

  • CMahaff@lemmy.ml to Asklemmy@lemmy.ml: multiple accounts
    1 year ago

    Could be some kind of new bug, but I’ve also seen this happen when an instance is under heavy load or otherwise glitching out - it starts sending back invalid items on the API and LASIM chokes on them.

    For what it’s worth I made an account on reddthat.com and was able to download and upload to it fine.

    Maybe try again? Or is this some other instance? (I’m making assumptions based on your account)


  • CMahaff@lemmy.ml to Asklemmy@lemmy.ml: multiple accounts
    1 year ago

    Yep, if you are on Windows just extract that .exe somewhere and then run it.

    The README is displayed underneath the screenshots on the link to LASIM above. It tells you how to run it. See “How it Works”.

    https://github.com/CMahaff/lasim#how-it-works

    The latest version supports any Lemmy 0.18.3 instance. You can see which version a Lemmy instance is at the bottom of the site. For example, your instance, reddthat.com, is 0.18.3. Most instances should have upgraded to 0.18.3 already - choose one of those. Any instance running 0.18.3 should work, big or small.

    The account you “download” with won’t be touched at all. The account you “upload to” will receive all the subscriptions and blocks of the downloaded account.


  • CMahaff@lemmy.ml to Asklemmy@lemmy.ml: multiple accounts
    1 year ago

    Thanks for spreading the word about LASIM!

    Just letting you know that today I finished an update that adds upload options, including an option you can turn on to “sync removals”, which kind of achieves this.

    It may not be the right tool for every scenario though - turning it on basically means that whatever account you upload to will end up identical to the one you downloaded by following/unfollowing and blocking/unblocking as needed. But if you’ve got new follows, blocks, etc. spread across several accounts you wouldn’t want to turn it on or you’d lose all the changes on the accounts except for whichever one you downloaded.

    The option works better in scenarios where you’re mostly using a Main account, and just trying to keep the Alt accounts in sync with whatever the Main account does.









  • LASIM author here, ironically on my own alt: Just an FYI that support for Lemmy 0.18.3 is not yet out, but keep an eye out for it soon (I have it working on a branch but I need to test it more before release).

    This is the first breaking API change since its creation, so here are the limitations:

    • Old version (0.1.2) will only support API 0.18.1 and 0.18.2
    • New version (0.2.0) will only support 0.18.3 (and above until there are more breaking API changes)
    • Profiles downloaded with 0.1.2 (and below) will automatically be converted to work with 0.2.0.

    So that all means:

    • You can use the old LASIM to migrate between 0.18.2 Lemmy instances
    • You can use the new LASIM to migrate between 0.18.3 Lemmy instances
    • You can use the old LASIM to download from a 0.18.2 instance then use the new LASIM to upload to a 0.18.3 instance
    • You cannot use the new LASIM to download from a 0.18.3 instance and then the old LASIM to upload to a 0.18.2 instance (unless you are comfortable doing some manual work editing the JSON file so “old LASIM” understands it).

    This will be true of every release with breaking API changes.

    EDIT: PR is out. Once it builds, I’ll publish a new release! https://github.com/CMahaff/lasim/pull/21

    EDIT 2: Release is published! https://github.com/CMahaff/lasim/releases/tag/v0.2.0


    1. Inject exploit into a comment using custom emoji.
    2. Front-end parses the emoji incorrectly allowing JavaScript to be injected.
    3. JavaScript loads for everyone who views a page with the comment and sends their token and account type to the hacker’s domain.
    4. Hacker parses received tokens for admins and uses that to inject redirects into the front page of the Lemmy instance.

    To answer your other questions:

    • IMO there probably should be better parsing to remove this stuff from the back-end, so I’m not sure the front-end solution is the complete solution, but it should get things largely under control.
    • Back-end is theoretically not compromised besides needing to purge all the rogue comments. Attacker presumably never had access to the server itself.
    • Probably needs to be a mass reset of ALL passwords since lots of people’s tokens were sent during the attack, so their accounts could be compromised.
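
The two layers this comment points to (a back-end check before an emoji is stored, and escaping in the front-end when it is rendered), as an added example that is not part of the original comment and not Lemmy's code. The field names (`shortcode`, `imageUrl`, `altText`) and both sample records are assumptions constructed for illustration:

```javascript
// Added illustration. Field names and sample records are constructed;
// this is not Lemmy's schema or code.
const GOOD = { shortcode: "party_parrot", imageUrl: "https://example.com/parrot.png", altText: "party parrot" };
const BAD = { shortcode: "x", imageUrl: "https://example.com/x.png", altText: 'x" onerror="void 0' };

const SHORTCODE_RE = /^[a-z0-9_]{1,32}$/;
const MARKUP_RE = /[<>"'`]/; // characters that can close an attribute or open a tag

// Back-end: list the fields that should stop a record from being stored.
function validateEmoji(emoji) {
  const errors = [];
  if (!SHORTCODE_RE.test(emoji.shortcode ?? "")) errors.push("shortcode");
  try {
    const url = new URL(emoji.imageUrl);
    if (url.protocol !== "https:" || MARKUP_RE.test(emoji.imageUrl)) errors.push("imageUrl");
  } catch {
    errors.push("imageUrl"); // not a parseable absolute URL
  }
  const alt = emoji.altText;
  if (typeof alt !== "string" || alt.length > 100 || MARKUP_RE.test(alt)) errors.push("altText");
  return errors;
}

// Front-end: encode every character that can end an attribute value.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Flawed renderer: untrusted fields are pasted straight into the markup.
function renderEmojiUnsafe(emoji) {
  return `<img class="emoji" src="${emoji.imageUrl}" alt="${emoji.altText}">`;
}

// Hardened renderer: same markup, every untrusted field escaped.
function renderEmojiSafe(emoji) {
  return `<img class="emoji" src="${escapeAttr(emoji.imageUrl)}" alt="${escapeAttr(emoji.altText)}">`;
}

console.log(validateEmoji(GOOD), validateEmoji(BAD));
console.log(renderEmojiUnsafe(BAD)); // the alt value closes early and adds an attribute
console.log(renderEmojiSafe(BAD));   // the quote stays inside the alt value as &#34;
```

The renderer escapes even when the back-end validates, because content federated from other instances may never have passed through this instance's validation.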