Notorious@lemm.eetoFediverse@lemmy.world•Lemmy just had its first major hack. What happens next:English
21·
1 year agoLemmy decided to go with SHA256 for TOTP seed. This is a very odd move since many 2FA apps don’t support SHA256. I actually had to write a quick python script to spit out my 2FA code since Bitwarden doesn’t support it. Hopefully either Lemmy will change to SHA-1 or Bitwarden will start to support SHA256 seeds.
Not sure that’s entirely true. Thankfully this attack vector required custom emojis, so it was limited to those specific Lemmy instances. Other attack vectors we may not be so lucky and it could spread through federation.