So last night a XSS scripting attack was found on all Lemmy instances. See the lemmy world update here https://feddit.uk/post/453040

What this means is that hackers could inject their own “script” when any user viewed a comment/post that the hackers made. The hackers would then grab your JWT token with the script so they could impersonate that user. (And perform any actions on behalf of the user)

Luckily, it looks like I haven’t been compromised so the site config should all be the same

What has been done about this

I’ve removed any comments or posts which included the script see here https://github.com/LemmyNet/lemmy-ui/issues/1895

I would have removed all custom emojis as well but there was none in our DB, this may potentially mean that this site was not affected. Just in case, I’ve also rotated the JWT tokens so all tokens are now invalid. This means you will have to logout and log back into the instance

Shoutout to @clara@feddit.uk for messaging me about this and bringing it to my attention

  • LordWarfire
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    Might not be related but after signing out I’ve not been able to sign back in to app.feddit.uk - using vger.app works fine though.

      • LordWarfire
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I just saw his post about doing an update - it’s let me in now

    • RelentlessArts
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I’ve been able to sign into the generic wefwef webapp so unsure if there is a difference with the Feddit version.