I was trying to automate mining a token to bypass the Anubis deployment on lore.kernel.org, and noticed that submitting the same token twice got two different signed cookies.
This seems like a bug: exchanging a mined token for an auth cookie should immediately remove the ability to use it again, or there is a double-spend vulnerability. I'm not sure if this is a configuration error, but thought I'd report it to investigate.
I mined (and spent) this token yesterday and it still works:
$ curl -AMozilla -I --cookie "techaro.lol-anubis-cookie-test-if-you-block-this-anubis-wont-work=5d737f0600ff2dd" 'https://lore.kernel.org/.within.website/x/cmd/anubis/api/pass-challenge?response=000043f7c4392a781a04419a7cb503089ebcf3164e2b1d4258b3e6c15b8b07f1&nonce=47224&redir=/&elapsedTime=120'
HTTP/2 302
...
set-cookie: techaro.lol-anubis-auth=eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9
If I look inside, it's valid for another 7 days:
$ base64 -d <<< eyJhY3Rpb24iOiJDSEFMTEVOR0UiLCJjaGFsbG... | jq
{
  "action": "CHALLENGE",
  "challenge": "5d737f0600ff2dd",
  "exp": 1756308442,
  "iat": 1755703642,
  "method": "fast",
  "nbf": 1755703582,
  ...
$ date --date @1756308442
Wed Aug 27 08:27:22 PDT 2025
That's 7 days from today, not when I mined it.
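One way to close the replay described in the report, as an added Go example that is not part of the original report and is not Anubis's own code: the server keeps issued challenges in a store and consumes each one at redemption, so the same solution cannot be exchanged twice and a stale challenge cannot be redeemed at all. `Store`, `Issue`, `Redeem`, `proof` and the `sha256(challenge+nonce)` scheme are assumptions made for illustration, and the challenge string in `main` is constructed.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

var ErrSpent, ErrBadProof = errors.New("challenge unknown, expired or already redeemed"), errors.New("bad proof of work")

// Store holds issued, not yet redeemed challenges (hypothetical type, not Anubis code).
type Store struct {
	mu      sync.Mutex
	pending map[string]time.Time // challenge -> deadline for redeeming it
}
func (s *Store) Issue(challenge string, deadline time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[challenge] = deadline
}

func proof(challenge string, nonce int) string { // assumed scheme: hex(sha256(challenge+nonce))
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%s%d", challenge, nonce))))
}

// Redeem checks the proof, then consumes the challenge under the lock: a replay gets ErrSpent.
func (s *Store) Redeem(challenge string, nonce int, response string, zeros int, now time.Time) error {
	if proof(challenge, nonce) != response || !strings.HasPrefix(response, strings.Repeat("0", zeros)) {
		return ErrBadProof
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	deadline, ok := s.pending[challenge]
	delete(s.pending, challenge) // single use: gone whether or not it was still valid
	if !ok || now.After(deadline) {
		return ErrSpent
	}
	return nil // only now may the caller sign and set the auth cookie
}

func main() {
	s, now := &Store{pending: map[string]time.Time{}}, time.Now()
	s.Issue("constructed-challenge", now.Add(time.Hour))
	r := proof("constructed-challenge", 0) // difficulty 0 below, so nonce 0 is accepted
	fmt.Println(s.Redeem("constructed-challenge", 0, r, 0, now), s.Redeem("constructed-challenge", 0, r, 0, now))
}
```

With more than one server instance, the pending set has to live in shared storage with an atomic delete for the same guarantee to hold.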