layla to hexbear • 1 年前

A XSS vulnerability was used to hijack accounts. The vulnerability has been patched and no user action is necessary.

121

A XSS vulnerability was used to hijack accounts. The vulnerability has been patched and no user action is necessary.

layla to hexbear • 1 年前

Hexbear was a victim of a targeted XSS attack similar to the attack many other Lemmy instances have seen.

The account that first leveraged the attack was registered on 2023-07-10 at 03:58 UTC, the fix for the vulnerability was applied by around 04:35 UTC. This leaves a ~40 minute window in which anyone browsing the site could have had their account hijacked.

The attacker was able to act (post, comment, DM) as the account they hijacked. They will also have been able to view/use the compromised account's settings page. This means they will have been able to see users' email addresses. Some accounts that were compromised were temporarily banned, these bans have now been lifted.

If you were using the site during the above time window, please double check your account settings to see if anything was changed.

Passwords were not stolen, JWTs were. We have just invalidated all old JWTs so the attacker no longer has access to the hijacked accounts (this is why all users have been logged out).

Chat

FidelCastro [he/him]
·
1 年前

link

hexbear

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !hexbear@hexbear.net

Now that the old Hexbear fork has been officially abandoned, this community will be used as a space for meta-discussion on the site itself.

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

1 user / day
4 users / week
235 users / month
1.07K users / 6 months
10.1K local subscribers
10.2K subscribers
215 Posts
4.62K Comments
Modlog