Lemmy.world Incident and Memmy - Lemmy

## Note This information is based off of early reports I have seen. I don’t claim to know the extent to which any damage was done and as such recommend a password reset (two-factor authentication would not be of use if authentication tokens were compromised), but we do know that this was a Javascript injection. ========== With the recent Lemmy.world incident, I’d like to update you all. This vulnerability could not have affected you had you been using only Memmy while browsing. It was a Javascript injection, and as Memmy does not execute any Javascript, there is no attack surface here. The only case where this could have affected you would be if you had been signed in to your account inside of the in-app browser or the default browser and opened one of these posts. That however would not be something with Memmy itself, but rather the accessing of the PWA. Regardless, as we don’t actually know what happened, I’d recommend changing passwords. If any JWTs were compromised during this, regardless of 2FA status these tokens could be used to authenticate with your account. From what I have seen, this was an issue that was limited to Lemmy.world, as supposedly they were running a custom frontend build. Other than that, I don’t know anything else. Also, for the record, there is only one instance in this application where a webview is used, which is when viewing the terms of service which simply loads a local file from the app assets. Any questions, I’ll try to answer them but you’d be better off asking people more knowledgeable about the incident.