We’ll share this post with other instance admins once there’s a bit more discussion, and maybe seeing this will get the ball rolling for other instances to have similar discussions.
I’ve contacted them to see if they would be willing to transfer it to us. Figured I’d have better luck as a Lemmy admin than just someone random. The domain name is under $20 a year so it’s a non-issue.
My lemmy apps can no longer connect to the API (Memmy, mlem, thunder, wefwef etc) unless I manually navigate to a community; however, they won’t accept requests to make posts or comments. Anyone else having this issue?...
Currently it seems to be a vulnerability with custom emojis only, which this instance never had, so currently we shouldn’t be affected. However this is a developing situation and we will continue to monitor.
I can’t remember exactly but @Shadow is the one that takes care of those things, I think he’s got it set up to backup every 8 hours? I’m taking a rapid crash course in sysadmin but I’m not really ready to start poking at production server stuff yet.
In my opinion the “drama” was a critical part of immediately drawing attention to the vulnerability and bringing it to the attention of most instance admins very quickly.
A few things have been added to my to-do list that I’ve learned from this.
We need more backend manpower for coverage.
Major instances, and probably all instances should partner with another instance that’s in an opposite time zone for emergency response. Ideally having partnered admins and backend admins with no more than 8 hours difference between each one for 24 hour reliable coverage would be ideal. Partnered admins should in my opinion have each other’s phone numbers and have it set to bypass do not disturb.
We need to make sure users know how to contact admins off Lemmy for emergencies, as well as ensure that admins are tagged when a situation like this develops. (To my knowledge no lemmy.ca admin was tagged when this started to unfold.)
There’s more thoughts but I can’t remember them on 5 hours of sleep 😴
At this point I’m monitoring inter-instance communication channels non-stop even though I should be in bed. I will be temporarily removing admins that have not responded to my inquiry to confirm if they have 2FA authentication turned on, as initial access appears to have been gained due to lack of 2FA.
At this point it doesn’t seem like community sidebars have the vulnerability. We are fairly confident that they have identified the vulnerability and that lemmy.ca is safe as long as our admin accounts are properly locked down, which we have confirmed.
We can put it in place as an internal policy. I’m 99% confident all admins on Lemmy.ca are using complex password generators, that are hopefully not LastPass with their history of being hacked 😅
Edit: yeah I’m tired. It’s like 3 hours post bed time. I’m supposed to be at work in just over 5 hours.
They’ve been redirecting to lemon party and some weird video. Do not go to the website. This is the admin that has been hacked: https://i.imgur.com/GbYyrBL.jpg...
I just successfully set up 2FA for an account on another instance that doesn’t have a verified email without any issues, so there’s no need to have done email verification to use 2FA.
[Lemmy.ca Discussion] What should we do about Lemmit.online
@bot has been subject to multiple reports from our users over the last while....
Any Canadian based Matrix servers? Or servers associated with lemmy.ca?
Was just interested in joining Matrix and since my lemmy account was on a Canadian server was wondering if my Matrix account could be too.
Apps no longer connect to lemmy.ca API
lemmy.blahaj.zone Also Compromised
The site is down for now but do not try to log in to it.
(URGENT) Lemmy has an XSS vulnerability in the sidebar
cross-posted from: sh.itjust.works/post/923025...
Lemmy.world is compromised