this post was submitted on 10 Jul 2023
79 points (93.4% liked)

Lemmy

12572 readers
1 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
 

The Lemmy.world hack made a good opportunity to explore other instances out there. Found one based in my area. Back in action!

top 19 comments
sorted by: hot top controversial new old
[–] wetnoodle@sh.itjust.works 20 points 1 year ago (1 children)

ayy nice I made a few different accounts on my first day and have added a few since especially in case of crazy things like this happeningπŸ˜‚

[–] Moohamin12@lemm.ee 9 points 1 year ago (1 children)

Same here.

I have one on Kbin too.

[–] Gamers_Mate@lemmy.ml 7 points 1 year ago

I have one on .world but I have stopped using it until they decide to defederate with meta. I also have a kbin social account. Which is also nice place to use if .ml goes down from the lemmy vulnerability.

[–] bev@lemmy.world 10 points 1 year ago (1 children)

Afaik, unless lemmy.ml had patched the vulnerability like the lemmy.world folks, the instance is susceptible to the vulnerability.

[–] AzuleBlade@lemmy.world 8 points 1 year ago (1 children)

I almost made the rash, uninformed decision to close up shop on lemmy.world and move my community to another instance. Luckily I did some further reading, and yeah, unless whatever other instance I jumped ship to was also patched I would have just been wasting my time since this is a vulnerability in the Lemmy code and affects all instances until the admins apply a bandaid/the code is fixed.

[–] Railison@aussie.zone 1 points 1 year ago (2 children)

It’s possible to move communities to other instances? How’s it work?

[–] AzuleBlade@lemmy.world 5 points 1 year ago* (last edited 1 year ago)

Not really, unfortunately. You'd have to create the community on a different instance, make a sticky post in the original community redirecting them to the new community, and then lock the community to prevent new posts. If you don't have a lot of content in the original community, or don't care about keeping it, you could delete the community after a week or two once people have subscribed to the new community to prevent confusion.

[–] T156@lemmy.world 2 points 1 year ago

It isn't possible just yet, although there are issues on Lemmy's github for it.

[–] sabreW4K3@lemmy.tf 9 points 1 year ago (3 children)
[–] Kezza596@feddit.uk 8 points 1 year ago

Currently, far as I know. Blahaj seems to have gone down too

[–] BrooklynMan@lemmy.ml 5 points 1 year ago

its back up, btw

[–] TheSaneWriter@lemm.ee 4 points 1 year ago

The past few hours, it was recent.

[–] Yeah2206@infosec.pub 6 points 1 year ago

XSS vulnerbility hack. From a mod:

https://lemmy.blahaj.zone/post/766402

[–] gabriele97@lemmy.g97.top 2 points 1 year ago (1 children)
[–] towerful@programming.dev 7 points 1 year ago* (last edited 1 year ago)

From what I have read so far....

XSS injection in custom emojis.
Essentially, custom emojis used by instances could allow a malicious actor to execute arbitrary code on clients that saw the emoji (within the scope of the website).
There is speculation about links and other vectors, but those aren't clear yet. But the successful attacks have been tracked back to emojis.

The emojis aren't federated, so it would only affect users of that instance that viewed the emoji during the attack.

The injected script (as it was being execute as part of the client UI, thus trusted) had access to the client cookies for the instance.
It would steal the JWT tokens stored in the cookies and send them to a 3rd party site.

Tokens of Admins were then used by the attackers to deface the sites.

It's unclear what user data would have been vulnerable during this time - still being investigated.
There is a high likelihood that this is a GDPR reportable incident.

The fix is for admins to delete all custom emojis via the database, then rotate JWT secrets.
Rotating the secrets invalidates all users JWTs, so everyone has to log in again. This also invalidates the stolen JWTs.

[–] Waluigi@feddit.de 1 points 1 year ago (2 children)

On that note: does anybody know when or even if lemmy.world will be up again? Right now I'm using an alt account but I've got a main one and a community on .world and I couldn't really find any information on how it's going over there.

[–] T156@lemmy.world 4 points 1 year ago

It's already a done issue, but you will need to log back in and refresh your cookies/cache.

[–] Waluigi@feddit.de 2 points 1 year ago (1 children)

Also, are my Passwords at risk?

Probably not, but you should change it anyway. Use a password manager so none of your accounts have the same password.

load more comments
view more: next β€Ί