You have probably seen around a dozen posts today about lemmy.world getting pwned, so I’m not going to rehash things.

Fortunately we have a lot of active devs at all times now, so the issue was quickly identified and fixed. This means a new UI release is out, which I’ve just deployed.

For those wondering, this instance wasn’t affected. Even though we had custom emoji, it required a local account to exploit. I don’t know if the attacker was discouraged by our registration application form or applied and got denied, but thankfully I didn’t wake up to a clusterfuck :D

That is to say, your accounts on lemmy.dbzer0.com weren’t in danger, even if the problem comments were federated over. This exploit targeted instance admins and aimed at some good ole defacing and chaos monkey shit. It’s like we’re back in the late 90s!

However, you are advised to keep proper hygiene in your lemmy experience, on this server as well. This particular exploit didn’t steal passwords, but it could have theoretically given the attacker access to your lemmy inbox. The lemmy PMs should not be considered secure in any way. Not only could an attacker compromise you and get access to your inbox, but a malicious admin with root access can just straight up read everything in the DB directly. So don’t put anything important in there! That’s why we have matrix!

Hopefully more thorough patches will be applied soon as well.

  • Rentlar · 20 upvotes · 1 year ago (edited)

    I say that the short window between exploit, then bug discovery, to the patch that fixes it is a big W for FOSS.

  • mikezila@lemmy.dbzer0.com · 9 upvotes · 1 year ago (edited)

    While I hate that this happened, it’s kind of… fun?… to be in a more wild-west corner of the internet again where this kind of shit sometimes happens. I dunno man, the lack of stability is refreshing. Less corpo and more chaotic energy. Real wasteland shit.