I’m about to perform this update in the next 10 minutes; all things going well, there should be no downtime/instability.
Also updating to the latest pict-rs v0.4.0 release.
This is an important update as it addresses the Lemmy exploit found yesterday, as well as some other bugs.
The DB is backed up, I’ll post an update here once everything’s done.
As you know, the Lemdit ethos sets out our stance on federation, notably:
Defederating from other instances is an absolute last resort and we will only do so under the following circumstances:
- If their content has the potential to get us into legal trouble
- If they are acting as an attack vector towards us
burggit.moe is unfortunately the first instance whose content has the potential to get us into legal trouble, since they are "NSFW & Loli/Shota/Cub friendly". This type of cartoon child porn is illegal in New Zealand and many other countries.
I have become more aware of them in the wake of vlemmy.net going offline, since burggit.moe were the only instance that Vlemmy defederated before their disappearance a day later: https://lemm.ee/post/794588
To my knowledge burggit.moe is the only instance that supports this kind of content, so hopefully they will remain the exception. I hope you can understand my decision. Please let me know if you have any questions or concerns.
A Lemmy exploit has been used in the wild earlier to attack several instances, among which lemmy.world:
At the time it was believed that the exploit had something to do with the sidebar, so I temporarily restricted new applications and disabled the ability for users to create their own communities:
We have meanwhile learned that this vulnerability is present on any instance that has custom emojis defined, and is exploitable everywhere Markdown is available (posts, comments, private messages, the sidebar, etc).
As of now there is no official patch for it, however a manual fix is described in this thread:
I have applied this fix to Lemdit to be safe, noting that we never had custom emojis enabled so we were never really at risk. 10 comments with the malicious code had federated to us (and were removed through my application of the fix), however you would've still been safe viewing these comments from Lemdit.
We're now back to having open registration and the ability for users to create communities without admin intervention.
I want to reassure you that we were not impacted by this exploit. As previously mentioned, the exploit was specifically linked to custom emojis and we never had those defined/enabled. Even though comments containing the malicious code would've federated to us, the code would not have worked here.
As a consequence of applying the manual fix, all existing login sessions have been reset, so you will have to log back into your Lemdit account.
I expect that a new Lemmy version will be released soon to properly address this vulnerability - I will be patching us to it as soon as it's available.
Let me know if you have any questions or concerns.
If this is true, then any Lemmy instance can potentially be targeted in this way.
As a precaution, I have temporarily switched off open registration and the ability to create new communities. This means that:
I am doing this out of an excess of caution, to reduce the risk that we are impacted by this exploit until a fix is released, or until it's confirmed to be nothing.
These are only temporary measures meant to protect us until everything gets resolved.
cross-posted from: https://lemdit.com/post/44993
It looks like lemmy.world has been hacked.
The instance has been defaced, the site is only intermittently accessible, and sometimes it redirects to a random video or other nasty URLs.
DO NOT ATTEMPT TO LOG INTO LEMMY.WORLD UNTIL THIS IS CLEARED UP AND OFFICIAL ANNOUNCEMENTS ARE MADE BY ITS ADMIN.
My recommendation is to stay away entirely for the time being and monitor other large instances for updates.
Edit: Please refer to https://lemmy.ml/post/1895271 or https://lemdit.com/post/44993 for further updates.
It looks like lemmy.world has been hacked.
The instance has been defaced, the site is only intermittently accessible, and sometimes it redirects to a random video or other nasty URLs.
DO NOT ATTEMPT TO LOG INTO LEMMY.WORLD UNTIL THIS IS CLEARED UP AND OFFICIAL ANNOUNCEMENTS ARE MADE BY ITS ADMIN.
My recommendation is to stay away entirely for the time being and monitor this thread for updates: https://lemmy.ml/post/1895271 (https://lemdit.com/post/44963)
Update:
Initial indications are that this was particular to lemmy.world and not a symptom of wider Lemmy vulnerabilities.
The short of it is:
There's more discussion in this thread: https://feddit.nl/post/458654
From what I can tell, this has nothing to do with their domain expiring / them forgetting to pay their domain bill. WHOIS records show it had been registered for many years, and domain registration is paid for in advance:
The domain status appears to have changed. The June 10th 2023 WHOIS data showed it as:
This is what you expect for a domain that is not currently being transferred.
The status now is:
Something is clearly going on with the domain, and it's not forgetting to pay a bill. All DNS records are gone, so this doesn't look like an oopsie there either.
I think all of these are possibilities:
I think these are unlikely:
It will be interesting to see how this develops. If vlemmy is truly gone, then this is a significant loss to the Fediverse, as they were the only larger Lemmy instance to have a no-defederation policy.
What are your thoughts?
cross-posted from: https://lemdit.com/post/35084
Today I received this text message:
- Opening the URL from a desktop computer redirects to the real NZ Post website.
- Opening the URL from mobile shows a convincing spoofed NZ Post tracking page:
The objective of the scam is to get you to click on "Schedule a Redelivery" and give them your personal details:
They will use this information to contact you and attempt to scam money from you, as well as try any future scams they may come up with.
The combination of URL + believable phishing page makes this scam particularly easy to fall for. If you're from NZ, then it's a good idea to warn your friends and family about it.
I will report the domain but it usually takes a very long time for anything to be done in these cases.
I’m about to perform this update in the next 10 minutes; all things going well, there should be no downtime/instability.
Also updating to the latest pict-rs v0.4.0-rc.14.
The DB is backed up, I’ll post an update here once everything’s done.