The spam campaign attacking Writefreely instances is out of control. Can you contact the admins you know?
Yesterday I received this message from my friend @elettrona:
Are you the one running the “writefreely blogs” bot, aka
writefreely@poliverso.org? Because there are tons of English accounts full of links that post nonstop.
And indeed, that account republishing posts from some Italian instances had a staggering amount of spam.
This is due to a very serious vulnerability that hasn’t yet been patched by the developers, but which has (obviously) started to be exploited on a large scale.
I’ve notified all the Italian administrators of @writefreely instances, but I’m having some difficulty contacting the foreign ones.
These are the ones with the most users:
https://write.otter.homes/read
https://infosec.press/read
https://blog.liberta.vip/read
https://write.tedomum.net/read
https://val-vgms.gay/read
https://bolha.blog/read
But there are many others.
Is there anyone among you who can try this or at least spread the word?
Note: As I mentioned, the vulnerability has been known for a long time and is currently being exploited on a large scale.
@macfranc @fediverse @elettrona Thanks for the heads up. I’m cutting a new release with the patch now.
@writefreely Thank you so much for your input! ♥️
@macfranc @fediverse @elettrona Fix is out now! Getting other architectures built soon.
@writefreely @macfranc @fediverse Now waiting WriteFreely '17 into @yunohost catalog as well!
“Use WriteFreely instead of Plume,” they said.
“It’s in active development,” they said.
Then again, if this was to happen to Plume (and I wouldn’t be surprised if it was), it’d take the devs until the 2030s to fix it.
So it was fixed two weeks ago, but they haven’t released the fixed version, and their last release was… 11 months ago???
Holy shit this is so bad.
I’m gonna shut my own instance down RN and see for something elsePS: Fabio, who reported this technical solution to address the issue, is not only a former contributor to Wrirefreely but also the developer of this new platform.
If yours is a personal instance, you could replace WF with this new Madblog:
RN I blocked access to the signup location on nginx Should be ok for now, but I’ll take a look at madblog
Thanks for the tip





