XSS is a blanket term for vulnerabilities that allow attackers to inject client-side scripts. Looks like someone has already identified it and submitted a pull request that contains a fix: https://github.com/LemmyNet/lemmy-ui/pull/1897/files
You would think an admin account would have 2FA enabled (unless the hack was due to a security issue in Lemmy itself, but that doesn’t seem to be the case).
It seems the database and the server itself are not compromised? Just an admin account that was used to post a markdown XSS exploit?
Pictrs probably didn’t honor EXIF rotation metadata, or stripped it entirely for privacy reasons.
I haven’t been to Reddit for a few days and they did this stuff already? Let’s keep this up.
Reddit used to be open source and the password was hashed using bcrypt.
I’d have more respect if the leak were done by disgruntled employees, but this leak attempt was done by a ransomware operator who failed to extort them in the first place.
Ransomware operators are scum and should not be trusted, let alone paid.
Heck, you don’t even need to enter the community in the !community@instance format. Simply copy-pasting the community URL like https://lemmy.world/c/communityname into the search field works as well.
Decentralized identity could be implemented relatively easily just by allowing users to enter their public key, like in git or PGP. How to sync the data is a different matter though. Maybe you can enter a username (e.g. @user@instance) in your instance’s search field and have it federated to your account there if the cryptographic signature matches?
And give up their power as mods of a large subreddit and start again from scratch? Most of them probably aren’t willing to do that.
This is actually good for Google Domains customers. Previously, if your Google account somehow got banned, either legitimately or by mistake, you’d lose access to your domain account as well.
I see a new lemmy-ui docker image has been pushed an hour ago, tagged 0.18.2-rc.1. Anyone know if it fixed the issue? Edit: yep, it’s fixed: https://github.com/LemmyNet/lemmy-ui/commit/e80bcf53acb8ce25ed5ef6b7eb16b90f0b07e8f1