this post was submitted on 10 Jul 2023
1 points (100.0% liked)

Fediverse

9 readers
2 users here now

This magazine is dedicated to discussions on the federated social networking ecosystem, which includes decentralized and open-source social media platforms. Whether you are a user, developer, or simply interested in the concept of decentralized social media, this is the place for you. Here you can share your knowledge, ask questions, and engage in discussions on topics such as the benefits and challenges of decentralized social media, new and existing federated platforms, and more. From the latest developments and trends to ethical considerations and the future of federated social media, this category covers a wide range of topics related to the Fediverse.

founded 2 years ago
1
Tf happened to lemmy.world? (kbin.social)
submitted 2 years ago* (last edited 2 years ago) by ThatOneKirbyMain2568@kbin.social to c/fediverse@kbin.social
12 comments fedilink hide all child comments
 

Went there and got some… less than savory images. Do not recommend going there.

Did it get hacked or smth?

top 11 comments
sorted by: hot top controversial new old
[–] 0xtero@kbin.social 1 points 2 years ago* (last edited 2 years ago)

Looks like Lemmy code has a security vulnerability, persistent XSS, that allows injection of Javascript into the sidebar and comments. That allowed the attacker to force load NSFW content even after lemmy.world admins cleaned up the first attack.

There might have also been an admin account compromise at lemmy.world involved. Time will tell if these are related.

Edit: Looks like the injected JS code also steals login tokens from your browser, so that explains the admin compromise. Probably a good idea to not visit Lemmy sites for time being (or block Javascript in your browser, which is always a good idea).

[–] Vilian@lemmy.ca 0 points 2 years ago (1 children)

if you has account there, maybe, it depends how good is the cryptograph used in the lemmy.world, but if they got hacked, it's means that others intances can too, so be sure to always have a different password for every account, and this is a rule to every account in the internet(you can use good and secure password manager)

[–] AJ@kbin.social 0 points 2 years ago (1 children)

Everything can be hacked. In cyber security, it's "when, not if"

[–] elscallr@kbin.social 0 points 2 years ago (1 children)

Yeah anyone not using randomly generated passwords at this point is just fucking up. I know exactly three of my passwords: the one for my email, the one for my password manager, and the one I'm likely to give out (streaming services and such). The worst anyone can do with the third is cancel my Disney+ or something, and it's really only given to my mom and sisters.

[–] curiosityLynx@kglitch.social 0 points 2 years ago (1 children)

Is salting password hashes so unknown that neither the lemmy devs nor the kbin dev(s?) have implemented it?

[–] elscallr@kbin.social 1 points 2 years ago* (last edited 2 years ago)

Well this was a JWT compromise, I think, but even still people use really bad passwords all the time. A salt is stored with the user record. The salt's job is to invalidate rainbow tables. If you have a collection of a million bad passwords you can check them all salted in a second or two. Obviously that'll depend on the hashing algorithm to an extent.

load more comments
view more: next ›