Wondering if fmhy was hacked like .world

Asking this to know if I should change my password.

  • Brad Ganley@toad.work · 13 upvotes · 1 year ago

    I don’t believe FMHY was affected. For me, the timeline went:

    1. I found out about the hack pretty much immediately when it happened
    2. I immediately hopped into the Lemmy dev Matrix channels to get an idea of what was going on
    3. I crossposted the news of the hack in !technology@lemmy.fmhy.ml about 20 or 30 minutes after it happened
    4. In the dev channels, right around when I made the post, a couple of users were able to pin down the exact vulnerability and which server the user that perpetrated it originated from. A user (that I won’t name) sent test instructions (that were quickly deleted and I will not share on the off chance that there are servers that don’t know about the vuln and haven’t patched or mitigated) that verified the vulnerability.
    5. A pull request for the fix was submitted to GitHub (and, from a cursory look at the PR, it closes the hole that was used for the hack solidly) while, simultaneously, a couple of other devs stated that 0.18.1 is not affected by the vulnerability (which I have not taken the time to verify since they’ve already PRed a patch)

    For those reasons, I don’t think FMHY was ever at risk because of how quickly it was updated to 0.18.1, coupled with the fact that I don’t think custom emojis are a thing on here. It’s very possible that I am wrong about that because I’m an idiot, but I don’t believe there’s anything to worry about.