Last night the instance lemmy.world suffered a JavaScript injection attack. The attack set out to steal login cookies of users upon visiting infected threads, primarily targeting admins.

Potentially Affected Data

  • E-Mail address stolen and/or changed (if provided in user settings)
  • Password changed

Mitigations

Malicious comments have been replaced by a removal message. I have deployed the UI hotfix and @ludrol@bookwormstory.social has deleted all Custom Emoji until it is clear whether those are safe to use. Additionally all login sessions have been invalidated as a safety precaution as well, any cookies that were stolen are now rendered useless.

Conclusion

So far it does not seem like this instance was affected.

If you are not using bookwormstory.social and your instance is not on UI Version 0.18.2-rc.1 please be aware that you are likely still at risk of the attack, please check for any announcements of your instance administrators.

Details of the vulnerability are here

    • NeshuraOPMA
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Such is the life of server admins I guess 😅

      • SJ_Zero@lemmy.fbxl.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        At least it’s straightforward to do. At some point I may even automate the process like I have on my other instances.