submitted 1 year ago* (last edited 1 year ago) by seahorse@midwest.social to c/main@midwest.social

In case you're not aware, multiple Lemmy instances suffered hacks recently that allowed the hackers to gain admin privileges and deface the instances and/or redirect users to other sites. Luckily, midwest.social was not a victim of this from what I can tell. To mitigate any more issues, I have deleted the single custom emoji that had been uploaded and rotated the JWT, which means you will have to log in again on all your devices.

Update: The devs have released 0.18.2 with a security fix for this and I've upgraded to it.

[-] chicory@midwest.social 9 points 1 year ago
[-] linuxdaemon@midwest.social 9 points 1 year ago* (last edited 1 year ago)

If you log in and it doesn't show your username, you might have to clear your cookies for midwest.social and log in again. I had to do that in Firefox anyway.

[-] EssentialCoffee@midwest.social 4 points 1 year ago

Thanks for this. I needed to do this on Jerboa too.

[-] BlueLineBae@midwest.social 5 points 1 year ago

Thank you for your work and keeping us safe!

[-] rubbs@midwest.social 5 points 1 year ago
[-] Ascrod@midwest.social 5 points 1 year ago
[-] trafguy@midwest.social 4 points 1 year ago* (last edited 1 year ago)

Thanks, I did a search and found more discussion:

So basically, it sounds like the issue is insufficient input sanitation in the markdown editor allowing unexpected JS to execute on the site. Sounds like the front end can be compromised, but I don't see anyone saying the back end is compromised, although an admin on lemmy.world was compromised.

[-] TheCraiggers@midwest.social 3 points 1 year ago

Thanks for your hard work!

[-] george@midwest.social 3 points 1 year ago

Thanks for providing this space for us!

[-] survivorseason44@midwest.social 3 points 1 year ago

Thank you for the update! 👍

[-] SaintWacko@midwest.social 2 points 1 year ago

Not sure if it's related, but my midwest.social account had disappeared from wefwef and I had to log back in.

[-] seahorse@midwest.social 4 points 1 year ago

Yeah, that's because of the new token.

[-] SaintWacko@midwest.social 3 points 1 year ago

Oh. Wow, was that bit about the JWT always there? Did I just completely gloss over it?

[-] FormerGameDev@midwest.social 1 points 1 year ago

so... interestingly, account settings seem to be somehow related to that, as all my settings got mangled.

also, holy cow the dark theme on this is terrible

this post was submitted on 10 Jul 2023
110 points (99.1% liked)

main


Default community for midwest.social. Post questions about the instance or questions you want to ask other users here.
