Hi everyone.
Lemmy had an XSS vulnerability and we were one of the instances attacked through this vulnerability. We had our homepage replaced by a youtube video.
The lemmy devs were quick to create a PR for this issue and we have patched our instance to fix it,
Also while I do not believe any login tokens were compromised, we have taken the additional measure of rotating our secret key, so everyone will have to login to the site again as your existing credentials will no longer be valid.
If login fails to work properly, you may have to clear your cookies for the site… it seems to get confused about whether you’re logged in or not.
Sorry that this happened, if you have any questions please contact @[email protected] or myself.
Damn that was quick! I didn’t even notice LOL if it wasn’t for this post I would have thought that my account got logged off just for a bug :p
Thank you and the lemmy devs for being so quick!!
out of curiosity, what was the youtube video?
By the way, I don’t know if this is related but I have an issue now after this
I can log in using the web app but in Jerboa when I log in I can see Im logged in but I when I try to do something like commenting it tells me I’m not, then after reopening the app I’m fully logged off again, has this happened to someone else?
you gotta sign out the master key used to authenticate your session was cycled, so you need to get a new one, jerboa gets confused cuz it already has one but is no longer valid
Ohhh it works now! Since it said I wasn’t logged in I thought that meant I wasn’t logged in but apparently not :p
The master encryption key was rotated, meaning your current login creds/tokens are invalid and you have to login again.