FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895
I literally just made a community over there 20 mins ago fml
No biggie. Choose another server and create it there, too. Largest communities will win in the long run.
It appears that the deface attack is back in full swing (racial slurs and all the redirects)
deleted by creator
It looks like they’re in the process. The compromised account was demoted from admin and I see posts are being removed. There will definitely need to be some sort of investigation into how this happened, though.
deleted by creator
deleted by creator
Time to make an alt! Been thinking about switching instances anyway, so this is a nice test. Hope the situation gets resolved soon.
GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files
If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin’s JWT, which then lets the attacker get into that admin’s account which can then spread the exploit further by putting it somewhere where it’s rendered on every single page and then deface the site.
If your instance doesn’t have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.
I see a new lemmy-ui docker image has been pushed an hour ago, tagged
0.18.2-rc.1. Anyone know if it fixed the issue?Edit: yep, it’s fixed: https://github.com/LemmyNet/lemmy-ui/commit/e80bcf53acb8ce25ed5ef6b7eb16b90f0b07e8f1
I’m not particularly familiar with XSS but I’m curious how a frontend exploit can compromise an instance?
Presumably the injected XSS stores the admin’s JWT somewhere for the exploiter?
Then using that JWT they can effectively login as the admin which gives them access to whatever admin dashboard there is, but does that actually compromise the backend at all?
edit: for anyone curious there’s a bit of a breakdown of how it works here: https://feddit.win/comment/244427
- Inject exploit into a comment using custom emoji.
- Front-end parses the emoji incorrectly allowing JavaScript to be injected.
- JavaScript loads for everyone to views a page with the comment and sends their token and account type to the hackers domain.
- Hacker parses received tokens for admins and uses that to inject redirects into the front page of the Lemmy instance.
To answer your other questions:
- IMO there probably should be better parsing to remove this stuff from the back-end, so I’m not sure the front-end solution is the complete solution, but it should get things largely under control.
- Back-end is theoretically not compromised besides needing to purge all the rogue comments. Attacker presumably never had access to the server itself.
- Probably needs to be a mass reset of ALL passwords since lots of people’s tokens were sent during the attack, so their accounts could be compromised.
But won’t custom emojis from remote instances still trigger the exploit?
Apparently not per the post-hack report: https://lemmy.ml/post/1901079
Apparently the custom emojis are rendered as static images when federated to outside instances so it’s clean.
The “Hot” sort topic:
Yikes, hope they can find and disclose whatever they used to compromise an admin account.
lemmy.world was briefly back to normal and there had been a post saying that everything was fine now - it’s not.
The site has just started doing the same thing again.
Please do not try using lemmy.world for the time being.
the post saying everything was fine now was coming from the same account that was originally compromised
We’ve changed our name to Israel. - The Admins.
Lol so how do you expect to be notified then? You don’t think they can get their account back? They’ll get it back eventually.
They have multiple admins. The expectation would be for one of the non compromised admins to make the announcement. It’s a trusted channels thing
i just got logged out of my account from Jerboa and can’t login anymore. my is completely wiped from my app now.
edit: okay seems the admins have taken down lemmy.world and thats probably why it happend in the app. but its weird that it just wipes the login and data of the instance in the app… weird.
Jerboa tries to log in with session info passed to the server, if the server doesn’t respond properly then it just calls you Anonymous, because it can’t acquire your username and info. That’s probably what’s happening.
oh, okay. didn’t knew that. i expected that it saves the login information locally (encrypted) and then uses this to login… and if there is an error, that it just says “login error” or something… with the option to retry.
it’s weird that it looks like the whole login data just gets wiped. confused me a lot since it also said Anonymous as my user etc… really thought first my account got hacked after all that issues.
I’m not using your app, I’m still learning Connect but ran into similar sounding confusion. Maybe yours is acting the same way: Connect puts an option in the settings to switch which instance(.world/.ee/.ca) it’s running on, and each option will show its own list of users in the apps main sidebar. I switched and thought I lost all my login info, but it was there when I switched back. I maybe wouldn’t try switching to .world right now, but if that’s how your app works maybe it’s all still there waiting.
My self hosted instance has hiccups sometimes and Jerboa just doesn’t handle it super well. You can swipe away the app and reopen once the server is back and it should come right back up.
I’m seeing zero comments come out of Lemmy.world in the past 15 minutes, app users shouldn’t have been redirected… and users commenting from other servers should be going to communities homed there. I wonder if they shut off federation. I normally see over 10 comments a minute: https://lemmyadmin.bulletintree.com/query/comments_ap_id_host_prev?output=table&timeperiod=15
Hmm. They seem to have cleaned up a lot of things by now. If federation is an issue that might something the hacker did? Though pausing federation as a precaution makes sense.
Last post received in my instance from them was over an hour ago. I usually see one or two a minute. Comments stopped at the same time and those are usually about every 5 seconds.
lemmy.blahaj.zone got hacked too, looks like the same people
blahaj admins are aware and have the site down with a splash screen now
Links to this video: https://www.youtube.com/watch?v=Z1K4BUtHsO4
Yup they must of just put that up after I posted and @ the admins
They also changed the allowed/blocked instances to allow threads.net and defederate lemmy.ml, just like they did on lemmy.world: https://lemmy.blahaj.zone/instances
Huh… so this probably is more sophisticated than a single acct breach then. Lovely.
Yeah, I’d recommend any server admin that doesn’t have 2FA turn it on ASAP until we know what their exploiting
Looks like the accounts were compromised by stealing their cookie - something 2FA can’t stop.
Still should have it on, though.
Don’t know if this will be relevant at all, but I’m almost hoping this will force Lemmy devs to abandon the obscure markdown crate they use for pulldown-cmark.
Using an obscure markdown implementation just because it supports spoiler tags always sounded like a silly decision to me!
Just clicked into Lenny.world and saw “site has been seized by Reddit for copyright infringement “
The admins now appears to have taken down the backend in an effort to stop the defacing.
