Hey folks! I have spent this morning helping lemmy.world mitigate the issue. I have also sent out mitigation instructions to other admins as well.
For the particular exploit that was used on lemmy.world:
- It does not spread through federation
- lemm.ee was not vulnerable in the first place
- As mentioned above, it has already been mitigated on lemmy.world
So there should not be any reason to defederate. I will continue monitoring and investigating; if further vulnerabilities pop up, then I will adjust accordingly.
You rock! Sorry if this is a stupid question, but if both instances are running the same version of Lemmy, why would lemmy.world be affected but not lemm.ee?
Malicious custom emoji contained scripts that sent session cookies to the attackers.
Makes sense! Thank you.
Thank you for being a valuable resource for the lemmyverse as a whole!
This instance is really reliable. There is no shaking it! Really glad to be here.