In case you’re not aware, multiple Lemmy instances suffered hacks recently that allowed the hackers to gain admin privileges and deface the instances and/or redirect users to other sites. Luckily, midwest.social was not a victim of this from what I can tell. To mitigate any more issues I have deleted the single custom emoji that had been uploaded and rotated the JWT which means you will have to log in again on all your devices.
Update: The devs have released 0.18.2 with a security fix for this and I’ve upgraded to it.
Thank you!
If you log in and it doesn’t show your username, you might have to clear your cookies for midwest.social and login again. I had to do that in Firefox anyway.
Thanks for this. I needed to do this on Jerboa too.
Thank you!
Thank you!
Thank you for your work and keeping us safe!
Thanks, I did a search and found more discussion:
- Tildes community here: https://tildes.net/~tech/17vw/lemmy_world_has_been_hacked_and_is_currently_down
- The issue on GitHub Here (linking directly to a proposed temporary fix): https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1628270766
So basically, it sounds like the issue is insufficient input sanitation in the markdown editor allowing unexpected JS to execute on the site. Sounds like the front end can be compromised, but I don’t see anyone saying the back end is compromised, although an admin on lemmy.world was compromised.
Thanks for your hard work!
Thanks for providing this space for us!
Thank you for the update! 👍
Not sure if it’s related, but my midwest.social account had disappeared from wefwef and I had to log back in
Yeah, that’s because of the new token.
Oh. Wow, was that bit about the JWT always there? Did I just completely gloss over it?
so… interestingly, account settings seem to be somehow related to that, as all my settings got mangled.
also, holy cow the dark theme on this is terrible