Skip Navigation
I'm going to assume the admins here all have 2FA on their accounts, right?

  • Looks like you're right, admins will just need to update the JWT secret.

    •
    I'm going to assume the admins here all have 2FA on their accounts, right?

  • Really curious to see how they kill the existing tokens, and whether admins have tools to easily clear all sessions. On one of the Matrix chats someone suggested that the tokens have a one year expiry date!

    •
    Beehaw is also down, but they elected to do it

  • Smart move. I'm surprised more instances aren't doing this.

    • Deleted
    *Permanently Deleted*

  • FWIW, right now it seems unlikely that your password was accessible to anyone. Your login cookie may have been taken if you accessed Lemmy on a web browser (apps are likely fine), so you would want to clear your Lemmy cookies and cache once this is over.

    But I'm speculating, and changing your password will definitely help!

    • Deleted
    *Permanently Deleted*

  • This seems to be a front-end JavaScript exploit, so theres's a good chance that this is a Lemmy problem, not a Lemmy[dot]world problem. Don't be surprised if the issue starts spreading to other instances.

    If I were running a server, I would take it offline until a patch is released (Beehaw did this, to be proactive).

    • InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)SP
    spiderplant @infosec.pub
    Posts 0
    Comments 5