This was not social engineering. It was a JavaScript injection that stole browser cookies, bypassing password changes and 2FA.
However, it seems lemmy.world was running a custom version of the UI. So it's possible that it only affected their instance. Hard to say at this point.
Nice. I had a similar idea bouncing around in my head, but didn't get around to implementing it.
The main hurdle for me was that there's no way to interact with the content (i.e., upvote, boost, comment, post).
I can't see a way around this without either a private instance, or creating an account on each respective platform - this is a limitation of ActivityPub IMO. I'm curious as to your thoughts?