I just wanted to inform you all that some other instances got hacked during the night.

It appears to have something to do with a vulnerability regarding costume emojis, but I am not sure about the exact details as I am not that knowledge about coding.

I don’t know if this instances is affected by this, but even some that are not have taken preventive measurements and loged every one out to renew the login token. As the hack stole it, and used it to spread harmful and disturbing posts.

https://lemmy.world/post/1290412

  • Wintermute@lemmy.villa-straylight.social
    shield
    M
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    1 year ago

    As usual I spend too much time looking at Subscribed and not enough time looking at local. Sorry about that. Just wanted to confirm that we never had custom emojis (and likely never will) so we were not affected. As far as I can ascertain from the information available, since we weren’t vulnerable in the first place, there is no action needed at this time, which is also why I chose not to make a post about it myself.

  • And that’s the beauty of the fediverse. Lemmy.world might get hacked but the rest of the network is unaffected. Hopefully the exploit can be found and patched before any hackers notice our little instance.

  • foobar@lemmy.villa-straylight.social
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I don’t think this instance uses custom emoji and discussion around this Lemmy issue suggests that federated content containing the emojis would probably not be vulnerable to this XSS exploit.

    There is a release candidate out for lemmy-ui with a fix now. There may be more updates coming as it seems that some more security hardening may be need to be worked on.

    • CaptainAStrawberry@lemmy.villa-straylight.socialOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I honestly have no idea if we do or not. But I am on another instens that doesn’t have them, but decided to log everyone out and try to fix it anyway. Just to be on the safe side.

      So I figured better to let people on here know, so that the people in charge can decided if actions need to be taken or not, and so we aren’t caught with are pants down.

      • foobar@lemmy.villa-straylight.social
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        So I figured better to let people on here know, so that the people in charge can decided if actions need to be taken or not, and so we aren’t caught with are pants down.

        I agree. Thank you for sharing this news here.