this post was submitted on 10 Jul 2023
1 points (100.0% liked)

Main

88 readers
1 users here now

The main community for discussions about how this server is maintained.

founded 1 year ago
MODERATORS
 

Dear LemmyUnchained.net Community,

I'm reaching out to provide an important update about a recent security incident. Please be assured that our instance was not directly targeted, but it's crucial that everyone is informed and understands what happened.

While many of us were offline, a vulnerability was discovered and exploited on the lemmy platform. This led to the leak of JWT cookies from several users, including at least one admin, allowing the perpetrators to alter site settings and post misleading announcements. While it appears our instance was not involved in the leak, this was a vulnerability that could have effected any instance.

However, the dedicated developer team, as well as a huge number of volunteers in the community, quickly sprung into action. Here's a brief summary of their swift response:

  • They identified and patched the vulnerability.

  • All comments and private messages containing the exploit were immediately deleted.

  • The effected instanced rotated the JWT secret, which invalidated all existing cookies.

Please note, we're not providing details of the vulnerability at this time. This is to prevent any issues for those who may still be unaware and potentially vulnerable.

Lemmyunchained wants to extend a heartfelt thanks to all those who stepped in to assist.

In response to this incident, we've taken several additional security measures, including the removal of certain custom data from our databases, the replacement of content containing the exploit, and the rotation of our JWT secret. Due to these changes, you may find you've been logged out and will need to sign back in.

However, for the sake of security, we're not providing specific details about these measures at this time.

On a positive note, while our site was offline, we upgraded from version 18.0 to version 18.1.

Again, I apologize for the sudden offline period, and want to reassure you that it was necessary for the safety and security of our community. We deeply appreciate your understanding and continued support.

Here's to moving forward together, stronger and safer.

Best regards, LU

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here