this post was submitted on 10 Jul 2023
166 points (100.0% liked)

Beehaw Support

2797 readers
2 users here now

Support and meta community for Beehaw. Ask your questions about the community, technical issues, and other such things here.

A brief FAQ for lurkers and new users can be found here.

Our September 2024 financial update is here.

For a refresher on our philosophy, see also What is Beehaw?, The spirit of the rules, and Beehaw is a Community


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.


if you can see this, it's up  

founded 2 years ago
MODERATORS
 

I would be cautious about viewing any Lemmy.world communities right now, and the Beehaw admins should make sure their credentials are locked down in case they get targeted next.

top 44 comments
sorted by: hot top controversial new old
[–] [email protected] 33 points 1 year ago (3 children)

You are already defederated from them...

[–] [email protected] 27 points 1 year ago (4 children)

Just because Beehaw is defederated from this instance, that does not mean that visiting a recently compromised server will not cause your credentials to be compromised.

[–] [email protected] 12 points 1 year ago (2 children)

Read the post again. It was specifically mentioning viewing lemmy.world communities, which is not possible through beehaw.org due to defederation. All you would see is the content before defederation.

[–] [email protected] 9 points 1 year ago

Not possible with a beehaw account. But we know many of us may have accounts elsewhere.

[–] [email protected] 2 points 1 year ago

I don't have to read the post again, nobody should be accessing hacked servers and expecting their credentials to be safe.

[–] [email protected] 9 points 1 year ago

It's also possible that Beehaw's instance is vulnerable to the same XSS attack.

[–] [email protected] 7 points 1 year ago (1 children)

No user data like credentials gets transfered. Everything between instances is done with bot like helpers that do the data transfers.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

That's the problem, they don't. If you have them stored anywhere on the device you view the communities with, your credentials are not safe.

Edit: this was for someone else.

Anything can be transferred without your knowledge. Do not access hacked servers while expecting privacy.

[–] [email protected] 2 points 1 year ago

That would require your device to get hacked, not just the server.

As for privacy... there is really little of that on Lemmy or the fediverse as a whole.

[–] [email protected] 3 points 1 year ago (1 children)

Why would a "foreign" instance need to know my credentials from my local instance just to allow me to browse that foreign instance?

[–] [email protected] 1 points 1 year ago

That's the problem, they don't. If you have them stored anywhere on the device you view the communities with, your credentials are not safe.

[–] [email protected] 20 points 1 year ago

Ah, didn't realize they were already defederated. Still, admins should be on the lookout for an attack on Beehaw.

[–] [email protected] 10 points 1 year ago (1 children)

But I'm not. I'm federated with both Beehaw and lemmy.world.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

The post was posted in [email protected] by beehaw.org user.

[–] [email protected] 10 points 1 year ago (1 children)

People have multiple accounts - maybe even specifically to view .world, or on .world, and this PSA is what made them think twice before switching to it. I mean, you’re here reading and commenting on this post, and you’re not a beehaw.org user. But you could also have a beehaw account if you wanted. If you did, maybe you’d have been on it browsing local when you saw this.

Not sure why this post is a problem. It’s a good PSA.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

It's not a bad post. It's a multi-part post and I only responted to part of it. And it was informative too https://beehaw.org/comment/628677

[–] [email protected] 9 points 1 year ago (1 children)

If done via hacked admin credentials, this is a great advertisement for enabling 2FA anywhere it's supported. AIUI Lemmy is also getting support for this for user accounts soon (https://github.com/LemmyNet/lemmy/issues/2363)

[–] [email protected] 3 points 1 year ago (1 children)

Oh wait, so 2FA doesn't fully work yet? I guess that explains why I've been having such a hard time trying to get it set up.

[–] [email protected] 5 points 1 year ago

It works, but it's half-assed. The way Lemmy sets it up only works on a portion of authenticators, and ones like Authy isn't one of them. Then it also doesn't have a confirmation before enabling it, so you may think it's working but then get locked out of your account when you can't log in next time around.

The best way to test it is to enable 2FA and set up the code, but keep your Lemmy settings open. Then open an incognito window and see if you can log in using the 2FA code. If you can't, go back to the settings window and disable 2FA.

