this post was submitted on 10 Jul 2023
15 points (100.0% liked)

Moving to: m/AskMbin!

235 readers
6 users here now

### We are moving! **Join us in our new journey as we take a new direction towards the future for this community at mbin, find our new community here and read this post to know more about why we are moving. Thank you and we hope to see you there!**

founded 1 year ago
15
Do we have anything to be concerned with from the Lemmy compromise? (kbin.social)
submitted 1 year ago by [email protected] to c/[email protected]
5 comments fedilink hide all child comments
 

I'm still not entirely sure how all this magic works but would I be correct to assume it's only thread data that's transfered across the fediverse? And because Kbin is Kbin, it shouldn't have the exploit the Lemmy software has right?

Appologies if this seems stupid - it's a genuine question

top 5 comments
sorted by: hot top controversial new old
[–] [email protected] 9 points 1 year ago

Yes and no. XSS vulnerabilities are a plentiful problem when there's user generated content and many developers. But this specific exploit targetted the markdown renderer interacting with custom emoji, which I don't think is a feature kbin has?

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

This is a good question. From what’s been released so far it looks like attackers were able to remotely steal authentication tokens, which are normally stored securely in your browser. With these authentication tokens, the attackers were able to access user data, and even in some cases they were able to take over administrator accounts.

From the post that Admin‘s made after the breach was fixed it looks like they spent some time trying to clean up the damage that was done. From what I can see they cleaned up most of the obvious stuff. That said there’s probably a long tail of smaller stuff that they missed that. Still hanging around out there if you notice something report it to an admin.

[–] [email protected] 7 points 1 year ago (1 children)

Just to add, as a user once you logout and login again this will kill the old token and issue a new one. This will stop an attacker who has stolen your token from accessing your account.

As for impact, it really depends on what data you have in your account. Assuming you are a heavy shitposter and do not store nuclear secrets in your account, the impact should be minimal.

[–] [email protected] 2 points 1 year ago

I wish that was an assumption we could make. How many other remfie nat guardsmen are holding classified shit to post for internet clout?

How many ex presidents do we have on Knin?

[–] [email protected] 3 points 1 year ago

I don't think there's any risk of someone stealing your kbin account with this, however I do think that admins can access more data than normal users, including from federated instances. They where only logged in on the web, and I think you can only access that kind of data by accessing the database more directly, which the exploit wouldn't have allowed the hackers to do.