition in their http2 code and have already pushed fixes. I've pulled in the changes and believe it's resolved, but I'd rather confirm with user reports than just assume.

If you find yourself logged into an account that isn't yours, email me, DM me, or post in TTS. Please include:

1. What you were doing
2. What part of the site you were on
3. Which domain you use (.st? .onion?)
4. Whether you're on VPN/Tor/Public Network
5. Whether you were opening a bunch of tabs or clicking around quickly
6. Whether you'd interacted with the Alerts/Conversations/Bookmarks panel
7. Whether you'd hit an error page (like opening an attachment that no longer exists)

Tartarus multiplexes http2 connections to the backend Kiwi Farms server. This has worked fine for months, but recent commits to the upstream http2 packages we use flag race conditions in the multiplexer. Likely failure mode: multiplexed responses getting routed to the wrong client. Because XenForo continuously resends Set-Cookie headers with session tokens, an active user (opening lots of tabs, like both affected users were) would trip it. The upstream fixes line up with exactly this behavior.

P.S. This fix might also fix the issue with the site hanging and refusing to load many people were experiencing.
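
The failure mode described in the post above, as an added example that is not part of the original post and is not Tartarus or upstream code: a toy Python model of a proxy sharing one backend connection, in which a deterministic ordering mistake stands in for the race and hands each client the other's Set-Cookie, next to a fail-closed correlation check that catches it. The `x-corr` header, the cookie format, and every class and function name are hypothetical.

```python
import secrets

class Mux:
    """Toy proxy that shares one backend connection among several clients."""
    def __init__(self, match_by_stream_id):
        self.match_by_stream_id = match_by_stream_id
        self.pending = {}   # stream id -> (client, correlation nonce)
        self.order = []     # stream ids in the order requests were sent
        self.next_id = 1

    def send(self, client):
        sid, nonce = self.next_id, secrets.token_hex(8)
        self.next_id += 2   # client-initiated HTTP/2 stream ids are odd
        self.pending[sid] = (client, nonce)
        self.order.append(sid)
        return sid, nonce

    def deliver(self, sid):
        """Return the (client, nonce) the proxy believes a response is for."""
        if not self.match_by_stream_id:
            sid = self.order[0]   # flawed: assumes responses finish in send order
        self.order.remove(sid)
        return self.pending.pop(sid)

def backend(sid, nonce, user):
    # Constructed backend reply: echoes the nonce and resends the session cookie.
    return {"stream": sid, "x-corr": nonce, "set-cookie": f"session={user}-token"}

def run(match_by_stream_id, guard):
    """Two users share the connection; the second user's response finishes first."""
    mux = Mux(match_by_stream_id)
    reqs = {user: mux.send(user) for user in ("alice", "bob")}
    responses = [backend(*reqs[user], user) for user in ("bob", "alice")]
    got, dropped = {}, 0
    for resp in responses:
        client, nonce = mux.deliver(resp["stream"])
        if guard and resp["x-corr"] != nonce:
            dropped += 1          # fail closed: never forward a mismatched cookie
            continue
        got[client] = resp["set-cookie"]
    return got, dropped

if __name__ == "__main__":
    print("flawed, no guard:", run(False, False))
    print("flawed, guarded: ", run(False, True))
    print("by stream id:    ", run(True, True))
```

With the guard on, a misrouted response costs the user a failed page load instead of someone else's session, and the drop count is a signal worth alerting on.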
 
I appreciate the transparency, but I have to ask. How long has this issue been present in said upstream package, if you know? Being able to basically waltz on into anyone else's account does pose some security concerns.
 
Likewise appreciate the heads-up; is there a specific identifier used to link account login data with IP location to confirm identity? I know that there's always the issue of using a VPN, so I'm just asking in general.
 
I appreciate the transparency, but I have to ask. How long has this issue been present in said upstream package, if you know? Being able to basically waltz on into anyone else's account does pose some security concerns.
It hasn't been reported since 4am last night and then again at 9am and not before then.
 
I love gay sex and aids and anal and oral sex gay yum yum yum butthole penis nipple.

Edit: this wasn't me guys I don't know who is doing this to my account but I'm not gay and I do not like men please ignore this post
 
Works for me. Tested on mobile Tor. Did you get a Tartarus page?

Edit: it's the http version only
No tartarus, kiwiflare, nothing.
 
Something strange going on with uploading animated .webp, though animated .gif still works.

Interestingly, when I asked Claude to convert the .webp to .avif hoping that would fix it - it tried and failed (but thought it had succeeded.) If your current media setup is turning this stuff into .avif on the backend using ffmpeg, it may result in the same failure Claude had?


Brave/Mullvad/Linux Mint

The two attachments below are ones I've both successfully loaded into the avatar on prior occasions.
 


Kind of a small potatoes thing but it is a bit of an inconvenience: for videos when you right-click and select "download media" is there a way to either go directly to the "Save as" screen or at least open the media in another tab to save? Opening the media in the same tab, leaving the thread, is a little annoying. Even enabling middle-mouse or ctrl+left click to open that option in a new tab would be better.
 
A small problem I’ve had the last few days is that on mobile (iPad) certain pages just simply won’t load. The site works fine in most places but a few user profiles and some specific thread pages seemingly load and then quickly throw up errors. It doesn’t feel related to media loads and those same pages also fail on a different browser logged out. No issues on desktop though.
 