CMahaff

And if the thought of setting up another account annoys you, I've made a tool that will migrate your account settings, subscriptions, and blocks: https://github.com/CMahaff/lasim

Now that does require the source instance to be up long enough to download your profile, but after that you can upload to any instance you want and be running like nothing changed in like 2 minutes.

A super minor one, but there's a new "infinite scrolling" boolean added to the user settings.

For rust app developers, the publishing of lemmy_api_common crate is also discontinued with this release: https://github.com/LemmyNet/lemmy/commit/5cd4c6c5868c8bec964b6065d079f3a057885be7

For LASIM I switched to point at the Git Repo + Specific Tag in my Cargo.toml.

Another thread linked to this post which has some digging / speculation into what may have gone wrong: https://lemdit.com/post/262746

I made a tool that can help: https://github.com/CMahaff/lasim

It allows you to synchronize subscriptions, blocks, and profile settings between accounts.

(though FYI different versions only gracefully handle a specific API version at a time so there's some limitations right now as instances upgrade from 0.18.2 to 0.18.3 - see my comment here: https://lemmy.ml/comment/2094948 )

EDIT: Second link isn't working - must be a Lemmy bug. But you can see it as a recent post on my profile.

Removed "and above" from page and instead added a note to always get the latest version if your version isn't listed as supported explicitly.

Thanks for your kind words, I'm glad it has helped you!

LASIM author here, ironically on my own alt: Just an FYI that support for Lemmy 0.18.3 is not yet out, but keep an eye out for it soon (I have it working on a branch but I need to test it more before release).

This is the first breaking API change since it's creation, so here are the limitations:

• Old version (0.1.2) will only support API 0.18.1 and 0.18.2
• New version (0.2.0) will only support 0.18.3 (and above until there are more breaking API changes)
• Profiles downloaded with 0.1.2 (and below) will automatically be converted to work with 0.2.0.

So that all means:

• You can use the old LASIM to migrate between 0.18.2 Lemmy instances
• You can use the new LASIM to migrate between 0.18.3 Lemmy instances
• You can use the old LASIM to download from an 0.18.2 instance then use the new LASIM to upload to a 0.18.3 instance
• You cannot use the new LASIN to download from a 0.18.3 instance and then the old LASIM to upload to a 0.18.2 instance (unless you are comfortable doing some manual work editing the JSON file so "old LASIM" understands it).

This will be true of every release with breaking API changes.

EDIT: PR is out. Once it builds, I'll publish a new release! https://github.com/CMahaff/lasim/pull/21

EDIT 2: Release is published! https://github.com/CMahaff/lasim/releases/tag/v0.2.0

The whole site is having stability issues at the minute.

There was ddos attack on it earlier and it hasn't really recovered.

There are tools that can help! https://lemmy.ml/post/1875767

I made LASIM - it's takes 2 API calls to fetch your subscriptions (1 login, 1 profile), so with lemmy.world being 50/50 on those calls, you might have to try a few time, but once you have em, it will be easy to push them to a new instance.

1. Inject exploit into a comment using custom emoji.
2. Front-end parses the emoji incorrectly allowing JavaScript to be injected.
3. JavaScript loads for everyone to views a page with the comment and sends their token and account type to the hackers domain.
4. Hacker parses received tokens for admins and uses that to inject redirects into the front page of the Lemmy instance.

To answer your other questions:

• IMO there probably should be better parsing to remove this stuff from the back-end, so I'm not sure the front-end solution is the complete solution, but it should get things largely under control.
• Back-end is theoretically not compromised besides needing to purge all the rogue comments. Attacker presumably never had access to the server itself.
• Probably needs to be a mass reset of ALL passwords since lots of people's tokens were sent during the attack, so their accounts could be compromised.

I don't think so, but I'd love to be proven wrong!