Hi Beeple!

Here’s a vague version of events :

  • 11PM EST: Lemmy.world got hacked

  • 12:20AM EST: Blahaj.zone got hacked

  • 12:25AM EST: I shut down the server

  • 12:30AM EST: I make announcements to tell people about this

  • 12:45AM EST: I have an idea of what the problem is but there is no fix

  • 2:20AM EST: I go to sleep

  • 8:50AM EST: The server is booted back up, steps are applied to mitigate issues (Rotating JWTs, Clearing DB of the source of vulnerability, deleting custom emoji), UI is updated with the fix, CSP and other security options are applied

  • 11:40AM EST: We start testing things to make sure are working And well, now here we are.

If you have issues logging in or using an app:

  1. Log out if you somehow are still logged in

  2. Clear all cache, site data, etc.

  3. Hard refresh Beehaw using CTRL+F5

  4. Log back in.

If you still have issues, write to us at [email protected]

To be clear : We have not been hacked as far as we know, we were completely unaffected. This was done preemptively.

Oh yeah, in case, you haven’t, this is a good opportunity and reminder to follow us on Mastodon as the communication line was still up despite Beehaw being down : https://hachyderm.io/@beehaw

  • Hirom@beehaw.org
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    The shutdown is a good call given the circumstances.

    An idea of less-radical preventive action is placing the instance in read-only mode, either as a Lemmy feature, or through reverse proxy settings (eg reply 503 for any POST/PUT/DELETE request). But that’d require some development and/or preparation.

    Doing that on the reserve proxy side would block any user-submitted content and more (logins, searches, …). This would hopefully be efficient at blocking many attack vectors, while still keeping the instance partially online, even if that’s a degraded mode.

    • Lionir [he/him]@beehaw.orgOPM
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Note that if this were a Lemmy feature, if we had been infected, an admin could’ve gotten hacked and as a result, disabled that feature. I’m not really sure what can be done to make Beehaw foolproof. That said, the UI has since been hardened by CSP headers so this type of attack should no longer be possible.

    • interolivary@beehaw.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Would read-only mode help with XSS exploits though, like this particular one? Since the “damage was already done” by the time anybody noticed, wouldn’t putting the site in read-only mode still have kept serving up the XSS payload? It’d stop “infected” people from making any state mutations on Lemmy, but eg. data exliftration would still happen