Hi everyone.
Lemmy had an XSS vulnerability and we were one of the instances attacked through this vulnerability. We had our homepage replaced by a youtube video.
The lemmy devs were quick to create a PR for this issue and we have patched our instance to fix it,
Also while I do not believe any login tokens were compromised, we have taken the additional measure of rotating our secret key, so everyone will have to login to the site again as your existing credentials will no longer be valid.
If login fails to work properly, you may have to clear your cookies for the site… it seems to get confused about whether you’re logged in or not.
Sorry that this happened, if you have any questions please contact @[email protected] or myself.
That’s gotta be what, 4 hours from discovery to patch?
Impressive work from everyone nya :)
I love FOSS
Damn that was quick! I didn’t even notice LOL if it wasn’t for this post I would have thought that my account got logged off just for a bug :p
Thank you and the lemmy devs for being so quick!!
out of curiosity, what was the youtube video?
By the way, I don’t know if this is related but I have an issue now after this
I can log in using the web app but in Jerboa when I log in I can see Im logged in but I when I try to do something like commenting it tells me I’m not, then after reopening the app I’m fully logged off again, has this happened to someone else?
you gotta sign out the master key used to authenticate your session was cycled, so you need to get a new one, jerboa gets confused cuz it already has one but is no longer valid
Ohhh it works now! Since it said I wasn’t logged in I thought that meant I wasn’t logged in but apparently not :p
The master encryption key was rotated, meaning your current login creds/tokens are invalid and you have to login again.
Yeah thanks for being on top of things! That was a really quick fix by everybody. Glad to have this place back!
Yea how do I know you’re not the hacker that’s still in control? 🤔
How do you know I haven’t always bee the hacker in control? :D
😲 Oh no… Lol, that’d be funny tho
had to remove cookies from lemmy.blahaj.zonw for my login to work
I can no longer access my blahaj account, which sucks because ive done alot on it. Im not sure if its because Blahaj is down or my account is gone, I just cant get into my account anymore.
Yeah I cant even access the site anymore, even if I reset cookies.
I’m having the same issue. I can’t access the website at all and I definitely cannot login on my app (Connect). I’ve cleared my cookies several times and tried to access the page to no avail.
I’m facing the same issue. I tried disabling JS by setting Blåhaj Lemmy to “untrusted” on NoScript, and this seemed to work the first time I tried it, but not any subsequent times.
The message I see is, “There was an error on the server. Try refreshing your browser. If that doesn’t work, come back at a later time. If the problem persists, you can seek help in the Lemmy support community or Lemmy Matrix room.”
Opening up the split console in Firefox Web Developer Tools, I see “500 Internal Server Error”. Comparing and contrasting with lemmy.world, I don’t see any other meaningful difference. I’ve also tried visiting Blåhaj Lemmy on Google Chrome on my Android phone, where I don’t have any extensions, but that gave me the same error message.
@[email protected] @[email protected]
This has been fixed now! There was an error importing an emoji that took the site down right after we went to bed.
Hooray! Thank you for your service.
That’s always how it goes right? Thanks for your hard work :)
All i get is an unthemed lemmy error page.
Thanks for everything 💜
Fittingly, given that the hack seemed to be through the custom emoji interface (?), this thread has some wonderful emoji action!!
Thanks for the reactivity and the transparency
Kept on having issues today but was finally able to log in. Glad to be back :)
What sort of YouTube video replaced the home page? I’m assuming it was some sort of shock/racist content.
Not sure. I didn’t load it.
Fairly harmless choice by the hacker, though could be a bit of a jumpscare if you’ve allowed autoplay for blåhaj zone
YouTube doesn’t allow you to embed music videos, so it wouldn’t play unless you clicked on it lmao.
Some music video titled “rap god” or something.
I just had issues logging in, so I’m gonna make a comment in case anyone else is having issues.
TL;DR: Clear your cookies.
I couldn’t log in from the main page, I would type everything correctly and it would give me a “logged in” popup in the corner, but I wouldn’t actually be logged in. For some reason though I ended up being able to log in from my profile page though, but I wouldn’t stay logged in unless I opened up my profile page and navigated from there. I was also able to log in from the main page while in a private window though, (incognito for chrome users) so I figured clearing my cookies would fix the issue. That’s what I ended up doing, and I was able to log in from the main page and this time I stayed logged in. Sorry for the ramble, but I just wanted to put down everything that happened since it’s clearly a bug with the site, and if someone were to fix this they’re gonna want as much details as can be provided.
glad things are back to normal, hope yall harden security. Thanks for your work
Well, I don’t technically work on the lemmy codebase (I have my hands full with adminning 3 instances and working on Hajkey), but yes I agree it’d be nice if the lemmy dev team could spend some time reviewing and improving the security, in amongst all the other stuff they have to do since Reddit imploded.
@supakaity that’s a 500 … Other source?
Something still seems broken on the home page. Multiple browsers, clearing cookies, private mode, etc have the same error message. Voyager is also unable to log in. Memmy working ok.
Home page and almost every link from the home page look the same.
Sorry about this. It was caused by an erroneous emojo making the site info endpoint fail to load. Issue is fixed now.
I noticed right away, thanks for the hard work!