layla

joined 3 years ago
[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Permanently deleted

[–] [email protected] 11 points 9 months ago (2 children)

no, and it's not their first time either

[–] [email protected] 35 points 9 months ago (8 children)

you "got dropped" (temporarily removed) because you keep harassing people in mod chat because you're drunk. please log off and come back when you're sober

[–] [email protected] 7 points 11 months ago

Servers are French, but we don't use Cloudflare (haven't since we moved back upstream a few months ago).

[–] [email protected] 19 points 1 year ago

Did I do it right? This bit rules!

 

We have a test instance of Lemmy 0.18.2 running with our patches on top ready for testing:

https://test.hexbear.net

Lemmy has been seeing a lot of activity recently, so this release brings with it a lot of changes (some of which we are hoping are going to fix some of the jank y'all have probably been experiencing). You can see the full list of changes here: https://github.com/LemmyNet/lemmy/releases. This is also the release that removes websockets!

Disclaimer: Anything you post will be nuked after we're done testing, nothing is being saved from the test instance.

If you encounter a bug please let us know what happened, how we can reproduce it, and your OS & browser in the comments below. The more detail, the more likely we can fix things!

 

Hexbear was a victim of a targeted XSS attack similar to the attack many other Lemmy instances have seen.

The account that first leveraged the attack was registered on 2023-07-10 at 03:58 UTC; the fix for the vulnerability was applied by around 04:35 UTC. This leaves a ~40-minute window in which anyone browsing the site could have had their account hijacked.

The attacker was able to act (post, comment, DM) as the account they hijacked. They will also have been able to view/use the compromised account's settings page. This means they will have been able to see users' email addresses. Some accounts that were compromised were temporarily banned; these bans have now been lifted.

If you were using the site during the above time window, please double check your account settings to see if anything was changed.

Passwords were not stolen, JWTs were. We have just invalidated all old JWTs so the attacker no longer has access to the hijacked accounts (this is why all users have been logged out).

[–] [email protected] 0 points 2 years ago (5 children)

So, I'm not Amerikan, but it isn't a stretch to say that without the Dems this wouldn't have been possible right? Obama gave up one supreme court nomination, and RBG wanted to resign under Clinton or whatever and then fucking died when Trump was in office instead, right?

[–] [email protected] 0 points 2 years ago (3 children)

@Cromalin following up from your last comment, yeah, gay marriage will be one of the first to go by the looks of it :yea:

 

I regret to inform you it's Not That Good