482

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down)

posted 1 year ago

*

by

in

fediverse@lemmy.ml

242 commentshide report

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?

edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

Sort:

Hot Top Controversial New Old

You are viewing a single thread.

View all comments View context

[ - ]

RoundSparrow@lemmy.ml

18 points

1 year ago

The JWT are likely a hot issue, already some Issues on GitHub about them not being revoked properly.

report

reply

[ - ]

CMahaff@lemmy.ml

11 points

1 year ago

Oh man, that would be brutal if they are resetting the password and it isn’t kicking the attacker out…

report

reply

[ - ]

Max-P@lemmy.max-p.me

12 points

1 year ago

That’s probably what happened here because they did revoke the admin’s access, but it continued.

report

reply

[ - ]

RoundSparrow@lemmy.ml

8 points

1 year ago

JWT issue opened 4 days ago: https://github.com/LemmyNet/lemmy/issues/3499

report

reply

[ - ]

CMahaff@lemmy.ml

6 points

1 year ago

The issue does say changing the password should kick the user out, but yeah, still not good.

report

reply

[ - ]

RoundSparrow@lemmy.ml

7 points

1 year ago

This issue from 2 weeks ago was the one I was thinking of, it’s worse: https://github.com/LemmyNet/lemmy/issues/3364

report

reply

[ - ]

CMahaff@lemmy.ml

4 points

1 year ago

*

Oh man this one is SO much worse. If this is what is going on the only way to kick out the hacker will probably be to manually alter the DB. Yikes.

I hope the admin team is aware of this - not sure how one would even contact them.

report

reply

[ - ]

maegul (he/they)@lemmy.ml

3 points

1 year ago

Well, provided top level admin access to the server is still protected, a manual DB change ought to be rather doable right?

As for contacting the admins … the lead admin, ruud, is on mastodon and also admins one of the largest mastodon instances: mastodon.world. They are Dutch however, which means they’re likely asleep right now.

All of which raises the broader point about what good admin practice is. This is something the fediverse needs to get better at. In this case, as a bare minimum, every admin should be reachable at a location outside of their own instance.

Ideally, IMO, there’d be an “admin backline protocol” of some sort, where it’s super easy or even automatic that every admin of every instance can have an account on any instance they federate with for the purposes of communication etc.

report

reply

Show more comments

Show more comments

Show more comments

Fediverse

!fediverse@lemmy.ml

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of “federation” and “universe”.

Getting started on Fediverse;

What is the fediverse?
- Short ver.
- Full ver.
Fediverse Platforms
How to run your own community

Community stats

440
Monthly active users
966
Posts
14K
Comments

Community moderators