Blåhaj Lemmy hacked - eviltoast

Hi everyone.

Lemmy had an XSS vulnerability and we were one of the instances attacked through this vulnerability. We had our homepage replaced by a youtube video.

The lemmy devs were quick to create a PR for this issue and we have patched our instance to fix it,

Also while I do not believe any login tokens were compromised, we have taken the additional measure of rotating our secret key, so everyone will have to login to the site again as your existing credentials will no longer be valid.

If login fails to work properly, you may have to clear your cookies for the site… it seems to get confused about whether you’re logged in or not.

Sorry that this happened, if you have any questions please contact @ada@lemmy.blahaj.zone or myself.

blobcat, heart

  • Sunny@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Many thanks for sharing and quick measures taken 👍 I tried to change my password now, but it doesn’t safe the new one in my personal settings. Is there anything to consider additionally?

    • Kaity A@lemmy.blahaj.zoneOPM
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Not sure.

      Some people have had to clear cookies to get things working again properly.

      Are you getting an error message in the javascript console?

      • Sunny@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Hi Kaity, thank you for answering so quickly and sorry took a while for me. I am using my iPad and it’s Safari. I noticed that everything seems to be a bit delayed, slow. I have again tried to set a new password and I tried to log out afterwards but the log-out somehow doesn’t work. I suppose there is a time limit to stay logged ans I will wait for that to try again the old and new password (today my Safari safed one worked thankfully)

        • Kaity A@lemmy.blahaj.zoneOPM
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          It seems like it is an identified issue with token invalidation in lemmy and they will be fixing (or have already fixed?) it in a future upgrade.

          I’ll keep an eye out for it and try to get it in as soon as possible. In the meantime, clearing site cookies while tricky is the only real option.