this post was submitted on 10 Jul 2023
17 points (100.0% liked)

Meta (slrpnk.net)

684 readers
1 users here now

Here we can discuss anything about this Lemmy instance/server itself.

Our XMPP support chat: Movim or XMPP client.

Please also refer to our Wiki

founded 3 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
17
Security vulnerability on Lemmy (slrpnk.net)
submitted 2 years ago* (last edited 2 years ago) by [email protected] to c/[email protected]
20 comments fedilink hide all child comments
 

As you might have heard several Lemmy instances have been attacked via a security vulnerability in the browser frontend related to custom emoji.

While SLRPNK was vulnerable to it, we seem to have not been actively targeted and I took the instance down as a precaution as soon as I learned about it.

I have applied all the currently known mitigations, which means that everyone got logged out of their account and needs to log back in manually.

As of writing this the API is working again and can be used with apps like Jerboa safely.

I am still contemplating if I want to re-enable the web frontend now or wait for a release that fixes the issues found.

Edit: the main issue was fixed and I restarted the web ui with it.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 2 years ago (3 children)

What’s your stance on users proactively finding and reporting possible vulnerabilities in kbin? It’d be great to have a bug bounty like model where white hats could test the app and report their findings to devs? Without the bounty part of course - this is a community effort after all.

[–] [email protected] 0 points 2 years ago (2 children)

You will need to ask this on a kbin community 😜

This is the instance specific one for the slrpnk.net Lemmy instance.

[–] [email protected] 1 points 2 years ago (1 children)

For some reason kbin ui shows this thread belongs to kbin.social. Strange!

Anyway, thanks for the correction! :)