this post was submitted on 10 Jul 2023
178 points (99.4% liked)

Feddit UK

1278 readers
17 users here now

Community for the Feddit UK instance.
A place to log issues, and for the admins to communicate with everyone.

founded 1 year ago
MODERATORS
[email protected]
[email protected]
178
Lemmy security vulnerability update (feddit.uk)
submitted 11 months ago* (last edited 11 months ago) by [email protected] to c/[email protected]
23 comments fedilink hide all child comments
 

So last night a XSS scripting attack was found on all Lemmy instances. See the lemmy world update here https://feddit.uk/post/453040

What this means is that hackers could inject their own "script" when any user viewed a comment/post that the hackers made. The hackers would then grab your JWT token with the script so they could impersonate that user. (And perform any actions on behalf of the user)

Luckily, it looks like I haven't been compromised so the site config should all be the same

What has been done about this

I've removed any comments or posts which included the script see here https://github.com/LemmyNet/lemmy-ui/issues/1895

I would have removed all custom emojis as well but there was none in our DB, this may potentially mean that this site was not affected. Just in case, I've also rotated the JWT tokens so all tokens are now invalid. This means you will have to logout and log back into the instance

Shoutout to @[email protected] for messaging me about this and bringing it to my attention

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 3 points 11 months ago (1 children)

I got a connection error trying to use your wefwef instance. Is this related to the update?

https://app.feddit.uk

[โ€“] [email protected] 3 points 11 months ago

Yeh fixed and fixed the issue where updating broke it so that shouldn't happen anymore