Wondering if fmhy was hacked like .world

Asking this to know if I should change my password.

18 points

I don’t believe FMHY was affected. For me, the timeline went:

  1. I found out about the hack pretty much immediately when it happened
  2. I immediately hopped into the Lemmy dev Matrix channels to get an idea of what was going on
  3. I crossposted the news of the hack in !technology@lemmy.fmhy.ml about 20 or 30 minutes after it happened
  4. In the dev channels, right around when I made the post, a couple of users were able to pin down the exact vulnerability and which server the user that perpetrated it originated from. A user (that I won’t name) sent test instructions (that were quickly deleted and I will not share on the off chance that there are servers that don’t know about the vuln and haven’t patched or mitigated) that verified the vulnerability.
  5. A pull request for the fix was submitted to GitHub (and, from a cursory look at the PR, it closes the hole that was used for the hack solidly) while, simultaneously, a couple of other devs stated that 0.18.1 is not affected by the vulnerability (which I have not taken the time to verify since they’ve already PRed a patch)

For those reasons, I don’t think FMHY was ever at risk because of how quickly it was updated to 0.18.1 coupled with the fact that I don’t think custom emojis are a thing on here. It’s very possible that I am wrong about that because I’m an idiot but I don’t believe there’s anything to worry about.

5 points

Thanks for the detailed answer

6 points

If I’m going to have an actively unhinged sleep schedule, I figure I might as well put it to good use

2 points

Sending you the sandman (hope that’s proper wording) right away. Happy sleeping ;)

4 points

Fix should come soon, beehaw is already back: https://beehaw.org/post/1039540

5 points

Also, there seems to be no official word from the admins yet.

Edit: official word here!

5 points

On the Divolt, Zinklog said he should’ve made a post before they pulled the plug. But the vulnerability seemed scary. Which I can’t blame em for. No other official word to my knowledge though

3 points

Oh yes I actually agree with that decision. Better safe than sorry.

But I was worried about the information blackout. I feared the admins got hacked and locked out of the server.

I’m not familiar with Divolt. Can you browse without being registered? If not, maybe we need a more public backup channel? Dunno, maybe on Mastodon or on another Lemmy instance?

Today I even checked the fmhy sub on Reddit but there was nothing there.

1 point

Sorry. Was finishing my shift at work

I don’t believe so. Divolt is a self-hosted instance of Revolt that FMHY uses. And Revolt is basically an open-source Discord alternative. I started my account there to see if there was any news about it. Though yeah, Mastodon or something might not be a bad idea, but obviously it’s up to the admins on their plans

2 points

A Mastodon place for announcements would probably be more ideal than another Lemmy instance in case a vulnerability that affects them all causes issues.

15 points

It shouldn’t be affected because the issue came down to running custom emojis, which to my knowledge, fmhy does not use.

It never hurts to log out, change password, and log back in tho

7 points

Thanks for your reply

4 points

Anytime! I went to school for cybersecurity so any other questions feel free to let me know. Granted I’m still very much of an amateur/apprentice.
