this post was submitted on 10 Jul 2023
So there are no risks for regular users if they get hacked? Asking for learning purposes.
Depends on the exploit really, but if they have admin access they have access to the info in your profile, so probably know your email address. I don't know enough about the backend infra to be sure, but I doubt Lemmy stores passwords in plain text in DBs, etc. and although they have admin access, they probably don't have access to the DB (again, a bit unfamiliar with all possibilities, but typically the DB is on a separate container/host/service independent of the frontend).
Does anyone have a link for details on the hack/exploit?
https://github.com/LemmyNet/lemmy-ui/pull/1897
Stealing instance admin auth tokens via cross site injection into custom emoji title.
Thanks for the explanation!
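The injection class named in the thread above (markup placed in a custom emoji title), shown as an added example that is not part of the thread and is not lemmy-ui's code. The record fields (`shortcode`, `image_url`, `title`), the function names and the sample data are assumptions made for illustration; the sketch contrasts unescaped and escaped rendering and adds an audit pass an instance admin could run over stored emoji titles.

```javascript
// Added example: field and function names are assumptions, not lemmy-ui's schema or code.

// Escape the characters that can end an attribute value or open a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Unsafe pattern: the stored title is concatenated straight into markup.
function renderEmojiUnsafe(emoji) {
  return `<img class="icon" src="${emoji.image_url}" title="${emoji.title}">`;
}

// Hardened pattern: every interpolated field is attribute-escaped.
function renderEmojiSafe(emoji) {
  return `<img class="icon" src="${escapeAttr(emoji.image_url)}" ` +
         `title="${escapeAttr(emoji.title)}">`;
}

// Audit helper: return shortcodes of emoji whose title contains
// markup-significant characters, which a plain-text label never needs.
function findSuspiciousEmoji(emojis) {
  return emojis.filter((e) => /[<>"'`=]/.test(e.title)).map((e) => e.shortcode);
}

// List attribute names roughly as an HTML parser would split name="value" pairs.
function attributeNames(html) {
  return [...html.matchAll(/\s([a-z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed sample records (not taken from any real instance).
// The second title breaks out of the attribute with an inert marker attribute.
const sampleEmojis = [
  { shortcode: "party", image_url: "https://example.invalid/p.png", title: "Party parrot" },
  { shortcode: "odd", image_url: "https://example.invalid/o.png", title: 'x" data-injected="1' },
];

console.log(attributeNames(renderEmojiUnsafe(sampleEmojis[1])));
console.log(attributeNames(renderEmojiSafe(sampleEmojis[1])));
console.log(findSuspiciousEmoji(sampleEmojis));
```

In the unescaped output the title's quote closes the attribute and the rest of the string becomes a new attribute; in the escaped output it stays inside `title` as text.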