submitted 1 year ago by darrsil@beehaw.org to c/support@beehaw.org

I would be cautious about viewing any Lemmy.world communities right now, and the Beehaw admins should make sure their credentials are locked down in case they get targeted next.

top 21 comments
[-] BrikoX@lemmy.zip 24 points 1 year ago

You are already defederated from them...

[-] Dankenstein@beehaw.org 20 points 1 year ago

Just because Beehaw is defederated from this instance, that does not mean that visiting a recently compromised server will not cause your credentials to be compromised.

[-] BrikoX@lemmy.zip 8 points 1 year ago

Read the post again. It was specifically mentioning viewing lemmy.world communities, which is not possible through beehaw.org due to defederation. All you would see is the content before defederation.

[-] timkenhan@sopuli.xyz 2 points 1 year ago

Not possible with a beehaw account. But we know many of us may have accounts elsewhere.

[-] silentdon@beehaw.org 6 points 1 year ago

It's also possible that Beehaw's instance is vulnerable to the same XSS attack.

[-] TheOtherJake@beehaw.org 6 points 1 year ago

No user data like credentials gets transferred. Everything between instances is done with bot-like helpers that do the data transfers.

[-] Dankenstein@beehaw.org 1 points 1 year ago* (last edited 1 year ago)

That's the problem, they don't. If you have them stored anywhere on the device you view the communities with, your credentials are not safe.

Edit: this was for someone else.

Anything can be transferred without your knowledge. Do not access hacked servers while expecting privacy.

[-] jarfil@beehaw.org 2 points 1 year ago

That would require your device to get hacked, not just the server.

As for privacy... there is really little of that on Lemmy or the fediverse as a whole.

[-] SatyrSack@lemmy.one 1 points 1 year ago

Why would a "foreign" instance need to know my credentials from my local instance just to allow me to browse that foreign instance?

[-] darrsil@beehaw.org 17 points 1 year ago

Ah, didn't realize they were already defederated. Still, admins should be on the lookout for an attack on Beehaw.

[-] dandroid@dandroid.app 6 points 1 year ago

But I'm not. I'm federated with both Beehaw and lemmy.world.

[-] BrikoX@lemmy.zip 3 points 1 year ago* (last edited 1 year ago)

The post was posted in !support@beehaw.org by a beehaw.org user.

[-] Fester@lemm.ee 3 points 1 year ago

People have multiple accounts - maybe even specifically to view .world, or on .world, and this PSA is what made them think twice before switching to it. I mean, you’re here reading and commenting on this post, and you’re not a beehaw.org user. But you could also have a beehaw account if you wanted. If you did, maybe you’d have been on it browsing local when you saw this.

Not sure why this post is a problem. It’s a good PSA.

[-] BrikoX@lemmy.zip 1 points 1 year ago* (last edited 1 year ago)

It's not a bad post. It's a multi-part post and I only responded to part of it. And it was informative too: https://beehaw.org/comment/628677

[-] throws_lemy@lemmy.nz 6 points 1 year ago

They changed the root folder / frontpage; if you access lemmy.world from a web browser you'll be redirected somewhere.

However, you still can access lemmy.world through applications

[-] BitOneZero@beehaw.org 4 points 1 year ago

Welcome back to Beehaw!

[-] pwacata@beehaw.org 3 points 1 year ago

If done via hacked admin credentials, this is a great advertisement for enabling 2FA anywhere it's supported. AIUI Lemmy is also getting support for this for user accounts soon (https://github.com/LemmyNet/lemmy/issues/2363)

[-] AndrewZabar@beehaw.org 3 points 1 year ago

Working fine right now.

[-] ihavenopeopleskills@kbin.social 2 points 1 year ago* (last edited 1 year ago)

Thanks for the heads-up. Password changed.

[-] halfcalf@beehaw.org 1 points 1 year ago

Not sure exactly how they were hacked, but if the server is still compromised then changing your password now doesn't do any good.

[-] Firebat@lemmy.fmhy.ml 1 points 1 year ago

Looks fine to me...

this post was submitted on 10 Jul 2023
125 points (100.0% liked)
