main

1324 readers

16 users here now

Default community for midwest.social. Post questions about the instance or questions you want to ask other users here.

founded 2 years ago

MODERATORS

[email protected]

107

Regarding the recent Lemmy hack *Update* (midwest.social)

submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]

16 comments fedilink hide all child comments

In case you're not aware, multiple Lemmy instances suffered hacks recently that allowed the hackers to gain admin privileges and deface the instances and/or redirect users to other sites. Luckily, midwest.social was not a victim of this from what I can tell. To mitigate any more issues I have deleted the single custom emoji that had been uploaded and rotated the JWT which means you will have to log in again on all your devices.

Update: The devs have released 0.18.2 with a security fix for this and I've upgraded to it.

top 14 comments

sorted by: hot top controversial new old

[–] [email protected] 9 points 1 year ago

Thank you!

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (1 children)

If you log in and it doesn't show your username, you might have to clear your cookies for midwest.social and login again. I had to do that in Firefox anyway.

[–] [email protected] 4 points 1 year ago

Thanks for this. I needed to do this on Jerboa too.

[–] [email protected] 5 points 1 year ago

Thank you!

[–] [email protected] 5 points 1 year ago

Thank you for your work and keeping us safe!

[–] [email protected] 5 points 1 year ago

Thank you!

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Thanks, I did a search and found more discussion:

Tildes community here: https://tildes.net/~tech/17vw/lemmy_world_has_been_hacked_and_is_currently_down
The issue on GitHub Here (linking directly to a proposed temporary fix): https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1628270766

So basically, it sounds like the issue is insufficient input sanitation in the markdown editor allowing unexpected JS to execute on the site. Sounds like the front end can be compromised, but I don't see anyone saying the back end is compromised, although an admin on lemmy.world was compromised.

[–] [email protected] 3 points 1 year ago

Thanks for your hard work!

[–] [email protected] 3 points 1 year ago

Thanks for providing this space for us!

[–] [email protected] 3 points 1 year ago

Thank you for the update! 👍

[–] [email protected] 2 points 1 year ago (1 children)

Not sure if it's related, but my midwest.social account had disappeared from wefwef and I had to log back in

[–] [email protected] 4 points 1 year ago (1 children)

Yeah, that's because of the new token.

[–] [email protected] 3 points 1 year ago

Oh. Wow, was that bit about the JWT always there? Did I just completely gloss over it?

[–] [email protected] 1 points 1 year ago

so... interestingly, account settings seem to be somehow related to that, as all my settings got mangled.

also, holy cow the dark theme on this is terrible

load more comments