Note

This information is based off of early reports I have seen. I don’t claim to know the extent to which any damage was done and as such recommend a password reset (two-factor authentication would not be of use if authentication tokens were compromised), but we do know that this was a JavaScript injection.

Update

As of right now, it seems that the vulnerability should have only exposed JWTs, which have been invalidated by those instance administrators. I’d still recommend a password rotation just because, but you should be alright.

==========

With the recent Lemmy.world incident, I’d like to update you all. This vulnerability could not have affected you had you been using only Memmy while browsing. It was a JavaScript injection, and as Memmy does not execute any JavaScript, there is no attack surface here.

The only case where this could have affected you would be if you had been signed in to your account inside of the in-app browser or the default browser and opened one of these posts. That however would not be something with Memmy itself, but rather the accessing of the PWA.

Regardless, as we don’t actually know what happened, I’d recommend changing passwords. If any JWTs were compromised during this, regardless of 2FA status these tokens could be used to authenticate with your account.

From what I have seen, this was an issue that was limited to Lemmy.world, as supposedly they were running a custom frontend build. Other than that, I don’t know anything else.

Also, for the record, there is only one instance in this application where a webview is used, which is when viewing the terms of service which simply loads a local file from the app assets.

Any questions, I’ll try to answer them but you’d be better off asking people more knowledgeable about the incident.

As always, this is a good time to go over your online security practices.

It is strongly recommended that you use a password manager such as Bitwarden or 1Password if you do not use one already. This can help prevent credential surfing if you have used the same password over many sites, preventing you from having several of your accounts breached from a single breach.

If you have used a password on Lemmy.world that you have used on other sites, you should change those other sites’ passwords immediately.

Email addresses may have been breached during the attack and this may result in increased spam and phishing emails. It is strongly advised that you thoroughly verify any emails that you receive after this, particularly ones relating to login requests, messages from banks or payment providers, such as PayPal, or government institutions.

Thank you for using Memmy and stay safe!

  • @[email protected]
    5
    1 year ago

    I feel really stupid, but how do you sign out of the app? I also cannot find “create a new password” like one user said under profile settings.

    • @cheezoid
      4
      1 year ago

      Don’t create a new password, just change whatever is currently in the password field on your account settings to something random and save it. It should say “invalid login” or something similar. Then just put in your actual password and save it again. That seemed to work for me.

      edit: I just noticed I have to repeat this process every time the Memmy app is closed out and re-opened, which is unfortunate.

      edit 2: as pointed out by afoutopatisa and others, there’s no need to enter nonsense and then your original password again, you can simply hit “save” in your original settings and refresh to achieve the same result

      • @deadhead
        5
        1 year ago

        Same for me, hope this gets addressed soon

      • afoutopatisa
        3
        1 year ago

        You don’t have to write a new password, just hit Save with the existing password; it will force a new login.

        • @cheezoid
          3
          1 year ago

          Very true, thanks for the update

      • @[email protected]
        3
        1 year ago

        I am hitting the same issue. Only on Memmy though so hopefully this can be resolved quickly.

    • Ghostalmedia
      3
      1 year ago

      You’re not stupid, there is no way to remove an account if you only have one account.

      Delete and reinstall the app to log out.