• maegul (he/they)@lemmy.ml
    2 years ago

    Hmmm. Don’t know what the fallout of this will be. But a lot of lemmy is on that server. Unfortunately. Maybe we’ll learn a lesson in the value of decentralisation.

    Ruud also runs mastodon.world, FYI.

    • Lemon@lemmy.blahaj.zone
      2 years ago

      This is why it makes sense for communities to not all pile into one instance, it gives one instance admin too much power and responsibility over everything.

    • Vilian@lemmy.ca
      2 years ago

      Was just some of the admins in the lemmy, I don’t think they share the same admins.

    • Stovetop@lemmy.ml
      2 years ago

      It looks like they’re in the process. The compromised account was demoted from admin and I see posts are being removed. There will definitely need to be some sort of investigation into how this happened, though.

  • Max-P@lemmy.max-p.me
    2 years ago

    GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

    If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin’s JWT, which then lets the attacker get into that admin’s account which can then spread the exploit further by putting it somewhere where it’s rendered on every single page and then deface the site.

    If your instance doesn’t have any custom emojis, you are safe; the exploit requires custom emojis to trigger the bad code branch.

    • Kayn@dormi.zone
      2 years ago

      But won’t custom emojis from remote instances still trigger the exploit?

    • StudioLE@programming.dev
      2 years ago

      I’m not particularly familiar with XSS but I’m curious how a frontend exploit can compromise an instance?

      Presumably the injected XSS stores the admin’s JWT somewhere for the exploiter?

      Then using that JWT they can effectively login as the admin which gives them access to whatever admin dashboard there is, but does that actually compromise the backend at all?

      edit: for anyone curious there’s a bit of a breakdown of how it works here: https://feddit.win/comment/244427

      • CMahaff@lemmy.ml
        2 years ago
        1. Inject exploit into a comment using custom emoji.
        2. Front-end parses the emoji incorrectly allowing JavaScript to be injected.
        3. JavaScript loads for everyone who views a page with the comment and sends their token and account type to the hacker’s domain.
        4. Hacker parses received tokens for admins and uses that to inject redirects into the front page of the Lemmy instance.

        To answer your other questions:

        • IMO there probably should be better parsing to remove this stuff from the back-end, so I’m not sure the front-end solution is the complete solution, but it should get things largely under control.
        • Back-end is theoretically not compromised besides needing to purge all the rogue comments. Attacker presumably never had access to the server itself.
        • Probably needs to be a mass reset of ALL passwords since lots of people’s tokens were sent during the attack, so their accounts could be compromised.
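A worked illustration of the rendering step that the two breakdowns above (Max-P’s and CMahaff’s) describe, with a weak render beside its hardened form; this is added example code, not lemmy-ui’s, and the emoji object shape, function names and sample values are hypothetical.

```javascript
// Added example (not lemmy-ui code): rendering user-controlled custom-emoji
// metadata into HTML. The weak version interpolates values raw; the hardened
// version attribute-escapes them and validates the URL. All names hypothetical.

function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Only http(s) URLs may become an <img src>; anything else is rejected.
function safeUrl(url) {
  try {
    const u = new URL(url);
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : "";
  } catch {
    return "";
  }
}

// Weak: shortcode, alt text and URL land in the markup unescaped, so a value
// such as  x" onerror="...  closes the attribute and adds an event handler.
function renderEmojiUnsafe(emoji) {
  return `<img class="emoji" src="${emoji.url}" alt="${emoji.alt}" title="${emoji.shortcode}">`;
}

// Hardened: every interpolated value is attribute-escaped and the URL is
// validated; if the URL is unusable the shortcode is shown as plain text.
function renderEmojiSafe(emoji) {
  const src = safeUrl(emoji.url);
  if (!src) return escapeHtmlAttr(`:${emoji.shortcode}:`);
  return `<img class="emoji" src="${escapeHtmlAttr(src)}" alt="${escapeHtmlAttr(emoji.alt)}" title="${escapeHtmlAttr(emoji.shortcode)}">`;
}

// Crude reviewer check over rendered output: a real on*="..." handler
// attribute or a script tag means user data escaped its attribute.
function looksInjected(html) {
  return /\son[a-z]+\s*=\s*["']|<script/i.test(html);
}

// Constructed sample: an attacker-controlled emoji definition.
const hostileEmoji = {
  shortcode: 'smile" onerror="alert(1)',
  alt: "smile",
  url: "https://example.com/smile.png",
};
```

Output escaping closes the injection itself; keeping the JWT out of script-readable storage (an HttpOnly cookie) would separately limit what such an injection can exfiltrate.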
    • maegul (he/they)@lemmy.ml
      2 years ago

      Yea, bad timing it seems, especially as lemmy just got on top of its scaling issues.

      They seem to be unrelated. The vlemmy story is mysterious, unless something new came out, but either their home server died or they got scared of whatever bad/illegal stuff landed on their home server and just wiped it all and walked away. A bad story that shouldn’t happen, but, if true, a bad admin that we are probably better off without unless they do things somewhat better.

      The lemmy.world story seems to be that an admin had their credentials hacked. Not good but also somewhat ordinary. Hopefully they just need some better security practices. There are questions around how much lemmy the software contributed to this hack and how much it can prevent a rogue admin from causing damage. I’d bet that there are improvements to be made but that in the end any admin of anything is a vulnerable point of attack. This may just be an individual’s bad luck or bad practices.

      For me, it highlights the issues with having relatively centralised instances like lemmy.world. One admin gets hacked and a quarter of lemmy is under their control!

  • TotoroTheGreat@lemmy.ml
    2 years ago

    I decided to check it and it tells me that ‘The site has been seized by Reddit for copyright infringement’.

    • figaro@lemdro.id
      2 years ago

      I was once doing work at a company that provided tech support and security for local businesses. There were a couple big instances of the companies being hacked with ransomware etc. On every occasion, we of course ask, “when was your last backup done?” And without fail, every one of them always responded, “backup?”

    • Stovetop@lemmy.ml
      2 years ago

      One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

      Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

      • eerongal@ttrpg.network
        2 years ago

        Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

        They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it…

        • ebits21@lemmy.ca
          2 years ago

          It’s buggy and missing some key checks to make sure it’s working when you set it up.

          Real risk of locking yourself out of your account.

            • ebits21@lemmy.ca
              2 years ago

              Mostly a risk on initial setup.

              I’ve been waiting a bit for it to stabilize and just using huge random passwords.

              • Zetaphor@zemmy.cc
                2 years ago

                If you’re using a password manager you’d be doing this for every site and without even having to think about it. Bitwarden is a great choice.

                • The Cuuuuube@beehaw.org
                  2 years ago

                  I like KeePass. Bitwarden currently has an nginx exposure in the Dockerfile published in their git repo (may have been fixed since a couple of days ago). That said, I used Bitwarden for many years and switched out of an abundance of paranoia, and am definitively not recommending against it. Just basically use one of the following:

                  • Bitwarden
                  • KeePass
                  • 1password

                  And stay far the fuck away from LastPass

                • ebits21@lemmy.ca
                  2 years ago

                  Oh I do. Used Bitwarden for many years.

                  I actually use KeePass for TOTP codes too.

        • bdonvr@thelemmy.club
          2 years ago

          Also I believe this was achieved through cookie stealing, which 2FA would not have helped

        • Stovetop@lemmy.ml
          2 years ago

          More time will definitely be needed. I’m glad they caught it and acted quickly enough to prevent more vandalism from occurring, but until we know how the account was compromised and what else they may have gotten in the process, it’s still a situation to keep an eye on.

    • Max-P@lemmy.max-p.me
      2 years ago

      Not a whole lot - you might see some spam being federated from lemmy.world but I’d expect the lemmy.ml and lemmy.world admins will fix it, and then clean it up.

      That’s probably a good stress test to figure out how to handle that.

  • RoundSparrow@lemmy.ml (Banned)
    2 years ago

    It was cleaned up on the home page, but now back to being defaced as of this comment time.

    Another user on the site confirmed this:

    • G59@lemmy.ml (OP)
      2 years ago

      Oh wow again? 10 min ago it was clean! The .world admins are having a productive day lol

      • lemminer@lemmy.ml
        2 years ago

        Now I’m unable to open lemmy.world, even on liftoff. Mods must have taken it down.

        • LifeCoach5K@lemm.ee
          2 years ago

          Same here. Seems to be toast through the liftoff app but I haven’t visited the site since the news broke. Liftoff was working an hour ago when it first happened.

    • PlutoniumAcid@feddit.dk
      2 years ago

      No biggie. Choose another server and create it there, too. Largest communities will win in the long run.