• maegul (he/they)@lemmy.ml
    1·
    1 year ago

    Hmmm. Don’t know what the fall out of this will be. But a lot of lemmy is on that server. Unfortunately. Maybe we’ll learn a lesson in the value of decentralisation.

    Ruud also runs mastodon.world, FYI.

    • Lemon@lemmy.blahaj.zoneEnglish
      1·
      1 year ago

      This is why it makes sense for communities to not all pile into one instance, it gives one instance admin too much power and responsibility over everything.

    • Stovetop@lemmy.ml
      1·
      1 year ago

      It looks like they’re in the process. The compromised account was demoted from admin and I see posts are being removed. There will definitely need to be some sort of investigation into how this happened, though.

  • upt@lemmy.ml
    0·
    1 year ago

    Being a part of Lemmy in these early days has been kind of interesting, seeing all of the bugs and bits that will be ironed out over time. One day when Lemmy is as old as Reddit it will all be folklore. Maybe.

  • Max-P@lemmy.max-p.meEnglish
    0·
    1 year ago

    GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

    If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin’s JWT, which then lets the attacker get into that admin’s account which can then spread the exploit further by putting it somewhere where it’s rendered on every single page and then deface the site.

    If your instance doesn’t have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.

    • Kayn@dormi.zoneEnglish
      0·
      1 year ago

      But won’t custom emojis from remote instances still trigger the exploit?

      • ruk_n_rul@monyet.ccEnglish
        01·
        1 year ago

        Apparently the custom emojis are rendered as static images when federated to outside instances so it’s clean.

  • Candelestine@lemmy.caEnglish
    0·
    1 year ago

    Yea, I switched to this alt. It appears to be one of the assistant admins accts. Seems like an old fashioned anon prank, to me, they’re mainly just trying to make stuff offensive and redirect people to lemonparty.

    So, y’know, old school.

    I don’t know if any data is actually in danger, but I doubt it. I don’t see why assistant admins would need access to it.

    • hawkwind@lemmy.managementEnglish
      1·
      1 year ago

      All the bean memes are in danger! On a serious note, old-skool or not, it’s a huge loss of trust in something the community-at-large is excited to see replace reddit.

        • hawkwind@lemmy.managementEnglish
          1·
          1 year ago

          True that. If you look at posts on lemmy.world though, it’s clear their users (which is like 50% of Lemmy) have zero clue they’re defederated ATM, and probably many that don’t know it’s compromised.

          • Hexadecimalkink@lemmy.mlEnglish
            02·
            1 year ago

            Federation and decentralization are not Web 2.0 concepts. Just like people who first learned what a tweet and a follow were and all the other concepts of those social media platforms, they’ll learn the new paradigm. Or they won’t and we’ll stick to 2.0 platforms.

      • Candelestine@lemmy.caEnglish
        1·
        1 year ago

        Par for the course. This system will never be immune to things like that. That’s part of what happens when you decentralize your power. Instead of a single target that can be made highly secure, you have a distributed array of targets.

        People should certainly be engaging on here with full awareness of the reality of the Fediverse, not expecting reddit 2.0. We never will be able to offer exactly what they did. We’ll be naturally worse in some areas and naturally better in others.

        • Philolurker@lemm.eeEnglish
          2·
          1 year ago

          This is why I’m glad I made redundant accounts on multiple instances. When there are problems on lemmy.world, I can just hop on over to another. That’s never been an option with Reddit.

          Now if there was only a way to export or sync user settings like subscriptions, it would be perfect.

      • Menachem@midwest.socialEnglish
        0·
        1 year ago

        idk, im surprised it took this long. there’s a huge variety of admin teams with varying degrees of security awareness and it’s been over a month since the first big influx of users started. it’ll happen again too and probably not before too long

        • Lenins2ndCat@lemmy.mlEnglish
          1·
          1 year ago

          In the 3 years Hexbear has been around it has been attacked A LOT because obviously far right chuds have an interest in messing with leftists but has not to my knowledge had an admin breach. At one point image embeds were completely disabled because they were handing over data they shouldn’t though and risked exposing people to doxxing.

    • figaro@lemdro.id
      1·
      1 year ago

      I was once doing work at a company that provided tech support and security for local businesses. There were a couple big instances of the companies being hacked with ransomware etc. On every occasion, we of course ask, “when was your last backup done?” And without fail, every one of them always responded, “backup?”

  • delendum@lemdit.comEnglish
    0·
    1 year ago

    lemmy.world was briefly back to normal and there had been a post saying that everything was fine now - it’s not.

    The site has just started doing the same thing again.

    Please do not try using lemmy.world for the time being.

    • The Cuuuuube@beehaw.orgEnglish
      0·
      1 year ago

      the post saying everything was fine now was coming from the same account that was originally compromised

      • klyde@lemmy.mlEnglish
        0·
        1 year ago

        Lol so how do you expect to be notified then? You don’t think they can get their account back? They’ll get it back eventually.

        • The Cuuuuube@beehaw.orgEnglish
          1·
          1 year ago

          They have multiple admins. The expectation would be for one of the non compromised admins to make the announcement. It’s a trusted channels thing