main

1450 readers

1 users here now

Default community for midwest.social. Post questions about the instance or questions you want to ask other users here.

founded 4 years ago

MODERATORS

seahorse@midwest.social

111

Regarding the recent Lemmy hack *Update* (midwest.social)

submitted 2 years ago* (last edited 2 years ago) by seahorse@midwest.social to c/main@midwest.social

16 comments fedilink hide all child comments

In case you're not aware, multiple Lemmy instances suffered hacks recently that allowed the hackers to gain admin privileges and deface the instances and/or redirect users to other sites. Luckily, midwest.social was not a victim of this from what I can tell. To mitigate any more issues I have deleted the single custom emoji that had been uploaded and rotated the JWT which means you will have to log in again on all your devices.

Update: The devs have released 0.18.2 with a security fix for this and I've upgraded to it.

top 14 comments

sorted by: hot top controversial new old

[–] chicory@midwest.social 9 points 2 years ago

Thank you!

[–] linuxdaemon@midwest.social 9 points 2 years ago* (last edited 2 years ago) (1 children)

If you log in and it doesn't show your username, you might have to clear your cookies for midwest.social and login again. I had to do that in Firefox anyway.

[–] EssentialCoffee@midwest.social 4 points 2 years ago

Thanks for this. I needed to do this on Jerboa too.

[–] BlueLineBae@midwest.social 5 points 2 years ago

Thank you for your work and keeping us safe!

[–] rubbs@midwest.social 5 points 2 years ago

Thank you!

[–] Ascrod@midwest.social 5 points 2 years ago

Thank you!

[–] trafguy@midwest.social 4 points 2 years ago* (last edited 2 years ago)

Thanks, I did a search and found more discussion:

Tildes community here: https://tildes.net/~tech/17vw/lemmy_world_has_been_hacked_and_is_currently_down
The issue on GitHub Here (linking directly to a proposed temporary fix): https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1628270766

So basically, it sounds like the issue is insufficient input sanitation in the markdown editor allowing unexpected JS to execute on the site. Sounds like the front end can be compromised, but I don't see anyone saying the back end is compromised, although an admin on lemmy.world was compromised.

[–] TheCraiggers@midwest.social 3 points 2 years ago

Thanks for your hard work!

[–] george@midwest.social 3 points 2 years ago

Thanks for providing this space for us!

[–] survivorseason44@midwest.social 3 points 2 years ago

Thank you for the update! 👍

[–] SaintWacko@midwest.social 2 points 2 years ago (1 children)

Not sure if it's related, but my midwest.social account had disappeared from wefwef and I had to log back in

[–] seahorse@midwest.social 4 points 2 years ago (1 children)

Yeah, that's because of the new token.

[–] SaintWacko@midwest.social 3 points 2 years ago

Oh. Wow, was that bit about the JWT always there? Did I just completely gloss over it?

[–] FormerGameDev@midwest.social 1 points 2 years ago

so... interestingly, account settings seem to be somehow related to that, as all my settings got mangled.

also, holy cow the dark theme on this is terrible

load more comments