388
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 10 Jul 2023
388 points (99.2% liked)
Fediverse
17734 readers
42 users here now
A community dedicated to fediverse news and discussion.
Fediverse is a portmanteau of "federation" and "universe".
Getting started on Fediverse;
- What is the fediverse?
- Fediverse Platforms
- How to run your own community
founded 5 years ago
MODERATORS
Yep, same. It was also the most likely scenario.
It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.
The JWT are likely a hot issue, already some Issues on GitHub about them not being revoked properly.
Oh man, that would be brutal if they are resetting the password and it isn't kicking the attacker out...
JWT issue opened 4 days ago: https://github.com/LemmyNet/lemmy/issues/3499
The issue does say changing the password should kick the user out, but yeah, still not good.
This issue from 2 weeks ago was the one I was thinking of, it's worse: https://github.com/LemmyNet/lemmy/issues/3364
Oh man this one is SO much worse. If this is what is going on the only way to kick out the hacker will probably be to manually alter the DB. Yikes.
I hope the admin team is aware of this - not sure how one would even contact them.
Well, provided top level admin access to the server is still protected, a manual DB change ought to be rather doable right?
As for contacting the admins ... the lead admin, ruud, is on mastodon and also admins one of the largest mastodon instances: mastodon.world. They are Dutch however, which means they're likely asleep right now.
All of which raises the broader point about what good admin practice is. This is something the fediverse needs to get better at. In this case, as a bare minimum, every admin should be reachable at a location outside of their own instance.
Ideally, IMO, there'd be an "admin backline protocol" of some sort, where it's super easy or even automatic that every admin of every instance can have an account on any instance they federate with for the purposes of communication etc.