lemmy.world and lemmy.blahaj.zone got hacked, admins in sopuli.xyz should enforce 2FA for admins and possibly disable/look into possible injections from the community sidebar

  • QuentinCallaghanMA · ↑19 · edited · 1 year ago

    I just enabled 2-factor authentication because of this. Script-kiddies are not gonna capture this instance!

    • ananas · ↑9 · edited · 1 year ago

      It’s highly unlikely 2FA is enough to mitigate this kind of attack. It’s a security vulnerability in Lemmy itself, and they are stealing your access token instead of trying to log in as you.

      edit: People, please, no reason to downvote admin ACKs. Just means they’ve at least read the message, after that, it’s their instance and they’ll do as they see fit.
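      The OP's "injections from the community sidebar" and ananas's point that a stolen access token bypasses 2FA both come down to untrusted markup running in an admin's browser. The following is an added example, not Lemmy's own code, of the server-side defence: an allowlist sanitizer for sidebar markup that keeps a few formatting tags, drops every event-handler attribute and non-http(s) link, and renders anything else as plain text. It assumes the sidebar is rendered as HTML (the thread does not say how the actual bug worked); the sample sidebar string is constructed for the demo.

```javascript
// Added example (not Lemmy code): allowlist sanitizer for untrusted markup such as
// a community sidebar, so injected script cannot run in an admin's browser and
// read the session/access token. Assumes the sidebar is rendered as HTML.
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br", "code"]);
const ALLOWED_ATTRS = { a: ["href"] }; // no class/style/on* anywhere

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only plain http(s) links survive; javascript:, data:, vbscript: etc. are dropped.
function safeHref(value) {
  const v = value.replace(/[\u0000-\u001f\u007f]/g, "").trim().toLowerCase();
  return v.startsWith("http://") || v.startsWith("https://");
}

// Parse the raw attribute text of one tag into a name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Walk the input tag by tag; rebuild allowed tags from scratch, escape everything else.
function sanitize(html) {
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      // script, img, iframe, svg, ...: shown literally, never interpreted
      out += escapeText(m[0]);
      continue;
    }
    if (closing) {
      out += `</${name}>`;
      continue;
    }
    const attrs = parseAttrs(m[3]);
    let rebuilt = `<${name}`;
    for (const attr of ALLOWED_ATTRS[name] || []) {
      if (attr in attrs && (attr !== "href" || safeHref(attrs[attr]))) {
        rebuilt += ` ${attr}="${escapeText(attrs[attr])}"`;
      }
    }
    out += rebuilt + ">"; // on* handlers and style are gone: not in the allowlist
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed sample: a normal sidebar with a hostile tag and attribute mixed in.
const SAMPLE_SIDEBAR =
  '<p>Welcome! <a href="https://example.com/rules" onclick="steal()">rules</a></p>' +
  '<script>bad()</script>';

console.log(sanitize(SAMPLE_SIDEBAR));
```

      The important property is that the output is rebuilt from an allowlist rather than filtered by a denylist: a tag or attribute the sanitizer has never heard of cannot slip through, which is what matters when the goal is to keep an admin's token out of reach of anything typed into a sidebar.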

    • 018118055 · ↑7 · 1 year ago

      If they’re stealing sessions that might not be enough. I saw some other mitigations discussed elsewhere.

      • fuser@quex.cc · ↑2 · edited · 1 year ago

        Create new accounts & make them instance admin instead (they have to make a local comment to be made admin). Then remove your “browsing” accounts from admin group until patched.

  • Nuuskis · ↑9 · 1 year ago

    So there are no risks for regular users if they get hacked? Asking for learning purposes.

    • allywilson · ↑4 · 1 year ago

      Depends on the exploit really, but if they have admin access they have access to the info in your profile, so they probably know your email address. I don’t know enough about the backend infra to be sure, but I doubt Lemmy stores passwords in plain text in DBs, etc., and although they have admin access, they probably don’t have access to the DB (again, a bit unfamiliar with all possibilities, but typically the DB is on a separate container/host/service independent of the frontend).

      Does anyone have a link for details on the hack/exploit?