multiple lemmy instances are going down to a js injection or admin password hack

Sopuli's Default Community@sopuli.xyz – 41 points – 1 years ago

lemmy.world and lemmy.blahaj.zone got hacked, admins in sopuli.xyz should enforce 2fa for admins and possibly disable/ look into possible injections from the community sidebar

You are viewing a single comment

View all comments Show the parent comment

It's highly unlikely 2FA is enough to mitigate this kind of an attack. It's a security vulnerability in lemmy itself, and they are stealing your access token instead of trying to log in as you.

edit: People, please, no reason to downvote admin ACKs. Just means they've at least read the message, after that, it's their instance and they'll do as they see fit.

OK.

Did Sopuli have any custom emojis enabled? Based on what I read about the hack the vulnerability was linked with those as detailed here.

Nope, there are no custom emojis.

Thank you for answering!

Once this vulnerability gets fixed, I could make a thread to !meta@sopuli.xyz about suggesting custom emojis for Sopuli.