
Update on Lemmy hack: Long story short - we're safe here.

lemmy.ml Recap of the Lemmy XSS incident & steps for mitigation - Lemmy

# UPDATE: The latest RC version of Lemmy-ui (0.18.2-rc.2) contains fixes for the issue, but if you believe you were vulnerable, you should still rotate your JWT secret after upgrading! Read below for instructions. Removing custom emoji is no longer necessary after upgrading. Original post follows: -...

See post for details, but a quick tl;dr:

Malicious actors were able to inject code using an XSS (cross-site scripting) attack and steal JWT tokens for users. Any user who had their token compromised has potentially had their password and email address compromised.

This only applies to instances that have local custom emojis. Posts with custom emojis that are federated in from a remote server are not affected.

We currently have no custom emojis, so if your account is here on TTRPG.network, your account is safe.

If your account is remote to an affected server, I would recommend changing your password ASAP.
