this post was submitted on 10 Jul 2023

63 points (98.5% liked)

Fediverse

42 readers

5 users here now

This magazine is dedicated to discussions on the federated social networking ecosystem, which includes decentralized and open-source social media platforms. Whether you are a user, developer, or simply interested in the concept of decentralized social media, this is the place for you. Here you can share your knowledge, ask questions, and engage in discussions on topics such as the benefits and challenges of decentralized social media, new and existing federated platforms, and more. From the latest developments and trends to ethical considerations and the future of federated social media, this category covers a wide range of topics related to the Fediverse.

founded 1 year ago

Tf happened to lemmy.world? (kbin.social)

submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]

30 comments fedilink hide all child comments

Went there and got some… less than savory images. Do not recommend going there.

Did it get hacked or smth?

top 27 comments

sorted by: hot top controversial new old

[–] [email protected] 16 points 1 year ago

Looks like an admin got compromised. They are in the process of cleaning it up.

[–] [email protected] 10 points 1 year ago (1 children)

if you has account there, maybe, it depends how good is the cryptograph used in the lemmy.world, but if they got hacked, it's means that others intances can too, so be sure to always have a different password for every account, and this is a rule to every account in the internet(you can use good and secure password manager)

[–] [email protected] 14 points 1 year ago (1 children)

Everything can be hacked. In cyber security, it's "when, not if"

[–] [email protected] 6 points 1 year ago (1 children)

Yeah anyone not using randomly generated passwords at this point is just fucking up. I know exactly three of my passwords: the one for my email, the one for my password manager, and the one I'm likely to give out (streaming services and such). The worst anyone can do with the third is cancel my Disney+ or something, and it's really only given to my mom and sisters.

[–] [email protected] 0 points 1 year ago (1 children)

Is salting password hashes so unknown that neither the lemmy devs nor the kbin dev(s?) have implemented it?

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Well this was a JWT compromise, I think, but even still people use really bad passwords all the time. A salt is stored with the user record. The salt's job is to invalidate rainbow tables. If you have a collection of a million bad passwords you can check them all salted in a second or two. Obviously that'll depend on the hashing algorithm to an extent.

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (1 children)

Looks like Lemmy code has a security vulnerability, persistent XSS, that allows injection of Javascript into the sidebar and comments. That allowed the attacker to force load NSFW content even after lemmy.world admins cleaned up the first attack.

There might have also been an admin account compromise at lemmy.world involved. Time will tell if these are related.

Edit: Looks like the injected JS code also steals login tokens from your browser, so that explains the admin compromise. Probably a good idea to not visit Lemmy sites for time being (or block Javascript in your browser, which is always a good idea).

[–] [email protected] 2 points 1 year ago

Gee, who could have thought that allowing html in posts could be bad idea? -Every developer that has ever looked a OWASP.

[–] [email protected] 7 points 1 year ago (4 children)

Definitely looks like a hack. I'd imagine the code has an exploit that someone found

[–] [email protected] 8 points 1 year ago

It was an admin account that was compromised. No 2FA was required.

[–] [email protected] 3 points 1 year ago (2 children)

maybe?, but wihy others didn't get hacked at the too?, maybe was social engineering, or the admin got their credentials compromised, we can't be sure yet

[–] [email protected] 2 points 1 year ago

Also just because you've installed an instance and it works doesn't mean job done. Could've been simply settings.

[–] [email protected] 1 points 1 year ago

Others did get hacked, or are vulnerable to it, but aren't big enough targets?

Beehaw is closed, so they would have had to have an existing account to exploit the same bug (or go through something like Kbin), and Lemmy.world is the biggest Lemmy instance.

[–] [email protected] 2 points 1 year ago (1 children)

Unfortunate if true. Although it is also possible an admin's account was compromised. Would be far less worrying.

[–] [email protected] 9 points 1 year ago

It was a compromised admin. https://kbin.social/m/[email protected]/t/168212/Lemmy-world-is-compromised

[–] [email protected] 6 points 1 year ago

It did :(

[–] [email protected] 2 points 1 year ago (1 children)

Yes. They got hacked. An admin account got compromised, and the hackers exploited a bug in Lemmy-UI (the web site) that let them do things like redirect users to another site that let them run Javscript. It seems to have let them collect some user tokens from accounts, and access an admin account that way.

[–] [email protected] 1 points 1 year ago

If there's a bug in the UI that allows this to happen, there's a bug in the backend too. It looks like they're working on both though

[+] [email protected] -2 points 1 year ago (2 children)

[deleted]

[–] [email protected] 48 points 1 year ago (2 children)

Entitled in what way? They no longer liked how the service was being offered to them and stopped using it?

[–] [email protected] 37 points 1 year ago

Don't bother, you won't get an answer. The dude's a Spez meat-rider.

[–] [email protected] 25 points 1 year ago* (last edited 1 year ago) (1 children)

[–] [email protected] 5 points 1 year ago (1 children)

Heh, that guy again. I wonder if he's conducting some kind of experiment to see what happens when he gets his reputation score as low as possible?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I just assume drunken beatings were the only love he experienced as a child. Negative attention is still attention, and it's the most likely explanation for choosing negative as your default.

On the plus side, it always makes me stop and appreciate my own life. I could be that guy, but the only salty nuts I'm gargling are pistachios

[–] [email protected] 4 points 1 year ago (1 children)

Hey, so, real question for you:

Why are you bothering with all this?

There are a lot of people I don't agree with, some I find downright obnoxious, and the last thing I'd choose to spend my limited time on this earth doing is finding them and telling them why I dislike them. Is there truly nothing better for you, no positivity you can bring to people or things that you do like, that would be a better use of your time than... This?

You aren't punishing your hated foes. You are sticking it to them, you aren't, in fact accomplishing anything. Is reddit truly so pristine and flawless that there is no possible use of your time that could make it better, rather than the shouting into the void you are meaninglessly doing here?

Because, if not... That's awfully sad. Kid with progeria breaking his ribs catching a nerf football sad. Your dad ran over your cat level sad. I am begging you, for the sake of what I am going to call your soul without intending any supernatural implications: find something actually worthwhile to do with your life.

[–] [email protected] 10 points 1 year ago

Why are you bothering with all this?

Most of the time, they're looking for replies like yours. Or people who get outraged and upset and want to "defend" their favourite thing. They're after reactions. It makes their day.

Better way to engage is to hover your cursor over their name and click the "block" icon in the pop-up.

load more comments