Hexbear was a victim of a targeted XSS attack similar to the attack many other Lemmy instances have seen.
The account that first leveraged the attack was registered on 2023-07-10 at 03:58 UTC, the fix for the vulnerability was applied by around 04:35 UTC. This leaves a ~40 minute window in which anyone browsing the site could have had their account hijacked.
The attacker was able to act (post, comment, DM) as the account they hijacked. They will also have been able to view/use the compromised account's settings page. This means they will have been able to see users' email addresses. Some accounts that were compromised were temporarily banned, these bans have now been lifted.
If you were using the site during the above time window, please double check your account settings to see if anything was changed.
Passwords were not stolen, JWTs were. We have just invalidated all old JWTs so the attacker no longer has access to the hijacked accounts (this is why all users have been logged out).
Not only that, but the framework we use is infernojs. Imagine react, but it doesn't have hooks, has barely any documentation, and has virtually no compatible UI libraries or tooling. It's significantly more performant and has a smaller bundle size than react, but the negatives outweigh the positives.
In particular, there is no isomorphic framework for inferno like next for react, nuxt for vue, sveltkit for svelte, etc. To get around this, there's a filthy kludge where we take an object of isomorphic data and assign it to a property on
windowin a script tag. This is both error prone and insecure, but also required for the UI to work without needing to generate the whole page on the client side. If you wantb to see this for yourself, open your browser's devtools and look for a script tag towards the top.