Hi everyone.
Lemmy had an XSS vulnerability and we were one of the instances attacked through this vulnerability. We had our homepage replaced by a youtube video.
The lemmy devs were quick to create a PR for this issue and we have patched our instance to fix it,
Also while I do not believe any login tokens were compromised, we have taken the additional measure of rotating our secret key, so everyone will have to login to the site again as your existing credentials will no longer be valid.
If login fails to work properly, you may have to clear your cookies for the site… it seems to get confused about whether you’re logged in or not.
Sorry that this happened, if you have any questions please contact @ada@lemmy.blahaj.zone or myself.
That’s gotta be what, 4 hours from discovery to patch?
Impressive work from everyone nya :)
I love FOSS
glad things are back to normal, hope yall harden security. Thanks for your work
Well, I don’t technically work on the lemmy codebase (I have my hands full with adminning 3 instances and working on Hajkey), but yes I agree it’d be nice if the lemmy dev team could spend some time reviewing and improving the security, in amongst all the other stuff they have to do since Reddit imploded.
Eep. I’m glad that everything is back to normal sorry you had to deal with it. I was away and didn’t get to use Lemmy all weekend so basically I feel like the guy in the Community gif that I always see online :P
Damn that was quick! I didn’t even notice LOL if it wasn’t for this post I would have thought that my account got logged off just for a bug :p
Thank you and the lemmy devs for being so quick!!
out of curiosity, what was the youtube video?
By the way, I don’t know if this is related but I have an issue now after this
I can log in using the web app but in Jerboa when I log in I can see Im logged in but I when I try to do something like commenting it tells me I’m not, then after reopening the app I’m fully logged off again, has this happened to someone else?
you gotta sign out the master key used to authenticate your session was cycled, so you need to get a new one, jerboa gets confused cuz it already has one but is no longer valid
Ohhh it works now! Since it said I wasn’t logged in I thought that meant I wasn’t logged in but apparently not :p
The master encryption key was rotated, meaning your current login creds/tokens are invalid and you have to login again.
Thanks for the reactivity and the transparency
had to remove cookies from lemmy.blahaj.zonw for my login to work
Fittingly, given that the hack seemed to be through the custom emoji interface (?), this thread has some wonderful emoji action!!
Yea how do I know you’re not the hacker that’s still in control? 🤔
How do you know I haven’t always been the hacker who’s in control? :D
Many thanks for sharing and quick measures taken 👍 I tried to change my password now, but it doesn’t safe the new one in my personal settings. Is there anything to consider additionally?
Not sure.
Some people have had to clear cookies to get things working again properly.
Are you getting an error message in the javascript console?
Hi Kaity, thank you for answering so quickly and sorry took a while for me. I am using my iPad and it’s Safari. I noticed that everything seems to be a bit delayed, slow. I have again tried to set a new password and I tried to log out afterwards but the log-out somehow doesn’t work. I suppose there is a time limit to stay logged ans I will wait for that to try again the old and new password (today my Safari safed one worked thankfully)
It seems like it is an identified issue with token invalidation in lemmy and they will be fixing (or have already fixed?) it in a future upgrade.
I’ll keep an eye out for it and try to get it in as soon as possible. In the meantime, clearing site cookies while tricky is the only real option.
Thank you very much 👍🏻
Interesting, took me a little… but after 3 login attempts I was able to login
I haven’t logged on to instances for a week and everything is already on fire.
Looks like I missed all the fun.
i don’t use the main blahaj lemmy site so i probably would’ve not seen it anyway
Kept on having issues today but was finally able to log in. Glad to be back :)
I can no longer access my blahaj account, which sucks because ive done alot on it. Im not sure if its because Blahaj is down or my account is gone, I just cant get into my account anymore.
Yeah I cant even access the site anymore, even if I reset cookies.
I’m facing the same issue. I tried disabling JS by setting Blåhaj Lemmy to “untrusted” on NoScript, and this seemed to work the first time I tried it, but not any subsequent times.
The message I see is, “There was an error on the server. Try refreshing your browser. If that doesn’t work, come back at a later time. If the problem persists, you can seek help in the Lemmy support community or Lemmy Matrix room.”
Opening up the split console in Firefox Web Developer Tools, I see “500 Internal Server Error”. Comparing and contrasting with lemmy.world, I don’t see any other meaningful difference. I’ve also tried visiting Blåhaj Lemmy on Google Chrome on my Android phone, where I don’t have any extensions, but that gave me the same error message.
Edit: There’s a new message now, saying that the site is down for maintenance because of “something hinky going on” that’s causing a “relative URL without a base” error.
@Erikatharsis@kbin.social @ReepusVanguard@lemmy.dbzer0.com
This has been fixed now! There was an error importing an emoji that took the site down right after we went to bed.
Hooray! Thank you for your service.
That’s always how it goes right? Thanks for your hard work :)
@supakaity that’s a 500 … Other source?
Yeah thanks for being on top of things! That was a really quick fix by everybody. Glad to have this place back!