cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

  • Banana@kbin.social
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    1 year ago

    In all seriousness, no one is talking about this, but this is the one disadvantage of open source software being developed by volunteers, we don’t know exactly how the admin accounts were hacked but the XSS stuff is really basic stuff, none of those fields were sanatised at all, and it makes me concerned what else has been missed, obviously the advantage of open source is in time this stuff can get fixed, but this is what happens when loads of people who aren’t experts contribute to a site.

    In comparison to sites where there is a fully hired developer team the quality of the code is significantly better. I really hope the passwords were hashed on these instances and the hackers didn’t get plain text passwords or anything really bad like this.

    One thing and credit to Ernest, as I’ve contributed there he does very thorough code reviews and his quality of code is very good, its why im confident kbin won’t be hacked.

    • Fal@yiffit.net
      link
      fedilink
      arrow-up
      20
      ·
      1 year ago

      I think you’ve never worked in software, or even used software, if you think paid close source apps don’t have issues like this. They can be worse because they’re written by interns and no one there actually cares, they just want their paycheck

      • Avid Amoeba@lemmy.ca
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        I concur that the security behind closed doors I’ve seen is often non-existent. The incentives are typically stacked against security.

      • Banana@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I work at the biggest software company in the world.
        Sure there is projects with security flaws, but at the company I work, there is zero tolerance to big security flaws in the code, we have many automated checks, as-well as manual checks.

    • PupBiru@kbin.social
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      yes and no: there are a couple of schools of thought!

      of course, code by a lot of people without proper review is… risky

      however, at least it’s able to be reviewed! and in time and with enough eyeballs, hopefully that code will become far more robust. that’s the benefit of transparency: anyone can review any line at any time!

      remember: closed-source code as plenty of vulnerabilities too! just if we can’t review it, it’s much harder to work out what they might be… often, closed source vulnerabilities can exist for years without the vendor ever patching them because nobody is calling them out on it… hell, they can even know that their software is actively being exploited and just… not tell anyone

    • jcg@halubilo.social
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      The two main Devs of Lemmy do this full time. They’re not hired in a traditional sense, but the project is funded enough for them both to work on it as their full time job. Now, this isn’t a problem with open source, I’m a professional software Dev and you would not BELIEVE how many enterprise, proprietary systems are still doing things like building SQL statements by directly concatening strings that come from user input (especially in enterprise software cause, well, who’s gonna fuck around with it?). No, this is a problem of having this many eyeballs on you. The tiny little places they slipped up and didn’t properly sanitize a user input string was found and exploited. Most proprietary systems do NOT reach this level of user count, and in particular Lemmy attracts a certain more tech-savvy demographic that would’ve found this sooner or later, malicious or not. Remember, this vulnerability was not just found, somebody was looking for it.