Hi everyone.

Lemmy had an XSS vulnerability and we were one of the instances attacked through this vulnerability. We had our homepage replaced by a youtube video.

The lemmy devs were quick to create a PR for this issue and we have patched our instance to fix it,

Also while I do not believe any login tokens were compromised, we have taken the additional measure of rotating our secret key, so everyone will have to login to the site again as your existing credentials will no longer be valid.

If login fails to work properly, you may have to clear your cookies for the site… it seems to get confused about whether you’re logged in or not.

Sorry that this happened, if you have any questions please contact @[email protected] or myself.

blobcat, heart

  • Reepus
    link
    fedilink
    English
    101 year ago

    Yeah I cant even access the site anymore, even if I reset cookies.

    • crisbyonions
      link
      English
      61 year ago

      I’m having the same issue. I can’t access the website at all and I definitely cannot login on my app (Connect). I’ve cleared my cookies several times and tried to access the page to no avail.

    • Erikatharsis
      link
      fedilink
      4
      edit-2
      1 year ago

      I’m facing the same issue. I tried disabling JS by setting Blåhaj Lemmy to “untrusted” on NoScript, and this seemed to work the first time I tried it, but not any subsequent times.

      The message I see is, “There was an error on the server. Try refreshing your browser. If that doesn’t work, come back at a later time. If the problem persists, you can seek help in the Lemmy support community or Lemmy Matrix room.”

      Opening up the split console in Firefox Web Developer Tools, I see “500 Internal Server Error”. Comparing and contrasting with lemmy.world, I don’t see any other meaningful difference. I’ve also tried visiting Blåhaj Lemmy on Google Chrome on my Android phone, where I don’t have any extensions, but that gave me the same error message.