Hi everyone.
Lemmy had an XSS vulnerability and we were one of the instances attacked through this vulnerability. We had our homepage replaced by a youtube video.
The lemmy devs were quick to create a PR for this issue and we have patched our instance to fix it,
Also while I do not believe any login tokens were compromised, we have taken the additional measure of rotating our secret ket, so everyone will have to login to the site again as your existing credentials will no longer be valid.
Sorry that this happened, if you have any questions please contact @ada@lemmy.blahaj.zone or myself.
That’s gotta be what, 4 hours from discovery to patch?
Impressive work from everyone nya :)
I love FOSS
Yeah thanks for being on top of things! That was a really quick fix by everybody. Glad to have this place back!
Damn that was quick! I didn’t even notice LOL if it wasn’t for this post I would have thought that my account got logged off just for a bug :p
Thank you and the lemmy devs for being so quick!!
out of curiosity, what was the youtube video?
By the way, I don’t know if this is related but I have an issue now after this
I can log in using the web app but in Jerboa when I log in I can see Im logged in but I when I try to do something like commenting it tells me I’m not, then after reopening the app I’m fully logged off again, has this happened to someone else?
you gotta sign out the master key used to authenticate your session was cycled, so you need to get a new one, jerboa gets confused cuz it already has one but is no longer valid
The master encryption key was rotated, meaning your current login creds/tokens are invalid and you have to login again.
Thanks for everything 💜
Yea how do I know you’re not the hacker that’s still in control? 🤔
How do you know I haven’t always been the hacker who’s in control? :D
😲 Oh no… Lol, that’d be funny tho
had to remove cookies from lemmy.blahaj.zonw for my login to work
I just had issues logging in, so I’m gonna make a comment in case anyone else is having issues.
TL;DR: Clear your cookies.
I couldn’t log in from the main page, I would type everything correctly and it would give me a “logged in” popup in the corner, but I wouldn’t actually be logged in. For some reason though I ended up being able to log in from my profile page though, but I wouldn’t stay logged in unless I opened up my profile page and navigated from there. I was also able to log in from the main page while in a private window though, (incognito for chrome users) so I figured clearing my cookies would fix the issue. That’s what I ended up doing, and I was able to log in from the main page and this time I stayed logged in. Sorry for the ramble, but I just wanted to put down everything that happened since it’s clearly a bug with the site, and if someone were to fix this they’re gonna want as much details as can be provided.
Test
Thanks for handling this super quickly! Y’all are the best!
I haven’t logged on to instances for a week and everything is already on fire.
Looks like I missed all the fun.
Removed by mod
glad things are back to normal, hope yall harden security. Thanks for your work
Well, I don’t technically work on the lemmy codebase (I have my hands full with adminning 3 instances and working on Hajkey), but yes I agree it’d be nice if the lemmy dev team could spend some time reviewing and improving the security, in amongst all the other stuff they have to do since Reddit imploded.
Many thanks for sharing and quick measures taken 👍 I tried to change my password now, but it doesn’t safe the new one in my personal settings. Is there anything to consider additionally?
Not sure.
Some people have had to clear cookies to get things working again properly.
Are you getting an error message in the javascript console?
Hi Kaity, thank you for answering so quickly and sorry took a while for me. I am using my iPad and it’s Safari. I noticed that everything seems to be a bit delayed, slow. I have again tried to set a new password and I tried to log out afterwards but the log-out somehow doesn’t work. I suppose there is a time limit to stay logged ans I will wait for that to try again the old and new password (today my Safari safed one worked thankfully)
It seems like it is an identified issue with token invalidation in lemmy and they will be fixing (or have already fixed?) it in a future upgrade.
I’ll keep an eye out for it and try to get it in as soon as possible. In the meantime, clearing site cookies while tricky is the only real option.
Thank you very much 👍🏻