lemmy.world is a victim of an XSS attack right now and the hacker simply
injected a JavaScript redirection into the sidebar. It appears the Lemmy backend
does not escape HTML in the main sidebar. Not sure if this is also true for
community sidebars.
[https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png]
Some points from the admin of ttrpg.network in our Discord chat:
This thread explains the very serious risk of Lemmy’s current 2FA implementation.
Yeah, 2fa didn’t work for me when I tried to set it up. Was just lucky I was logged in on more than one browser, so I could go and disable it.
yes, the initial setup is not intuitive at all. Once setup it functions normally.
Thanks. I’m going to wait for your guide. What do you advise we do with bot accounts?
I’ve thrown this together.
Thanks. This worked. I got a little confused with points 3, 4 and 5 but now that I’ve re-read your instructions I see that they are clear and I have no suggestions for improving them at this time.
Hey, so i followed the guide. I think i hit all the steps, but when i try to log in on the browser to test whether its worked. The 2fa box does come up. But when i enter the code and hit login theres no progression on from that screen. Not sure where i’ve gone wrong? Using Aegis btw.
Hmm you may need to disable 2FA again. I’m not sure why it wouldn’t work, perhaps Aegis hasn’t imported it correctly?
Okay cool, it just worked. No idea what difference waiting overnight made though.
In the short term, use a 60 character password and never use that account interactively. ie only use it with your scripts/bot. And obviously keep the password securely stored.