main

76 readers

2 users here now

Default community for midwest.social. Post questions about the instance or questions you want to ask other users here.

founded 3 years ago

MODERATORS

seahorse@midwest.social

Regarding the recent Lemmy hack *Update* (midwest.social)

submitted 1 year ago* (last edited 1 year ago) by seahorse@midwest.social to c/main@midwest.social

18 comments fedilink hide all child comments

In case you're not aware, multiple Lemmy instances suffered hacks recently that allowed the hackers to gain admin privileges and deface the instances and/or redirect users to other sites. Luckily, midwest.social was not a victim of this from what I can tell. To mitigate any more issues I have deleted the single custom emoji that had been uploaded and rotated the JWT which means you will have to log in again on all your devices.

Update: The devs have released 0.18.2 with a security fix for this and I've upgraded to it.

you are viewing a single comment's thread
view the rest of the comments

[–] trafguy@midwest.social 2 points 1 year ago* (last edited 1 year ago)

Thanks, I did a search and found more discussion:

Tildes community here: https://tildes.net/~tech/17vw/lemmy_world_has_been_hacked_and_is_currently_down
The issue on GitHub Here (linking directly to a proposed temporary fix): https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1628270766

So basically, it sounds like the issue is insufficient input sanitation in the markdown editor allowing unexpected JS to execute on the site. Sounds like the front end can be compromised, but I don't see anyone saying the back end is compromised, although an admin on lemmy.world was compromised.