Update: Federation and community creation are now back online!

Hey all, there’s a hack floating around which spreads via federated comments and steals users’ Lemmy auth tokens. Lemmy.world and other large instances have been hacked, so we’re taking some precautions until this is fixed:

  • We’re logging everyone out so that auth tokens reset
  • We’re closing off federation and community creation until this is patched

FYI, there are no indications that anyone on our instance has been hacked. We did find ten comments with the code injection attack, which we’ve now scrubbed. But it’s very unlikely that this will cause harm at this stage. There are several steps between this and hacking the entire instance. (Also FYI for nontechnical users, the hack affected Lemmy logins and nothing else. Web browsers run all websites in a kind of “jail”)

Sorry for the inconvenience – growing pains. Updates to come as we learn more!

  • dcx@monyet.cc (OP, mod) · score 0 · edited · 1 year ago

    I’d prefer not to until we install a patch, since the exploit seems viral in nature (compromise one instance, use that to compromise the next, etc.). So trusting one is like trusting all.

    We’re testing that in dev, so we might refederate later tonight. Or maybe tomorrow.

    • zen@monyet.cc · score 0 · 1 year ago

      I’m thinking mutual allowlists, but I guess never mind.

      By the way, where did you get the patch from? Is it from the GitHub issue?

      • dcx@monyet.cc (OP, mod) · score 0 · edited · 1 year ago

        Yep! It’s a really obvious one, just escape a bit of user / federation-facing input that wasn’t being escaped. 5-10 lines of code or something.

        • zen@monyet.cc · score 2 · 1 year ago

          Lemmy 0.18.3 is out, and from what I heard, it has a hardcoded 3-day timeout for federation health status.

          So, if an instance is uncontactable for 3 days, it is marked as dormant, and no more federation traffic is sent to it.

          You might want to put it in the SOP, in case federation ever needs to be turned off again, to try to bring it back up within 3 days.

          Otherwise, other instances may mark monyet.cc as dormant, and the remote communities won’t get updates anymore.

          I think the check is scheduled once a day, so perhaps being marked dormant isn’t that permanent, but 3 days plus 1 of lost federation traffic could cause quite a bit of desynchronization.

        • zen@monyet.cc · score 1 · 1 year ago

          Okay, it’s probably this, and 0.18.2-rc.1 has just been tagged.

          Maybe you can keep the mutual allowlists thing in mind, and perhaps also switch signups to require approval. Both of these could be on the SOP for the next time this happens (they haven’t fixed the JWT expiry thing, so…).