GNU social JP
    Mastodon.world admins (mwadmin@mastodon.world)'s status on Monday, 10-Jul-2023 16:11:20 JST

    Lemmy.world (Among others) was hacked. It’s fixed now, see https://lemmy.world/post/1290412


    Attachments

    Lemmy.world (and some others) were hacked - LemmyWorld

    While I was asleep, apparently the site was hacked. Luckily, (big) part of the lemmy.world team is in US, and some early birds in EU also helped mitigate this.

    As I am told, this was the issue:

    - There is a vulnerability which was exploited
    - Several people had their JWT cookies leaked, including at least one admin
    - Attackers started changing site settings and posting fake announcements etc

    Our mitigations:

    - We removed the vulnerability
    - Deleted all comments and private messages that contained the exploit
    - Rotated JWT secret which invalidated all existing cookies

    Because not all instances are aware, we will not go into detail on the vulnerability yet.

    Many thanks for all that helped, and sorry for any inconvenience caused!

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.