Suboptimal ways to respond to a public security incident

This issue is already quite widely publicized and quite frankly "we're handling it and removing this" is a much more harmful response than I would hope to see. Especially as the admins of that instance have not yet upgraded the frontend version to apply the urgent fix.

It's not like this was a confidential bug fix, this is a zero day being actively exploited. Please be more cooperative and open regarding these issues in your own administration if you're hosting an instance. 🙏

88 comments
  • It's strange that they would try to bury this information.

    The number 1 tool against future hacks like this is education.

  • This issue is already quite widely publicized and quite frankly "we're handling it and removing this" is a much more harmful response than I would hope to see.

    Hi, mod of a community on the instance in question here. Why is this response harmful? What should we have done instead?

    • I feel like it's up for discussion here and you very well may stand by the response there, but IMO with how prevalent this issue is, a specific response of "we've disabled custom emoji" or "we're upgrading to 0.18.2-rc.1 today" would have been more constructive and reassuring to users. Removal of the question and lack of details gives me a lot less confidence that the issue and fix are understood and doesn't leave any room for that discussion.

      • Ahh, ok. That's helpful, thanks!

        This is going to seem silly in the context of such a severe exploit but one quirk about our instance is that we literally do not have a "general discussion" /c/. The biggest one is scoped to Star Trek and so a Lemmy exploit is obviously outside the scope of ... Star Trek. I would wager that's the main reason the mod removed the post, but I will admit that just pointing this out, I feel like the forum mod from the short story Wikihistory.

        I'm in contact with the admins who manage the hosting, they are coordinating an update 0.18.2-rc1 as we speak. Also, there's already been some discussion about setting up a general discussion /c/ on our instance and so I'll include instance security in the scope of that /c/.

        You mentioned elsewhere in this thread there is a Lemmy admins Matrix room. Is my instance big enough for my admins to be invited? If yes, who can I point them at to get in?

  • From what I found digging through some posts, this exploit only works if your instance uses custom emoji. Federated custom emoji are apparently harmless.

    • Yes, if you have no custom emoji on your instance, you should not be vulnerable. A valid workaround before the fix is also to just remove all custom emoji, from what I've also read.
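The two conditions mentioned in this thread (a frontend older than 0.18.2-rc.1, and at least one custom emoji defined on the instance) can be checked against an instance's own public site metadata. The following is an added example, not code from the thread or from the Lemmy project. It assumes that Lemmy's `GET /api/v3/site` endpoint returns a JSON object with a `version` string and a `custom_emojis` list (as it does in the 0.18 series), and it takes 0.18.2-rc.1 as the version carrying the fix, as stated above; the sample response embedded below is constructed, not captured from a real instance.

```python
"""Assess whether a Lemmy instance matches the exposure conditions described in
the thread: running a version older than the fix AND having custom emoji.

Example code only; the endpoint shape and the fixed-version threshold are
assumptions taken from the surrounding discussion, not from an advisory.
"""
import json
import re
import sys
import urllib.request

# Assumed: the release candidate named in the thread as carrying the fix.
FIXED_VERSION = "0.18.2-rc.1"

# Constructed sample of what GET /api/v3/site returns (only the two fields
# this check needs are populated; the emoji entry shape is illustrative).
SAMPLE_SITE_JSON = {
    "version": "0.18.1",
    "custom_emojis": [
        {"custom_emoji": {"shortcode": "example", "image_url": "https://example.invalid/e.png"}}
    ],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+))?")


def parse_version(text):
    """Turn '0.18.2', '0.18.2-rc.1' or '0.18.2-rc1' into a sortable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release, so a
    release always sorts after any rc of the same base version; the fifth is
    the pre-release number (0 for final releases).
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(m.group(5)))


def assess(site_json, fixed=FIXED_VERSION):
    """Return a summary dict for one /api/v3/site response.

    'outdated' means the reported version is older than `fixed`;
    'exposed' additionally requires at least one custom emoji, matching the
    thread's statement that instances without custom emoji are not affected.
    """
    version = site_json["version"]
    emoji_count = len(site_json.get("custom_emojis") or [])
    outdated = parse_version(version) < parse_version(fixed)
    return {
        "version": version,
        "custom_emoji_count": emoji_count,
        "outdated": outdated,
        "exposed": outdated and emoji_count > 0,
    }


def fetch_site(base_url, timeout=10):
    """Fetch the site metadata from a live instance (assumed endpoint path)."""
    url = base_url.rstrip("/") + "/api/v3/site"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # With an instance URL as argument, query it; otherwise use the sample.
    data = fetch_site(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SITE_JSON
    result = assess(data)
    verdict = "EXPOSED" if result["exposed"] else "not exposed"
    print(f"version {result['version']}, {result['custom_emoji_count']} custom emoji: {verdict}")
```

The version parser treats "rc.1" and "rc1" as the same pre-release, since both spellings appear in this thread, and sorts the final 0.18.2 after 0.18.2-rc.1. An instance that has upgraded but still has custom emoji is reported as not exposed, and so is an instance on an old version with no custom emoji, which matches the two statements above.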

  • I'm not sure what to think about that instance. I saw some weird stuff in the mod protocol recently, if I remember correctly... Like some drama going on, etc.

    • That's disheartening to hear. Can you share any more detail? If we've got a mod causing drama somewhere I can take it up with our admins.

      • Oh, it was just a couple days ago and I'm not 100% sure if it was that instance. I faintly remember something about a hated episode or entire series? I'm not sure. I'm not a trekkie. I just remember that it gave off powermod vibes to me and I saw that a couple times. Didn't pay any more attention to that, though, because I live by the standard "live and let live". As long as nobody on my instance reports anything, I'm not going to act in most cases.