• CMahaff@lemmy.ml
    link
    fedilink
    English
    arrow-up
    41
    ·
    1 year ago

    I actually consider it good news that the redirection is happening this way (something that can be done just by having the lemmy credentials of an admin) vs something indicating they have access to the server itself.

    • maegul (he/they)@lemmy.ml
      link
      fedilink
      English
      arrow-up
      30
      ·
      1 year ago

      Yep, same. It was also the most likely scenario.

      It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.

        • darrsil@beehaw.org
          link
          fedilink
          English
          arrow-up
          15
          ·
          1 year ago

          Yeah, the Lemmy 2FA implementation sucks. It only works in certain authenticators - Authy not being one of them. Google Authenticator does work and apparently so does the iOS keychain (but can’t confirm that one).

          Best way to do it is to enable it and set it up but keep the settings window open, then open a separate incognito window and try to log in. If your 2FA code doesn’t work, go back to the other settings window and disable it.

          • bert@lemmy.monster
            link
            fedilink
            English
            arrow-up
            6
            ·
            1 year ago

            I am using 2fas with no issue and set it up using the method you described. So far, so good…in case anyone needed a vote of confidence!

      • RoundSparrow@lemmy.ml
        link
        fedilink
        English
        arrow-up
        17
        ·
        1 year ago

        The JWT are likely a hot issue, already some Issues on GitHub about them not being revoked properly.

        • CMahaff@lemmy.ml
          link
          fedilink
          English
          arrow-up
          11
          ·
          1 year ago

          Oh man, that would be brutal if they are resetting the password and it isn’t kicking the attacker out…

          • Max-P@lemmy.max-p.me
            link
            fedilink
            English
            arrow-up
            11
            ·
            1 year ago

            That’s probably what happened here because they did revoke the admin’s access, but it continued.

            • CMahaff@lemmy.ml
              link
              fedilink
              English
              arrow-up
              6
              ·
              1 year ago

              The issue does say changing the password should kick the user out, but yeah, still not good.

                • CMahaff@lemmy.ml
                  link
                  fedilink
                  English
                  arrow-up
                  4
                  ·
                  edit-2
                  1 year ago

                  Oh man this one is SO much worse. If this is what is going on the only way to kick out the hacker will probably be to manually alter the DB. Yikes.

                  I hope the admin team is aware of this - not sure how one would even contact them.

                  • maegul (he/they)@lemmy.ml
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    ·
                    1 year ago

                    Well, provided top level admin access to the server is still protected, a manual DB change ought to be rather doable right?

                    As for contacting the admins … the lead admin, ruud, is on mastodon and also admins one of the largest mastodon instances: mastodon.world. They are Dutch however, which means they’re likely asleep right now.

                    All of which raises the broader point about what good admin practice is. This is something the fediverse needs to get better at. In this case, as a bare minimum, every admin should be reachable at a location outside of their own instance.

                    Ideally, IMO, there’d be an “admin backline protocol” of some sort, where it’s super easy or even automatic that every admin of every instance can have an account on any instance they federate with for the purposes of communication etc.

      • G59@lemmy.mlOP
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 year ago

        The hacked MichelleG account actually commented that it did not have MFA enabled lol. This was on the lemmy.world shitpost community, on one of the posts making memes about the situation. Hilarious that the hacker decided to share that.

      • Rentlar@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        OK good to know that the server itself is unlikely to be compromised. I’ll be changing passwords to all my accounts once this blows over.