this post was submitted on 10 Jul 2023
60 points (100.0% liked)

sh.itjust.works Main Community

7729 readers
1 users here now

Home of the sh.itjust.works instance.

Matrix

founded 1 year ago
MODERATORS
 

There’s plenty of posts on the topic about Lemmy.world being compromised, followed by the exploit being tracked back to an XSS exploit that I believe works on instances with custom emojis enabled. Many instances have been quick to jump on this such as feddit.uk and Behaw which took itself down temporarily.

Does this affect sh.itjust.works?

If so what are the admins doing about it?

Can we get some sort of admin post about this? Last update from them was some time ago.

Hopefully the admins have 2FA enabled on their accounts.

top 9 comments
sorted by: hot top controversial new old
[–] TheDude 77 points 1 year ago (3 children)

Hey all,

As others mentioned we did not have custom emojis so we were not affected by this particular attack. I have since upgraded our UI to 0.18.2-rc.1 which mitigates this XSS vulnerability.

[–] CannedTuna 13 points 1 year ago

Hey, thanks Dude for your reply! I’m glad to hear this instance isn’t affected and y’all already pushed a fix. Thanks for all you do.

[–] WheeGeetheCat 6 points 1 year ago

Good to know and a strong argument for not jumping to implement brand-new features (let the others be testers haha)

[–] Artemis 1 points 1 year ago (1 children)

I love that you chose TheDude for your account name as the admin of this instance. It just fits so well

[–] CannedTuna 1 points 1 year ago* (last edited 1 year ago)

The Dude abides.

Edit: [email protected] instead of “buy me a coffee”, it should be “buy me a White Russian”

[–] [email protected] 21 points 1 year ago* (last edited 1 year ago) (1 children)

sh.itjust.works doesn’t have custom emojis and so is fairly safe from this specific exploit. Only local users of instances with custom emojis were at risk if they had visited a malicious page on their home instance.

Lemmy-ui pushed a fix for this vulnerability just 8 minutes ago, so we’ll see if that makes it here.

[–] CannedTuna 4 points 1 year ago

Thanks for the heads up!

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)

2fa could be bypassed. Didn’t matter.

All instances were equally vulnerable. But not all were targeted.

Theres been advice on mitigations to prevent this particular vulnerability. If your instance has implemented them, shouldn’t be a problem.

A UI fix should be pushed shortly.

load more comments
view more: next ›