this post was submitted on 10 Jul 2023
356 points (99.2% liked)

Fediverse

17776 readers
40 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS
 

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked.

you are viewing a single comment's thread
view the rest of the comments
[–] CMahaff@lemmy.ml 30 points 1 year ago (1 children)

I actually consider it good news that the redirection is happening this way (something that can be done just by having the lemmy credentials of an admin) vs something indicating they have access to the server itself.

[–] maegul@lemmy.ml 21 points 1 year ago (4 children)

Yep, same. It was also the most likely scenario.

It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.

[–] CMahaff@lemmy.ml 14 points 1 year ago (1 children)
[–] darrsil@beehaw.org 9 points 1 year ago

Yeah, the Lemmy 2FA implementation sucks. It only works in certain authenticators - Authy not being one of them. Google Authenticator does work and apparently so does the iOS keychain (but can't confirm that one).

Best way to do it is to enable it and set it up but keep the settings window open, then open a separate incognito window and try to log in. If your 2FA code doesn't work, go back to the other settings window and disable it.

[–] RoundSparrow@lemmy.ml 12 points 1 year ago (1 children)

The JWT are likely a hot issue, already some Issues on GitHub about them not being revoked properly.

[–] CMahaff@lemmy.ml 7 points 1 year ago (2 children)

Oh man, that would be brutal if they are resetting the password and it isn't kicking the attacker out...

[–] Max_P@lemmy.max-p.me 7 points 1 year ago

That's probably what happened here because they did revoke the admin's access, but it continued.

[–] RoundSparrow@lemmy.ml 5 points 1 year ago (1 children)
[–] CMahaff@lemmy.ml 5 points 1 year ago (1 children)

The issue does say changing the password should kick the user out, but yeah, still not good.

[–] RoundSparrow@lemmy.ml 5 points 1 year ago (1 children)

This issue from 2 weeks ago was the one I was thinking of, it's worse: https://github.com/LemmyNet/lemmy/issues/3364

[–] CMahaff@lemmy.ml 3 points 1 year ago* (last edited 1 year ago)

Oh man this one is SO much worse. If this is what is going on the only way to kick out the hacker will probably be to manually alter the DB. Yikes.

I hope the admin team is aware of this - not sure how one would even contact them.

[–] G59@lemmy.ml 6 points 1 year ago

The hacked MichelleG account actually commented that it did not have MFA enabled lol. This was on the lemmy.world shitpost community, on one of the posts making memes about the situation. Hilarious that the hacker decided to share that.

[–] Rentlar@lemmy.ca 2 points 1 year ago

OK good to know that the server itself is unlikely to be compromised. I'll be changing passwords to all my accounts once this blows over.