Over the last few days several Lemmy instances, such as Lemmy.world and lemmy.blahaj.zone, have fallen victim to hacking. The attack exploited an XSS vulnerability enabled by custom emojis set by an instance, and through it the admins' cookies could be captured. A good recap of the incident has been written here.
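As an added illustration of the vulnerability class, and not Lemmy's code or a reconstruction of the actual bug: an instance-configured custom emoji consists of admin-supplied strings (an image URL and a short description) that are written into an HTML tag on every page where the emoji appears. If those strings are interpolated without escaping, a value containing a double quote closes the attribute early and whatever follows becomes markup, so a script ends up running in the browser of anyone who views the page, with access to that user's cookies. The emoji table, shortcodes, URLs and alt text below are constructed for the example; the test string `" onload="alert(1)` is the usual harmless marker, not a payload from the incident.

```python
import html
from urllib.parse import urlparse

# Constructed emoji table (hypothetical; not data from any real instance).
# Every field is admin-supplied and ends up inside an <img> tag on rendered pages.
CUSTOM_EMOJIS = {
    "sopuli": {
        "url": "https://example.invalid/emoji/sopuli.png",
        "alt": "Sopuli logo",
    },
    # A value containing a double quote: harmless as text, but written into an
    # attribute unescaped it terminates the attribute and starts a new one.
    "tainted": {
        "url": "https://example.invalid/emoji/tainted.png",
        "alt": '" onload="alert(1)',
    },
    # A non-http(s) URL that must never reach a src attribute.
    "badscheme": {
        "url": "javascript:alert(1)",
        "alt": "looks like an emoji",
    },
}


def render_unsafe(shortcode: str) -> str:
    """Vulnerable renderer: admin-supplied strings interpolated straight into attributes."""
    emoji = CUSTOM_EMOJIS[shortcode]
    return f'<img class="emoji" src="{emoji["url"]}" alt="{emoji["alt"]}">'


def render_safe(shortcode: str) -> str:
    """Hardened renderer: pin the URL scheme, then escape every attribute value on output."""
    emoji = CUSTOM_EMOJIS[shortcode]
    if urlparse(emoji["url"]).scheme not in ("http", "https"):
        raise ValueError(f"emoji {shortcode!r}: src must be an http(s) URL")
    # quote=True turns " into &quot; so the value can no longer close the attribute.
    src = html.escape(emoji["url"], quote=True)
    alt = html.escape(emoji["alt"], quote=True)
    return f'<img class="emoji" src="{src}" alt="{alt}">'


if __name__ == "__main__":
    print(render_unsafe("tainted"))   # alt="" onload="alert(1)"  <- injected attribute
    print(render_safe("tainted"))     # alt="&quot; onload=&quot;alert(1)"  <- plain text
```

The point of the hardened version is that escaping happens at the output boundary, on every field, rather than by filtering emoji names on input: a shortcode filter would leave the URL and description fields untouched, and those are exactly the ones that reach the page.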

This vulnerability does not affect Sopuli, as we have not enabled our own emojis, and custom emojis set by an instance do not federate to other instances. After this incident it will probably take a while longer before we enable them. In case you are wondering why you had to log in again: I replaced the JWT secret used by the instance with a new one just in case.


Over the past few days a number of Lemmy instances, such as Lemmy.world and lemmy.blahaj.zone, have fallen victim to hacking. The attack exploited an XSS vulnerability made possible by an instance's own emojis. This way the admins' cookies were captured. A good summary of the incident has been written here.

This vulnerability does not affect Sopuli, because we have not enabled our own emojis. Emojis set by an instance itself do not federate with other instances. Even after this incident, it may take a while longer before they are enabled. If you are wondering why you had to log in again: I replaced the JWT secret used by the instance with a new one, just in case.
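Why replacing the JWT secret forces everyone to log in again, as an added example that is not Lemmy's code: the assumption here, suggested by the announcement's wording, is that a login token is an HS256 JWT signed with one instance-wide secret, so the server recognises a session only by checking the token's HMAC tag under that secret. A token captured through XSS is therefore exactly as good as the admin's own until the secret changes; once it changes, every token signed under the old secret fails verification, the stolen copies included. The `SessionIssuer` class, the user names and the lifetimes below are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """HS256 JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256 tag)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(tag)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the tag verifies under `secret` and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, tag_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        tag = _b64url_decode(tag_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error / JSONDecodeError)
        return None
    # Pin the algorithm server-side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


class SessionIssuer:
    """Toy stand-in for an instance's login-token issuer (hypothetical, not Lemmy's)."""

    def __init__(self, secret: bytes = None):
        self.secret = secret or secrets.token_bytes(32)

    def login(self, user: str, is_admin: bool = False, ttl: int = 3600, now=None) -> str:
        now = int(time.time() if now is None else now)
        return mint_jwt({"sub": user, "admin": is_admin, "iat": now, "exp": now + ttl}, self.secret)

    def authenticate(self, token: str, now=None):
        return verify_jwt(token, self.secret, now)

    def rotate_secret(self) -> None:
        """A new secret invalidates every token signed under the old one, stolen copies included."""
        self.secret = secrets.token_bytes(32)


def demo():
    """Stolen admin token: valid before rotation, rejected after, while fresh logins still work."""
    issuer = SessionIssuer()
    admin_token = issuer.login("admin", is_admin=True)
    # Suppose the cookie holding admin_token was exfiltrated by XSS.
    stolen_ok_before = issuer.authenticate(admin_token) is not None
    issuer.rotate_secret()
    stolen_after = issuer.authenticate(admin_token)          # None: signature no longer verifies
    fresh_ok = issuer.authenticate(issuer.login("admin", is_admin=True)) is not None
    return stolen_ok_before, stolen_after, fresh_ok


if __name__ == "__main__":
    print(demo())  # (True, None, True)
```

Rotation is a blunt instrument: it cannot distinguish the attacker's copy from the admin's own session, which is why every user of the instance is logged out at once. That is the right trade-off after a cookie-theft incident, since a stateless JWT cannot be revoked individually without keeping a server-side denylist.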

  • Obi · 12 upvotes · 1 year ago (edited)

    I was wondering why I couldn't upvote this post, saw it was saying I wasn't logged in, and let me tell you the relogging/logging-out process in Liftoff could use some work; in the end I had to delete the account from the app and re-add it.

    PS: are custom emoji really necessary anyway?

    • QuentinCallaghan (OP, mod, admin) · 9 upvotes · 1 year ago

      I’m not myself an emoji user really, but I thought that perhaps the users could suggest custom emojis for Sopuli. But because of this incident the idea will be postponed.

      • Obi · 9 upvotes · 1 year ago

        I liked emoji in slack in the work context as a way to convey quick acknowledgement/info but on certain social media they tend to get abused or just end up being an eyesore with little informational value. But that’s just my opinion, I can see how it would be cool to have the instance logo as one though.

    • CausticFlames · 3 upvotes · 1 year ago

      Thunder also shit 10 bricks and it took forever. Ended up having to fully reinstall it :/ But we’re back!

  • fraydabson · 7 upvotes · 1 year ago

    Thanks for the update! I figured we didn’t have them enabled. I was a little confused why posts wouldn’t load but didn’t take long to realize I just had to remove and add back my account to Memmy and everything was back to normal! Makes sense now.

  • DigitalAudio · 5 upvotes · 1 year ago

    Awesome! Glad to know we’re doing okay so far. Should we be changing our passwords or taking other safety measures, or are we alright so far?

    • QuentinCallaghan (OP, mod, admin) · 3 upvotes · 1 year ago (edited)

      You should be okay. Of course changing passwords and enabling 2-factor authentication is good just in case.

  • Sibbo · 4 upvotes · 1 year ago

    Whenever I try posting to meta, the post button just shows the circle and the post never appears. So I’ll just have to post here:

    Link: https://ibb.co/6szbZxj

    Title: Subscribed hot feed is filled with years-old posts

    This has been happening slowly for a while already. There was a bug in Lemmy a while ago that caused old posts to be inserted into the database with an almost maximum hot score. I think that was fixed, but it also seems that the hot score is only updated for rather recent posts. Hence, there must be a bunch of posts in the database with a high hot score that are years old.

  • Hamartiogonic · 3 upvotes · 1 year ago

    Thanks. I was already hoping for a clarification like this, since this morning I saw a few messages about the topic on Mastodon and Lemmy.

  • someacnt · 3 upvotes · 1 year ago

    This post confirms that I am on the right instance. Thank you so much for your work! Kiitos paljon! (Thanks a lot!)