A little off topic for most of us here on RBlind but still worth posting for our instances Admins/Mods if no one else.

My very basic account security advice for Lemmy Admins

Have separate accounts for the things you do on an instance:

  1. Only use Admin accounts for things requiring no less than an Admin to do.
  2. Only use Mod accounts for things requiring no less than a Mod to do.
  3. Use standard user accounts for everything else.

Be sure to log off of an account and close all apps, browser tabs and windows that were open while you used that account before trying to log in with a different account.

While there are a lot more things that can and should be done, using separate accounts is a good minimal place to start. It should help mitigate against UI exploits targeting admin accounts for compromise like we have seen with a few other instances recently.

Things can and probably will still go wrong but diligently using accounts of least privilege can help reduce the risk of Admins getting caught up in some of the more simple traps.

  • Samuel ProulxMA · 5 upvotes · 1 year ago

    The issue with this is that Lemmy doesn’t allow accounts with duplicate emails. So if I want three accounts, I need three email addresses. As Lemmy doesn’t currently support push notifications, email is the only way to get notified about anything. Checking three different addresses is impractical.

    I agree that this is best practice, but until Lemmy allows admins to remove the uniqueness requirement for email addresses, or sets up a decent push notifications API, it’s not going to happen over most instances.

    Fortunately, we were in no danger around the recent issues. Not only did we not use the feature in question, we have cross-site scripting policies set up correctly so scripts from other domains won’t run.

    • ClassyHatter@lemmy.world · 2 upvotes · 1 year ago

      Do plus addresses help circumvent that? I think most email providers support plus addressing (also known as sub-addressing). You can add a plus sign and any string before the at sign. For example: youremail+lemmyaccount1@email.com. The string between the plus and at signs can be anything, and all these addresses point to your normal inbox with the added benefit that you can filter them into different folders.

      PS. Lemmy version 0.18.2 was released today. It fixes the vulnerability and has some other improvements as well.
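As an added illustration of the sub-addressing idea above (example code, not part of the thread and not anything Lemmy ships): the helper below derives one tagged address per role from a single mailbox, parses the tag back out of a delivered message, and sorts it into a folder. The mailbox, tag names, folder names and sample messages are all constructed for the example.

```python
"""Plus-addressing (RFC 5233 sub-addressing) helper.

Added example; assumes a single mailbox `local@domain` whose provider
delivers `local+tag@domain` to the same inbox. Tags and folders are
invented for the illustration.
"""
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# One tag per kind of account, so each account has its own unique email
# address while all mail still lands in the same inbox (assumed names).
ROLE_TAGS = {"admin": "lemmy-admin", "mod": "lemmy-mod", "user": "lemmy-user"}


def subaddress(mailbox: str, tag: str) -> str:
    """Return local+tag@domain for a plain mailbox address."""
    local, _, domain = mailbox.partition("@")
    if not local or not domain:
        raise ValueError(f"not a mailbox address: {mailbox!r}")
    if "+" in local:
        raise ValueError("mailbox already carries a sub-address tag")
    return f"{local}+{tag}@{domain}"


def role_addresses(mailbox: str) -> Dict[str, str]:
    """Map each role to the tagged address to register that account with."""
    return {role: subaddress(mailbox, tag) for role, tag in ROLE_TAGS.items()}


def split_tag(address: str) -> Tuple[str, Optional[str]]:
    """Return (base address, tag); tag is None when the address has none.

    Accepts display-name forms such as 'Alice <alice+x@example.com>'.
    """
    _, addr = parseaddr(address)
    local, _, domain = addr.partition("@")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)


def folder_for(msg: EmailMessage, mailbox: str) -> str:
    """Choose a folder from the tag on the address the message was sent to."""
    base, tag = split_tag(msg["To"] or "")
    if base.lower() != mailbox.lower():
        return "INBOX"  # addressed to someone else: leave it alone
    for role, role_tag in ROLE_TAGS.items():
        if tag == role_tag:
            return f"Lemmy/{role}"
    return "INBOX"  # untagged or unknown tag


def sample_messages(mailbox: str) -> List[EmailMessage]:
    """Constructed notification mails, one per role plus an untagged one."""
    msgs = []
    for role, addr in role_addresses(mailbox).items():
        m = EmailMessage()
        m["To"] = addr
        m["Subject"] = f"New reply on your {role} account"  # constructed
        msgs.append(m)
    plain = EmailMessage()
    plain["To"] = f"Somebody <{mailbox}>"
    plain["Subject"] = "Unrelated mail"
    msgs.append(plain)
    return msgs


def route_all(mailbox: str) -> List[Tuple[str, str]]:
    """Return (To header, folder) for every sample message."""
    return [(m["To"], folder_for(m, mailbox)) for m in sample_messages(mailbox)]


if __name__ == "__main__":
    for to, folder in route_all("alice@example.com"):
        print(f"{to:45} -> {folder}")
```

Whether the instance's uniqueness check treats `alice+lemmy-admin@example.com` and `alice+lemmy-mod@example.com` as different addresses depends on the instance comparing the raw strings rather than normalising the local part, so it is worth confirming on the instance in question before relying on it.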

      • Samuel ProulxMA · 4 upvotes · 1 year ago

        Yeah, I’ll be upgrading us when I get off work tonight.

  • ClassyHatter@lemmy.world · 4 upvotes · 1 year ago

    Also be wary when using apps and especially when enabling push notifications. The Lemmy API currently lacks any kind of support for partial access to an account (unless this has changed recently). So, apps cannot, for example, get read-only access to your account’s inbox. Apps can get either no access or full access. When you sign up for push notifications, an authentication token is stored on the push notification server which gives full access to your account to whoever happens to get their hands on that token. If there, for example, happens to be a security vulnerability on the push notification server, it might leak those tokens.

    If you have enabled push notifications on some Lemmy app, and want to invalidate the token, you can just change your password.

    Here’s a post by Memmy for Lemmy’s developer about push notifications: https://lemmy.ml/post/1534493
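To make the two points in the comment above concrete, here is an added, hypothetical token design (example code, not Lemmy's implementation or API): tokens carry a scope, so a push server could hold an inbox-read-only token instead of a full-access one, and they carry the account's password version, so a password change revokes every token issued before it. The action names, scope names, account and password strings are all constructed for the example.

```python
"""Scoped, revocable session tokens (hypothetical design, added example).

Two properties are shown: a token limited to `inbox:read` cannot perform
privileged actions even if it leaks, and bumping a per-account password
version on password change invalidates every previously issued token.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed action -> permitting scopes table. "full" is the only kind
# of access the comment says the real API hands out today.
SCOPE_FOR_ACTION = {
    "inbox:read": {"inbox:read", "full"},
    "post:create": {"full"},
    "community:remove": {"full"},
}


class Account:
    """Minimal account record; pw_version is the revocation hook."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.pw_version = 0
        self.salt = b""
        self.pw_hash = b""
        self.change_password(password)

    def change_password(self, new_password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), self.salt, 200_000
        )
        self.pw_version += 1  # every outstanding token now carries a stale version


class TokenService:
    """Issues HMAC-signed tokens and checks them against scope and version."""

    def __init__(self, signing_key: bytes) -> None:
        self.signing_key = signing_key
        self.accounts: Dict[str, Account] = {}

    def register(self, account: Account) -> None:
        self.accounts[account.username] = account

    def issue(self, username: str, scope: str) -> str:
        account = self.accounts[username]
        claims = {"sub": username, "scope": scope, "pv": account.pw_version}
        payload = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(mac)

    def _decode(self, token: str) -> Optional[dict]:
        """Return the claims if the signature verifies, else None."""
        try:
            payload_b64, mac_b64 = token.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        return json.loads(payload)

    def authorize(self, token: str, action: str) -> bool:
        claims = self._decode(token)
        if claims is None:
            return False
        account = self.accounts.get(claims.get("sub"))
        if account is None or claims.get("pv") != account.pw_version:
            return False  # password changed since issuance: token revoked
        return claims.get("scope") in SCOPE_FOR_ACTION.get(action, set())


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def demo() -> Dict[str, bool]:
    """Walk through leak-of-scoped-token and password-change scenarios."""
    svc = TokenService(secrets.token_bytes(32))
    svc.register(Account("alice", "correct horse battery staple"))  # constructed
    full = svc.issue("alice", "full")
    inbox_only = svc.issue("alice", "inbox:read")  # what a push server should hold
    results = {
        "full_can_remove_community": svc.authorize(full, "community:remove"),
        "inbox_only_can_read_inbox": svc.authorize(inbox_only, "inbox:read"),
        "inbox_only_can_remove_community": svc.authorize(inbox_only, "community:remove"),
    }
    svc.accounts["alice"].change_password("a different passphrase")
    results["full_after_password_change"] = svc.authorize(full, "community:remove")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The password-version check is what makes "just change your password" an effective revocation: the server never has to track which third parties hold copies of a token, because every copy minted before the change fails the version comparison.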