this post was submitted on 10 Jul 2023
submitted 2 years ago* (last edited 2 years ago) by tom to c/feddituk
 

So last night an XSS attack was found on all Lemmy instances. See the Lemmy.world update here: https://feddit.uk/post/453040

What this means is that hackers could inject their own "script" when any user viewed a comment/post that the hackers made. The hackers would then grab your JWT token with the script so they could impersonate that user. (And perform any actions on behalf of the user)

Luckily, it looks like I haven't been compromised, so the site config should all be the same.

What has been done about this

I've removed any comments or posts which included the script; see here: https://github.com/LemmyNet/lemmy-ui/issues/1895

I would have removed all custom emojis as well, but there were none in our DB, which may mean that this site was not affected. Just in case, I've also rotated the JWT tokens so all tokens are now invalid. This means you will have to log out and log back into the instance.

Shoutout to @clara@feddit.uk for messaging me about this and bringing it to my attention.
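Added example (not Lemmy's code and not part of the post) of why rotating the JWT secret forces everyone to log back in: a minimal HS256 session issuer in Python whose verify() only accepts tokens signed under the current secret, so a token captured before the rotation is rejected afterwards. It assumes a single server-side HS256 secret; SessionIssuer and its methods are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SessionIssuer:
    """Mints and checks HS256 JWTs with one server-side secret (constructed example, not Lemmy's code)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def issue(self, user: str, ttl: int = 3600) -> str:
        header = _b64url(json.dumps({"alg": "HS256"}).encode())
        payload = _b64url(json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode())
        sig = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def verify(self, token: str):
        """Return the subject only if the token verifies under the *current* secret, else None."""
        try:
            header, payload, sig = token.split(".")
            if json.loads(_b64url_decode(header)).get("alg") != "HS256":
                return None  # never let the token choose its own algorithm
            expected = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return None  # tampered, forged, or signed under a previous secret
            claims = json.loads(_b64url_decode(payload))
        except (ValueError, AttributeError, UnicodeDecodeError):
            return None
        return claims.get("sub") if claims.get("exp", 0) > time.time() else None

    def rotate(self):
        """The remediation from the post: a fresh secret invalidates every outstanding token."""
        self.secret = secrets.token_bytes(32)

def demo():
    """A token that leaked before rotation is accepted before and rejected after."""
    issuer = SessionIssuer()
    leaked = issuer.issue("alice")  # stands in for a token exfiltrated by the injected script
    before = issuer.verify(leaked)  # "alice": still accepted
    issuer.rotate()
    return before, issuer.verify(leaked)  # ("alice", None): the stolen token is now worthless
```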

all 22 comments
[–] Emperor 15 points 2 years ago

Thanks for doing this, sounds like people were on the ball and managed to sort it quickly.

I imagine the code will be probed quite a bit and this won't be the last time, the important thing is to move fast and sort it out.

[–] snake_case 9 points 2 years ago

Thanks for jumping on this so quickly! And all work you're doing to support this new platform!!

[–] JesusTheCarpenter 7 points 2 years ago

Thank you for your concern and the detailed update!

[–] RelentlessArts 7 points 2 years ago

Thanks Tom and Clara.

[–] Digestive_Biscuit 5 points 2 years ago* (last edited 2 years ago) (3 children)

Great job!

I don't know if it's related. Since today, when I log in to the Jerboa app and then try to post or close/reopen the app, my account for feddit.uk disappears from the app. I have to keep logging in.

[–] Cyber 2 points 2 years ago

Just to say, mine seems ok after closing and reopening the app... but I'll check again later.

[–] fakeman_pretendname 2 points 2 years ago (1 children)

You may need to clear the cache and data for Jerboa on your phone first, then log back in.

[–] Digestive_Biscuit 1 points 2 years ago

Thanks for the tip. I just tried that, didn't work. So then I deleted all data and that did! It meant I had to log in to all my accounts again, but it seems to be working.

[–] Noodle_lover 1 points 2 years ago

Same issue for me. Also using Jerboa.

[–] addie 5 points 2 years ago

Cool! Thanks Tom, appreciate the update and the speedy response.

[–] cloudless 4 points 2 years ago (1 children)

I got a connection error trying to use your wefwef instance. Is this related to the update?

https://app.feddit.uk

[–] tom 3 points 2 years ago

Yeh, fixed, and fixed the issue where updating broke it, so that shouldn't happen anymore.

[–] PCurd 3 points 2 years ago (2 children)

Might not be related but after signing out I’ve not been able to sign back in to app.feddit.uk - using vger.app works fine though.

[–] Emperor 3 points 2 years ago (1 children)

I think Tom said that it breaks every time there's an update.

[–] PCurd 2 points 2 years ago

I just saw his post about doing an update; it's let me in now.

[–] RelentlessArts 1 points 2 years ago

I've been able to sign into the generic wefwef webapp so unsure if there is a difference with the Feddit version.

[–] Fudgy 3 points 2 years ago

Thanks for keeping us all safe. :)

[–] clara 1 points 2 years ago

glad you managed to protect our instance before anything bad happened, good job 🥳 i was worried i'd wake up to a rather spicy looking front page lol. thanks for the hard work!

[–] Flax_vert 1 points 2 years ago (1 children)

Ty for acting; however, I cannot seem to log in on Jerboa. It shows me all of my subscribed feeds but then won't let me comment. Closing and reopening the app logs me out again.

[–] fakeman_pretendname 1 points 2 years ago (1 children)

You may need to clear the cache and data for Jerboa on your phone first, then log back in. I was having the same issue, but that seemed to fix it for me.

[–] Flax_vert 1 points 2 years ago

Yep, fixed it for me also.