I just wanted to inform you all that some other instances got hacked during the night.
It appears to have something to do with a vulnerability regarding custom emojis, but I am not sure about the exact details as I am not that knowledgeable about coding.
I don’t know if this instance is affected by this, but even some that are not have taken preventive measures and logged everyone out to renew the login token, as the hack stole it and used it to spread harmful and disturbing posts.
As usual I spend too much time looking at Subscribed and not enough time looking at local. Sorry about that. Just wanted to confirm that we never had custom emojis (and likely never will) so we were not affected. As far as I can ascertain from the information available, since we weren’t vulnerable in the first place, there is no action needed at this time, which is also why I chose not to make a post about it myself.
Sounds good, you are the one who knows how to run this place.
And that’s the beauty of the fediverse. Lemmy.world might get hacked but the rest of the network is unaffected. Hopefully the exploit can be found and patched before any hackers notice our little instance.
While yes, a lot more places than world got hit. So I figured better safe than sorry.
Oh I totally agree and I’m glad you posted here. It’s just nice that having one (or a few) servers compromised doesn’t mean the entire network was compromised.
I don’t think this instance uses custom emoji and discussion around this Lemmy issue suggests that federated content containing the emojis would probably not be vulnerable to this XSS exploit.
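The comment above mentions an XSS exploit tied to custom emojis without going into the mechanics. As an added illustration that is not lemmy-ui's code and does not reproduce the actual Lemmy bug, the snippet below shows the general shape of this class of problem: an admin-controlled field (here a constructed emoji table with a hypothetical `alt` text) interpolated into markup without escaping, beside the escaped version. The `attributeNames` helper is a deliberately simple checker for well-formed, double-quoted attributes, used only to make the difference visible.

```javascript
// Added example, not code from lemmy-ui. The emoji table and its payload are constructed.

// Escape the five characters that matter inside HTML text and double-quoted attributes.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);

// Constructed emoji table: one benign entry and one whose alt text tries to
// close the attribute and append an event handler.
const EMOJI = {
  wave: { src: "/emoji/wave.png", alt: "waving hand" },
  evil: { src: "/emoji/evil.png", alt: '" onerror="alert(document.cookie)' },
};

// Vulnerable pattern: stored fields go straight into the markup string.
function renderUnsafe(text) {
  return text.replace(/:([a-z]+):/g, (m, name) => {
    const e = EMOJI[name];
    return e ? `<img src="${e.src}" alt="${e.alt}">` : m;
  });
}

// Hardened pattern: every interpolated value is escaped for an attribute context.
function renderSafe(text) {
  return text.replace(/:([a-z]+):/g, (m, name) => {
    const e = EMOJI[name];
    return e ? `<img src="${escapeHtml(e.src)}" alt="${escapeHtml(e.alt)}">` : m;
  });
}

// Toy checker: list the names of double-quoted attributes in the rendered markup.
// Good enough for the well-formed tags this example produces.
function attributeNames(html) {
  const names = [];
  const re = /([a-zA-Z-]+)="([^"]*)"/g;
  let match;
  while ((match = re.exec(html)) !== null) names.push(match[1]);
  return names;
}

// Usage: the unsafe renderer lets the payload become a third attribute,
// which a browser would execute; the safe one keeps it inert text in alt.
const unsafe = renderUnsafe("hello :evil:");
const safe = renderSafe("hello :evil:");
console.log(unsafe, attributeNames(unsafe));
console.log(safe, attributeNames(safe));
```

The payload reads `document.cookie` only to show why the posts in this thread talk about a stolen login token rather than a stolen password: script running in the page can read whatever the client keeps, so rotating sessions (logging everyone out) is the appropriate response on the server side once the rendering bug is fixed.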
There is a release candidate out for lemmy-ui with a fix now. There may be more updates coming as it seems that some more security hardening may need to be worked on.
I honestly have no idea if we do or not. But I am on another instance that doesn’t have them, but decided to log everyone out and try to fix it anyway. Just to be on the safe side.
So I figured better to let people on here know, so that the people in charge can decide if actions need to be taken or not, and so we aren’t caught with our pants down.
I agree. Thank you for sharing this news here.
Glad we’re decentralized and Anonymous doesn’t have my incredibly detailed and highly important Lemmy password >.>
From my current understanding they couldn’t get your password, but they could post from your account.