Hi everyone.
Lemmy had an XSS vulnerability and we were one of the instances attacked through this vulnerability. We had our homepage replaced by a youtube video.
The lemmy devs were quick to create a PR for this issue and we have patched our instance to fix it,
Also while I do not believe any login tokens were compromised, we have taken the additional measure of rotating our secret key, so everyone will have to login to the site again as your existing credentials will no longer be valid.
If login fails to work properly, you may have to clear your cookies for the site… it seems to get confused about whether you’re logged in or not.
Sorry that this happened, if you have any questions please contact @[email protected] or myself.
I just had issues logging in, so I’m gonna make a comment in case anyone else is having issues.
TL;DR: Clear your cookies.
I couldn’t log in from the main page, I would type everything correctly and it would give me a “logged in” popup in the corner, but I wouldn’t actually be logged in. For some reason though I ended up being able to log in from my profile page though, but I wouldn’t stay logged in unless I opened up my profile page and navigated from there. I was also able to log in from the main page while in a private window though, (incognito for chrome users) so I figured clearing my cookies would fix the issue. That’s what I ended up doing, and I was able to log in from the main page and this time I stayed logged in. Sorry for the ramble, but I just wanted to put down everything that happened since it’s clearly a bug with the site, and if someone were to fix this they’re gonna want as much details as can be provided.