Update: Federation and community creation are now back online!

Hey all, there’s a hack floating around which spreads via federated comments and steals users’ Lemmy auth tokens. Lemmy.world and other large instances have been hacked, so we’re taking some precautions until this is fixed:

  • We’re logging everyone out so that auth tokens reset
  • We’re closing off federation and community creation until this is patched

FYI, there are no indications that anyone on our instance has been hacked. We did find ten comments with the code injection attack, which we’ve now scrubbed. But it’s very unlikely that this will cause harm at this stage. There are several steps between this and hacking the entire instance. (Also FYI for nontechnical users, the hack affected Lemmy logins and nothing else. Web browsers run all websites in a kind of “jail”)

Sorry for the inconvenience – growing pains. Updates to come as we learn more!

  • @piece_of_cake
    link
    21 year ago

    Thank you. I was bewildered by the earlier announcement but you have laid it out a lot clearer here.

    • Annoyed_🦀 A
      link
      11 year ago

      I’m sorry if my statement cause you any confusion (シ_ _)シ

      • @zen
        link
        1
        edit-2
        1 year ago

        deleted by creator

        • @dcxOPMA
          link
          1
          edit-2
          1 year ago

          I’d prefer not to until we install a patch, since the exploit seems viral in nature (compromise one instance, use that to compromise the next, etc). So trusting one is like trusting all

          We’re testing that in dev so we might refederate later tonight. Or maybe tomorrow

          • @zen
            link
            1
            edit-2
            1 year ago

            deleted by creator

            • @dcxOPMA
              link
              1
              edit-2
              1 year ago

              Yep! It’s a really obvious one, just escape a bit of user / federation-facing input that wasn’t being escaped. 5-10 lines of code or something.

              • @zen
                link
                2
                edit-2
                1 year ago

                deleted by creator

              • @zen
                link
                2
                edit-2
                1 year ago

                deleted by creator

    • @dcxOPMA
      link
      11 year ago

      Sorry about that, it took us a while to figure out what was going on!

      At the end of the day we’re a community project, not a commercial one, so we don’t have full time sysadmin hands on deck 24/7 etc. (But ultimately I think this is totally fine for what we are! And ultimately non-commercial is more sustainable for online communities IMO)

  • @aerir
    link
    11 year ago

    No wonder I couldn’t see the posts from here today from my instance. Anyway RC2 is out, which should fix this XSS vulnerability

    • @zen
      link
      1
      edit-2
      1 year ago

      deleted by creator

      • @aerir
        link
        1
        edit-2
        1 year ago

        Wouldn’t be too fussed about it tbh, can never play it too safe when it comes to such incidents.

        edit-mmm still can’t see the posts here from my instance, sadge

        • @zen
          link
          3
          edit-2
          1 year ago

          deleted by creator

          • @dcxOPMA
            link
            11 year ago

            Thanks for the heads-up! We’ve given it a reboot and things seem to be working as intended now. In general I have a weekly crunch period which happens around Tue-Thu so I go into low availability, and catch up on the weekend – always welcome to try other admins! Naomi is on technical too :)

            Re: Defederation / allowlist: I’m quite sure a lot of instances defederated actually! I believe I read a note on this on a github discussion, or on a lemmy.ml post. IMO if there’s an active security hole which appears to be spreadable to other instances via federation feeds, there is no reasonable basis on which we can decide to trust external instances. Without a patch, they can become infected at any time. I could be missing an angle, but I still feel full defederation was the right call. Happy to hear the arguments against!

            • @zen
              link
              2
              edit-2
              1 year ago

              deleted by creator

  • @ruk_n_rul
    link
    11 year ago

    Ah, didn’t realize there’s a site sticky. Sorry about the other post. Everyone pening dealing with this ig. Sucks to not be on PC.

    Still not sure if comments loaded from other instances with custom emoji (the vector of this exploit) can trigger the exploit here, but since we defederated there shouldn’t be a way for it to get in, I hope.

    • @zen
      link
      3
      edit-2
      1 year ago

      deleted by creator

      • @ruk_n_rul
        link
        01 year ago

        Thanks for the info. Hope we’re safe for now. Fingers crossed, simpang malaikat 44, all that stuff.

        We’re seeing the pros and cons of federation in action here. A few sites went down but the fediverse survives.

        Unfortunately it also shows the fallacy of one account fits all, as the account could be taken down along with the instance server or walled off when the instance defederates. You really need multiple accounts to access the various pockets of the fediverse. I have 3 now, and one’s on lemmy.world 😔

    • @dcxOPMA
      link
      11 year ago

      No problemo. Seriously, thanks for the concern! And yeah we think we’re as safe as we can make us for the time being.