I would be cautious about viewing any Lemmy.world communities right now, and the Beehaw admins should make sure their credentials are locked down in case they get targeted next.

  • mutant@kbin.social
    link
    fedilink
    arrow-up
    8
    ·
    1 year ago

    this is fucking hilarious, this is going to be a blow to confidence in the security of the fediverse
    i wonder if the websites that covered the reddit protest will cover this

    • loobkoob@kbin.social
      link
      fedilink
      arrow-up
      25
      ·
      edit-2
      1 year ago

      Surely it’s not really any different to any other website’s admin having their account hacked/their password socially engineered? It’s not an inherent flaw in the fediverse as a whole, just a human issue.

      EDIT: see @Zephyrix’s comment below. It was a security flaw.

      • Zephyrix@kbin.social
        link
        fedilink
        arrow-up
        8
        ·
        edit-2
        1 year ago

        This was not a social engineering. It was a JavaScript injection that stole browser cookies, bypassing password changes and 2FA.

        However, it seems lemmy.world was running a custom version of the UI. So it’s possible that it only affected their instance. Hard to say at this point.

        • loobkoob@kbin.social
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Oh, well in that case it’s a little more concerning. But I don’t expect it to be a long-term issue. It certainly isn’t a serious blow to my confidence in the security of the fediverse, that’s for sure! It being a somewhat minor breach may be a blessing, also; it means there’ll almost certainly be more of a focus on security going forward before something more serious happens.

    • chinpokomon@beehaw.org
      link
      fedilink
      arrow-up
      11
      ·
      1 year ago

      Arguably it is a strength. Unless a user has used the same username and password for different instances, their credentials on one instance are shielded from exploit over the whole network. The potential risk can only really be determined by how security was breeched. If it was social engineering, then there isn’t any other direct concern. If it was a vulnerability in software, then the same attack could be played out on other instances, but that’s not any different than other systems like a Linux kennel exploit.

    • The Cuuuuube@beehaw.org
      link
      fedilink
      arrow-up
      10
      ·
      1 year ago

      Run alpha software, experience alpha security flaws. It’s not going to really say anything about the Fediverse at large, but it’s more a tale of caution for the Threadiverse specifically, which is FAR younger, but has grown explosively, especially given that Lemmy is early beta status and KBin is alpha status

    • s08nlql9@lemm.ee
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      it would be a lesson for all instances, not just world. i hope they provide more details so others can take note