PieFed has a similar API endpoint. It used to be scoped, but was changed at the request of app developers. It’s how people browse sites by ‘New Comments’, and - for a GET request - it’s not really possible to document and validate that an endpoint needs to have at least one of something (i.e. that none of ‘post_id’ or ‘user_id’ or ‘community_id’ or ‘user_id’ are individually required, but there needs to be one of them).
It’s unlikely that these crawlers will discover PieFed’s API, but I guess it’s no surprise that they’ve moved on from basic HTML crawling to probing APIs. In the meantime, I’ve added some basic protection to the back-end for anonymous, unscoped requests to PieFed’s endpoint.
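The kind of back-end check the comment above describes, written out as an added example (this is not PieFed's own code): an "at least one of" rule that an OpenAPI schema cannot express cleanly for query parameters, plus a per-IP limit that applies only to anonymous requests that supply no scoping parameter. The parameter names come from the comment; the endpoint shape, the limits and the policy are assumptions for this illustration.

```python
from collections import deque
from typing import Mapping

# Parameter names are taken from the comment; the limits and the policy below
# are assumptions for this example, not PieFed's actual configuration.
SCOPE_PARAMS = ("post_id", "user_id", "community_id")
ANON_UNSCOPED_LIMIT = 5      # anonymous, unscoped requests allowed per window
ANON_UNSCOPED_WINDOW = 60.0  # window length in seconds


class RequestRejected(Exception):
    """Carries an HTTP-style status code and a message for a refused request."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status
        self.message = message


def parse_scope(query: Mapping[str, str]) -> dict:
    """Collect whichever scoping parameters are present.

    None of them is individually required (so each is optional in the schema),
    but any that is present must be a positive integer. Returns a possibly
    empty dict; an empty dict means "unscoped" (browse everything by newest).
    """
    scope = {}
    for name in SCOPE_PARAMS:
        raw = query.get(name)
        if raw is None or raw == "":
            continue
        if not raw.isdigit() or int(raw) <= 0:
            raise RequestRejected(400, f"{name} must be a positive integer")
        scope[name] = int(raw)
    return scope


class AnonUnscopedLimiter:
    """Sliding-window counter keyed by client IP.

    It is consulted only for anonymous requests with no scoping parameter,
    which is the expensive, crawler-shaped case; scoped and authenticated
    traffic never touches it.
    """

    def __init__(self, limit: int = ANON_UNSCOPED_LIMIT,
                 window: float = ANON_UNSCOPED_WINDOW):
        self.limit = limit
        self.window = window
        self._hits = {}  # client_ip -> deque of request timestamps

    def allow(self, client_ip: str, now: float) -> bool:
        hits = self._hits.setdefault(client_ip, deque())
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def check_comment_list_request(query: Mapping[str, str], client_ip: str,
                               authenticated: bool, limiter: AnonUnscopedLimiter,
                               now: float) -> dict:
    """Policy for a GET comment-listing endpoint (the exact path is assumed).

    - every scoping parameter that is present must be valid;
    - authenticated callers may browse unscoped ("New Comments");
    - anonymous unscoped callers are rate limited per client IP.
    Returns the parsed scope on success, raises RequestRejected otherwise.
    """
    scope = parse_scope(query)
    if scope or authenticated:
        return scope
    if not limiter.allow(client_ip, now):
        raise RequestRejected(429, "too many anonymous unscoped requests")
    return scope


if __name__ == "__main__":
    # Constructed sample traffic: one anonymous client hammering the unscoped endpoint.
    limiter = AnonUnscopedLimiter(limit=2, window=60.0)
    for t in (0.0, 1.0, 2.0):
        try:
            check_comment_list_request({}, "198.51.100.7", False, limiter, t)
            print(f"t={t}: allowed")
        except RequestRejected as exc:
            print(f"t={t}: {exc.status} {exc.message}")
```

The split matters for detection as well as load: because only anonymous unscoped calls are counted, a spike of 429s from this limiter is a fairly clean signal of API probing rather than of ordinary app users, who either authenticate or pass a scope.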
admiralpatrick@lemmy.world 6 days ago
Lemmy. I added a comment above; LW wouldn’t let me edit the post.
Mine’s only extended with some WAF rules and I’ve got a massive laundry list of bot user agents that it blocks, but otherwise it’s pretty bog standard.
If instances have Anubis setup correctly (i.e. not in front of /api/…) then that might not help them since this is calling the API endpoint.
OpenStars@piefed.social 6 days ago
All of a sudden your edits went through - perhaps a delay caused by this same issue?
Also some related posts:
* another one reporting similar attack-like activities https://lemmy.world/post/36413045
* a month ago similarly https://lemmy.world/post/34310429