Update 2: Clear cookies / cache and re-login. I can confirm we were NOT impacted by the security vulnerability but I have restricted sign ups and cleared existing logins. Security patch applied.

We were not impacted by the security incident. However, we do have a suspicious sign-up which I’ll be investigated. I have made sure there’s no custom emoji (attack vector) and will apply the patch as soon as possible (edit it’s been applied).

Browsing malicious posts from remote instances WILL NOT compromise your account. Just in case, I’ve also remove these posts from the database.

Stay tuned for more updates.

Update 1: Yiffit.net should not have been impacted by the recent security vulnerability. I’m investigating.

Hello, we should not have been impacted since we don’t have custom emoji. We did have one emoji, but I removed it hours ago.

I do have one suspicious sign up request. I’m investigating and will potentially invalidate everyone’s session so you might need to login again.

Also, my login credentials as admin to Yiffit are completely different to the ones to the server. If my account here were to be compromised an attacker would not get access to the server.

  • @WanderOPMA
    link
    fedilink
    3
    edit-2
    1 year ago

    The vulnerability gave attackers access to user accounts and admins accounts by stealing their session token.

    Admin accounts on Lemmy have no access to emails, IPs or anything similar. The worst that could have happened is them using the admins capability of permanently delete stuff from the database which can be fixed with importing a backup.

    Also, getting access to impacted users and admins private messages. But only for the users that viewed an infected post in an impacted instance.

    • Alexmitter
      link
      fedilink
      21 year ago

      Do you know how it did work? I see it seems to be related to custom emojis, that sounds like a interesting attack vector to me.

      • @WanderOPMA
        link
        fedilink
        31 year ago

        I haven’t been able to look deeper into it, but for some reason the user input wasn’t properly sanitized when a custom emoji from one local’s instance was used.

        I’ve got a few meetings now, but will try to look more into later.