All systems restored, security fix installed (0.18.2) (self.announcements)

submitted 1 year ago* (last edited 1 year ago) by dcx to c/announcements

-5 comments fedilink hide all child comments

Update: Federation and community creation are now back online!

Hey all, there's a hack floating around which spreads via federated comments and steals users' Lemmy auth tokens. Lemmy.world and other large instances have been hacked, so we're taking some precautions until this is fixed:

We're logging everyone out so that auth tokens reset
We're closing off federation and community creation until this is patched

FYI, there are no indications that anyone on our instance has been hacked. We did find ten comments with the code injection attack, which we've now scrubbed. But it's very unlikely that this will cause harm at this stage. There are several steps between this and hacking the entire instance. (Also FYI for nontechnical users, the hack affected Lemmy logins and nothing else. Web browsers run all websites in a kind of "jail")

Sorry for the inconvenience – growing pains. Updates to come as we learn more!

all 19 comments

sorted by: hot top controversial new old

[-] piece_of_cake 2 points 1 year ago

Thank you. I was bewildered by the earlier announcement but you have laid it out a lot clearer here.

[-] dcx 1 points 1 year ago

Sorry about that, it took us a while to figure out what was going on!

At the end of the day we're a community project, not a commercial one, so we don't have full time sysadmin hands on deck 24/7 etc. (But ultimately I think this is totally fine for what we are! And ultimately non-commercial is more sustainable for online communities IMO)

[-] Annoyed_Crabby 1 points 1 year ago

I'm sorry if my statement cause you any confusion (シ_ _)シ

[+] zen 1 points 1 year ago* (last edited 11 months ago)

[deleted]

[-] dcx 1 points 1 year ago* (last edited 1 year ago)

I'd prefer not to until we install a patch, since the exploit seems viral in nature (compromise one instance, use that to compromise the next, etc). So trusting one is like trusting all

We're testing that in dev so we might refederate later tonight. Or maybe tomorrow

[-] aerir 1 points 1 year ago

No wonder I couldn't see the posts from here today from my instance. Anyway RC2 is out, which should fix this XSS vulnerability

[+] zen 1 points 1 year ago* (last edited 11 months ago)

[deleted]

[-] aerir 1 points 1 year ago* (last edited 1 year ago)

Wouldn't be too fussed about it tbh, can never play it too safe when it comes to such incidents.

edit-mmm still can't see the posts here from my instance, sadge

[-] ruk_n_rul 1 points 1 year ago

Ah, didn't realize there's a site sticky. Sorry about the other post. Everyone pening dealing with this ig. Sucks to not be on PC.

Still not sure if comments loaded from other instances with custom emoji (the vector of this exploit) can trigger the exploit here, but since we defederated there shouldn't be a way for it to get in, I hope.

[-] dcx 1 points 1 year ago

No problemo. Seriously, thanks for the concern! And yeah we think we're as safe as we can make us for the time being.

this post was submitted on 10 Jul 2023

6 points (100.0% liked)

Announcements

230 readers

1 users here now

founded 1 year ago

MODERATORS

dcx

hyattpotter