lemmy.world is a victim of an XSS attack right now and the hacker simply
injected a JavaScript redirection into the sidebar. It appears the Lemmy backend
does not escape HTML in the main sidebar. Not sure if this is also true for
community sidebars.
[https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png]
I encourage everyone, but especially mods to enable 2FA on their account. I’ll do up a post tonight with screenshots on exactly how to do this, I realise the lemmy process isn’t as smooth as it could be. Ideally it would present a QR code to scan with with your phone as most other sites do.
Some points from the admin of ttrpg.network in our Discord chat:
This thread explains the very serious risk of Lemmy’s current 2FA implementation.
Yeah, 2fa didn’t work for me when I tried to set it up. Was just lucky I was logged in on more than one browser, so I could go and disable it.
yes, the initial setup is not intuitive at all. Once setup it functions normally.
Thanks. I’m going to wait for your guide. What do you advise we do with bot accounts?
I’ve thrown this together.
Thanks. This worked. I got a little confused with points 3, 4 and 5 but now that I’ve re-read your instructions I see that they are clear and I have no suggestions for improving them at this time.
Hey, so i followed the guide. I think i hit all the steps, but when i try to log in on the browser to test whether its worked. The 2fa box does come up. But when i enter the code and hit login theres no progression on from that screen. Not sure where i’ve gone wrong? Using Aegis btw.
Hmm you may need to disable 2FA again. I’m not sure why it wouldn’t work, perhaps Aegis hasn’t imported it correctly?
Okay cool, it just worked. No idea what difference waiting overnight made though.
In the short term, use a 60 character password and never use that account interactively. ie only use it with your scripts/bot. And obviously keep the password securely stored.
Mine just won’t enable it at all. I have it set up on my other account, but this one when I hit save nothing happens.
That is one of the issues… if you tick the box to enable 2FA and hit save, you then need to hit F5/refresh for the ‘2FA Installation link’ to appear.
Actually making use of the 2FA installation link is also not intuitive… as I said I’ll try and post a sequence of screenshots tonight with a fresh test account to show the process.
That didn’t work, but I have solved it. I had to take the emoji out of my display name. No idea why that has any impact, but it did.
i’ll be damned if I’m removing my identity just to protect my account
I’ve been playing around and it’s only some emojis it has a problem with. Your bagels are safe.
Mine worked with emoji. You can continue to be you.
The 2FA system might just be prejudiced against birds. I tried putting it back in after it was set up and it won’t save my settings if the emoji is there. It’s very weird.
Can you move the bird to the back of your name and test?
It won’t let me put it anywhere in the field. A bagel or a smiley face are find, but I can’t do the bird, or a black cat. It might be something to do with the specific emoji - both the black bird and cat are a standard bird/cat paired with a black square which display as a single emoji on some systems.
thank you, and the 2FA set up was actually the easiest i’ve ever set up on iOS. a little too easy …
I tried doing this but have lost access to my aussie.zone account (same user name). I checked the 2FA box but I couldn’t see the extra setup steps (I think I refreshed the page), so I unchecked the box and saved. I then changed my pw. Now it seems to accept new pw but am getting incorrect 2FA token error. What do I do?
Oh bugger. Sorry, I’ll need to find out how to manually toggle 2FA on your account in the database. I won’t be able to do this until I get home this evening.
Thanks in advance
Try now… think I’ve disabled it on your aussie.zone account.
Thank you, that worked!
Excellent 🙂
You are one of the best admins I’ve met in my coupla decades of internet usage. I love ya work mate and if you ever want a hand from a fellow sysadmin hit me up.
aww thanks 😇