Hi everyone.

Lemmy had an XSS vulnerability and we were one of the instances attacked through this vulnerability. We had our homepage replaced by a youtube video.

The lemmy devs were quick to create a PR for this issue and we have patched our instance to fix it,

Also while I do not believe any login tokens were compromised, we have taken the additional measure of rotating our secret key, so everyone will have to login to the site again as your existing credentials will no longer be valid.

If login fails to work properly, you may have to clear your cookies for the site… it seems to get confused about whether you’re logged in or not.

Sorry that this happened, if you have any questions please contact @ada@lemmy.blahaj.zone or myself.

blobcat, heart

  • tupewe (OFFICIAL)@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    Damn that was quick! I didn’t even notice LOL if it wasn’t for this post I would have thought that my account got logged off just for a bug :p

    Thank you and the lemmy devs for being so quick!! blobcat, heart

    out of curiosity, what was the youtube video?

    • tupewe (OFFICIAL)@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      By the way, I don’t know if this is related but I have an issue now after this

      I can log in using the web app but in Jerboa when I log in I can see Im logged in but I when I try to do something like commenting it tells me I’m not, then after reopening the app I’m fully logged off again, has this happened to someone else?

      • Still@programming.dev
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 year ago

        you gotta sign out the master key used to authenticate your session was cycled, so you need to get a new one, jerboa gets confused cuz it already has one but is no longer valid

      • BlessedDog@lemmy.ml
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        The master encryption key was rotated, meaning your current login creds/tokens are invalid and you have to login again.

  • Krrygon@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    18
    ·
    1 year ago

    Yeah thanks for being on top of things! That was a really quick fix by everybody. Glad to have this place back!

  • Reepus@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    I can no longer access my blahaj account, which sucks because ive done alot on it. Im not sure if its because Blahaj is down or my account is gone, I just cant get into my account anymore.

      • crisbyonions@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        I’m having the same issue. I can’t access the website at all and I definitely cannot login on my app (Connect). I’ve cleared my cookies several times and tried to access the page to no avail.

      • Erikatharsis@kbin.social
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        1 year ago

        I’m facing the same issue. I tried disabling JS by setting Blåhaj Lemmy to “untrusted” on NoScript, and this seemed to work the first time I tried it, but not any subsequent times.

        The message I see is, “There was an error on the server. Try refreshing your browser. If that doesn’t work, come back at a later time. If the problem persists, you can seek help in the Lemmy support community or Lemmy Matrix room.”

        Opening up the split console in Firefox Web Developer Tools, I see “500 Internal Server Error”. Comparing and contrasting with lemmy.world, I don’t see any other meaningful difference. I’ve also tried visiting Blåhaj Lemmy on Google Chrome on my Android phone, where I don’t have any extensions, but that gave me the same error message.

  • maegul@hachyderm.io
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    @supakaity

    Fittingly, given that the hack seemed to be through the custom emoji interface (?), this thread has some wonderful emoji action!!

    • Kaity A@lemmy.blahaj.zoneOPM
      link
      fedilink
      English
      arrow-up
      9
      ·
      edit-2
      1 year ago

      Well, I don’t technically work on the lemmy codebase (I have my hands full with adminning 3 instances and working on Hajkey), but yes I agree it’d be nice if the lemmy dev team could spend some time reviewing and improving the security, in amongst all the other stuff they have to do since Reddit imploded.

  • CreamyWeenie@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    1 year ago

    I just had issues logging in, so I’m gonna make a comment in case anyone else is having issues.

    TL;DR: Clear your cookies.

    I couldn’t log in from the main page, I would type everything correctly and it would give me a “logged in” popup in the corner, but I wouldn’t actually be logged in. For some reason though I ended up being able to log in from my profile page though, but I wouldn’t stay logged in unless I opened up my profile page and navigated from there. I was also able to log in from the main page while in a private window though, (incognito for chrome users) so I figured clearing my cookies would fix the issue. That’s what I ended up doing, and I was able to log in from the main page and this time I stayed logged in. Sorry for the ramble, but I just wanted to put down everything that happened since it’s clearly a bug with the site, and if someone were to fix this they’re gonna want as much details as can be provided.

  • NaN@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    Something still seems broken on the home page. Multiple browsers, clearing cookies, private mode, etc have the same error message. Voyager is also unable to log in. Memmy working ok.

    Home page and almost every link from the home page look the same.