this post was submitted on 10 Jul 2023
162 points (97.1% liked)

/0

1559 readers
3 users here now

Meta community. Discuss about this lemmy instance or lemmy in general.

Service Uptime view

founded 1 year ago
MODERATORS
162
Updated UI to 0.18.2-rc.1 (lemmy.dbzer0.com)
submitted 1 year ago* (last edited 1 year ago) by db0@lemmy.dbzer0.com to c/div0@lemmy.dbzer0.com
 

You probably seen around a dozen posts today about lemmy.world getting pwned, so I'm not going to rehash things.

Fortunately we have a lot of active devs at all times now, so the issue was quickly identified and fixed. This means a new UI release is out, which I've just deployed.

For those wondering, this instance wasn't affected. Even though we had custom emoji, it required a local account to exploit. I don't know if the attacker was discouraged by our registration application form or applied and got denied, but thankfully I didn't wake up to a clusterfuck :D

That is to say, your accounts in lemmy.dbzer0.com weren't at danger, even if the problem comments were federated over. This exploit targeted instance admins and aimed at some good ole defacing and chaos monkey shit. It's like we're back in the late 90s!

However you advised to keep proper hygiene in your lemmy experience, in this server as well. This particular exploit didn't steal passwords but it could have theoretically given the attacker access to your lemmy inbox. The lemmy PMs should not be considered secure in any way. Not only could an attacker compromise you and get access to your inbox, but a malicious admin with root access can just straight up read everything in the DB directly. So don't put anything important in there! That's why we have matrix!

Hopefully more thorough patches will be applied soon as well.

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here