overview for CMahaff

Lemmy.world down, probably following the upgrade. A reminder to move to smaller instances for a better experience in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 10 points 1 year ago* (last edited 1 year ago) (5 children)

LASIM author here, ironically on my own alt: Just an FYI that support for Lemmy 0.18.3 is not yet out, but keep an eye out for it soon (I have it working on a branch but I need to test it more before release).

This is the first breaking API change since it's creation, so here are the limitations:

Old version (0.1.2) will only support API 0.18.1 and 0.18.2
New version (0.2.0) will only support 0.18.3 (and above until there are more breaking API changes)
Profiles downloaded with 0.1.2 (and below) will automatically be converted to work with 0.2.0.

So that all means:

You can use the old LASIM to migrate between 0.18.2 Lemmy instances
You can use the new LASIM to migrate between 0.18.3 Lemmy instances
You can use the old LASIM to download from an 0.18.2 instance then use the new LASIM to upload to a 0.18.3 instance
You cannot use the new LASIN to download from a 0.18.3 instance and then the old LASIM to upload to a 0.18.2 instance (unless you are comfortable doing some manual work editing the JSON file so "old LASIM" understands it).

This will be true of every release with breaking API changes.

EDIT: PR is out. Once it builds, I'll publish a new release! https://github.com/CMahaff/lasim/pull/21

EDIT 2: Release is published! https://github.com/CMahaff/lasim/releases/tag/v0.2.0

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 8 points 1 year ago* (last edited 1 year ago)

Inject exploit into a comment using custom emoji.
Front-end parses the emoji incorrectly allowing JavaScript to be injected.
JavaScript loads for everyone to views a page with the comment and sends their token and account type to the hackers domain.
Hacker parses received tokens for admins and uses that to inject redirects into the front page of the Lemmy instance.

To answer your other questions:

IMO there probably should be better parsing to remove this stuff from the back-end, so I'm not sure the front-end solution is the complete solution, but it should get things largely under control.
Back-end is theoretically not compromised besides needing to purge all the rogue comments. Attacker presumably never had access to the server itself.
Probably needs to be a mass reset of ALL passwords since lots of people's tokens were sent during the attack, so their accounts could be compromised.

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 3 points 1 year ago

I don't think so, but I'd love to be proven wrong!

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 4 points 1 year ago* (last edited 1 year ago) (1 children)

Oh man this one is SO much worse. If this is what is going on the only way to kick out the hacker will probably be to manually alter the DB. Yikes.

I hope the admin team is aware of this - not sure how one would even contact them.

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 6 points 1 year ago (3 children)

The issue does say changing the password should kick the user out, but yeah, still not good.

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 11 points 1 year ago (6 children)

Oh man, that would be brutal if they are resetting the password and it isn't kicking the attacker out...

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 18 points 1 year ago (2 children)

Yeah, I've been scared to turn on 2FA with all the reports of people being locked out:

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 13 points 1 year ago (4 children)

There's actually another thread on exactly this topic: https://lemmy.ml/post/1875767

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 41 points 1 year ago (14 children)

I actually consider it good news that the redirection is happening this way (something that can be done just by having the lemmy credentials of an admin) vs something indicating they have access to the server itself.

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 35 points 1 year ago* (last edited 1 year ago) (3 children)

My concern is that configuring the site to automatically redirect users sounds like they have pretty large control over the site - the kind of control that I would assume is usually limited to users with root access on the server.

Obviously hope nothing of value is lost and that there is a proper off-site backup of the content.

Edit: See Max-P's comment, it looks like the site redirection was accomplished in a way that IMO suggests they do NOT have full control over the site. We'll obviously have to wait for the full debrief from the admins.

PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) in c/fediverse@lemmy.ml

[–] CMahaff@lemmy.ml 26 points 1 year ago

4AM in the Netherlands where the instance owner Ruud lives... hopefully his assistant admins can clean it up, but it might be a bit before he even knows anything is wrong.

LASIM - A little tool for migrating Lemmy settings / subscriptions / blocks between accounts in c/lemmy@lemmy.ml

[–] CMahaff@lemmy.ml 3 points 1 year ago* (last edited 1 year ago)

Well I guess I'll have to respond with my .ml account instead of my .world account.

Tried to delete this post and post it again, which is what I see from .world, but on .ml both new posts came across, but no deletes did.

So now I can't access this specific post from .world.

Federation bugs are a trip!