Server-side authentication bug; maybe fallout from the recent attack? I’d expect instability for the next day or so as auth & related problems shake out.
Summary: Attacker found a way to inject JavaScript into the sidebar, letting them steal auth tokens (“JWTs”), including from an admin account. They then used the stolen admin access to vandalize the site. At one point, the attacker used the stolen admin account to falsely announce that the attack had been remediated. Later that day, the attack actually was remediated by the site owner (Ruud) and the vulnerability was patched in the Lemmy code.
Yep lemmy.world is live (stress) testing in production. It has its benefits, like when a set of patches were committed to vastly improve performance that was a big problem on a huge instance like lemmy.world but not on the smaller ones, and its downsides with all the random issues that pop up which happen when testing live in production.
Lemmy has been improved at light speed over the last couple of weeks. When I joined around 3 weeks ago everything felt prototype-like. But now lemmy.world back-end with Voyager front-end feels almost like Apollo quality. At this rate, it definitely will, in another couple of weeks.
Server-side authentication bug; maybe fallout from the recent attack? I’d expect instability for the next day or so as auth & related problems shake out.
Attack? I am outta the loop. What happened?
https://lemmy.world/post/1290412
Summary: Attacker found a way to inject JavaScript into the sidebar, letting them steal auth tokens (“JWTs”), including from an admin account. They then used the stolen admin access to vandalize the site. At one point, the attacker used the stolen admin account to falsely announce that the attack had been remediated. Later that day, the attack actually was remediated by the site owner (Ruud) and the vulnerability was patched in the Lemmy code.
Appreciate the info.
Removed by mod
Production services are actually fuckin’ goddamn difficult, and I add another swear to this comment for every time I have to try reposting it.
Yep lemmy.world is live (stress) testing in production. It has its benefits, like when a set of patches were committed to vastly improve performance that was a big problem on a huge instance like lemmy.world but not on the smaller ones, and its downsides with all the random issues that pop up which happen when testing live in production.
Lemmy has been improved at light speed over the last couple of weeks. When I joined around 3 weeks ago everything felt prototype-like. But now lemmy.world back-end with Voyager front-end feels almost like Apollo quality. At this rate, it definitely will, in another couple of weeks.