[–] [email protected] 8 points 1 year ago

https://lemmy.blahaj.zone/ hacked too, so two Lemmy instances.

[–] [email protected] 8 points 1 year ago

Welcome back to Beehaw!

[–] [email protected] 7 points 1 year ago (4 children)

this is fucking hilarious, this is going to be a blow to confidence in the security of the fediverse
i wonder if the websites that covered the reddit protest will cover this

[–] [email protected] 24 points 1 year ago* (last edited 1 year ago) (1 children)

Surely it's not really any different to any other website's admin having their account hacked/their password socially engineered? It's not an inherent flaw in the fediverse as a whole, just a human issue.

EDIT: see @Zephyrix's comment below. It was a security flaw.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (1 children)

This was not a social engineering. It was a JavaScript injection that stole browser cookies, bypassing password changes and 2FA.

However, it seems lemmy.world was running a custom version of the UI. So it's possible that it only affected their instance. Hard to say at this point.

[–] [email protected] 2 points 1 year ago

Oh, well in that case it's a little more concerning. But I don't expect it to be a long-term issue. It certainly isn't a serious blow to my confidence in the security of the fediverse, that's for sure! It being a somewhat minor breach may be a blessing, also; it means there'll almost certainly be more of a focus on security going forward before something more serious happens.

[–] [email protected] 11 points 1 year ago

Arguably it is a strength. Unless a user has used the same username and password for different instances, their credentials on one instance are shielded from exploit over the whole network. The potential risk can only really be determined by how security was breeched. If it was social engineering, then there isn't any other direct concern. If it was a vulnerability in software, then the same attack could be played out on other instances, but that's not any different than other systems like a Linux kennel exploit.

[–] [email protected] 10 points 1 year ago

Run alpha software, experience alpha security flaws. It's not going to really say anything about the Fediverse at large, but it's more a tale of caution for the Threadiverse specifically, which is FAR younger, but has grown explosively, especially given that Lemmy is early beta status and KBin is alpha status

[–] [email protected] 3 points 1 year ago

it would be a lesson for all instances, not just world. i hope they provide more details so others can take note

[–] [email protected] 7 points 1 year ago (1 children)

They changed root folder / frontpage, if you access lemmy.world from web browser you'll be redirected somewhere

However, you still can access lemmy.world through applications

[–] [email protected] 1 points 1 year ago

This is what I was wondering. It sounds like their frontpage is defaced but the underlying server is untouched. So if you login via an app you should still reach the server as normal?

[–] [email protected] 5 points 1 year ago (2 children)

There IS one major problem. Many accounts only have optional email attached for .world, mine included. I think that means compromised credentials are a massive problem.

[–] [email protected] 3 points 1 year ago (1 children)

I'm going to shill for https://simplelogin.io here. Any other aliasing service will do, too. SL is just the one that I use. Email aliases are game changing.

[–] [email protected] 3 points 1 year ago

Isn't that a subscription service thing though?

[–] [email protected] 1 points 1 year ago (1 children)

If you don't use a unique password which that's on you

[–] [email protected] 4 points 1 year ago

I do use a unique password. I just use it for every account.

[–] [email protected] 3 points 1 year ago

Working fine right now.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks for the heads-up. Password changed.

[–] [email protected] 3 points 1 year ago

Not sure exactly how they were hacked, but if the server is still compromised then changing your password now doesn't do any good.

[–] [email protected] 3 points 1 year ago (3 children)

I have an account on lw. Might be time to abandon it or delete it.

[–] [email protected] 2 points 1 year ago (1 children)

Just hoping this isn't some 0-day attack vector that will eventually be used against Beehaw.

[–] [email protected] 1 points 1 year ago

One of the admin account was compromised.

[–] [email protected] 2 points 1 year ago

Logging out and then logging in should be enough for now.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

How do you delete your account if it's hacked? I went on moments before I saw this and got a 404 error (I think) and then came here and saw this. I am not comfortable going back.

[–] [email protected] 1 points 1 year ago

Looks fine to me...

load more comments
view more: next ›