TheTechNerd789

Lemmy.world and another instance have been compromised

https://lemdro.id/post/42872

Lemmy.world and another instance have been compromised - Lemdro.id

cross-posted from: https://lemmy.ml/post/1895271 [https://lemmy.ml/post/1895271] > FYI!!! In case you start getting re-directed to porn sites. > > Maybe the admin got hacked? > > --------- > > edit: lemmy.blahaj.zone has also been hacked. beehaw.org [http://beehaw.org] is also down, possibly intentionally by their admins until the issue is fixed. > > Post discussing the point of vulnerability: https://lemmy.ml/post/1896249 [https://lemmy.ml/post/1896249]

Jul 10, 2023 at 5:20amWeb
Show threadAerJul 10, 2023

Some information I have posted to Lemmy.World:

I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.

Users are posting images like the following:

imgur.com/a/RS4iAeI

And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

I have seen multiple posts by these people during the attack. It is most certainly related to JS.>>>

imgur.com

Discover the magic of the internet at Imgur, a community powered entertainment destination. Lift your spirits with funny jokes, trending memes, entertaining gifs, inspiring stories, viral videos, and so much more from users like KailDoku.

Imgur
Show threadHairypooperJul 10, 2023
Wtf how is this even possible? Are the Lemmy devs smoking crack? If you’re going to run a reddit alternative, it may be wise to sanitize the fuck out of everything posted on there.
Show threadDioJul 10, 2023
¯_(ツ)_/¯ Lemmy.
Show threadlowleveldataJul 10, 2023
You are free to open a PR
Show threadwaltuhJul 10, 2023
Not really helpful though is it? It’s like going to a friend’s house and asking why there is a sink hole in the middle of the floor that everyone is walking around, and they say “feel free get a hammer out”.
Show threadlowleveldataJul 10, 2023
It’s more like when everyone is looking at the previously unknown hole and discussing how to patch it up and you start yelling how it is unacceptable as your friend’s house is a “bar alternative”
Show threadmadcaesarJul 10, 2023
Honestly I think you’re all right. This is such a basic vulnerability it should never existed… AND I told you so’s and bitching don’t help.
Show threadjherazobJul 10, 2023
Little Bobby Tables strikes again
Show threadr00tyJul 10, 2023
Please feel free to perform a full security audit.
Show threadPupBiruJul 10, 2023

the threadiverse wasn’t exactly popular until the reddit exodus

id probably flip it: are lemmy users smoking crack? if you’re going to run to a reddit alternative, it’d be wise not to choose alpha software!

Show threadHobbitFoot Jul 10, 2023
People have said the platform is years old, but it didn’t really get tested until June. I wouldn’t be surprised if more issues like this are found.
Show threaddb2Jul 10, 2023
Script kiddies. insert eyeroll emoji here
Show threadTywèle [she|her]Jul 10, 2023
Here take this: 🙄
Show threadmutantJul 10, 2023
I think it's hilarious that Reddit protesters were redirected to NSFW content, karma is coming around lmfao
Show threadXiELEdJul 10, 2023
What karma? Spez started it by being a liar 🤷‍♂️
Show threadthayerJul 10, 2023
Dude’s got 44 comments and every single one is a complaint about the reddit protest or protestors. Might just be spez himself lol
Show threadDioJul 10, 2023
I can sense tears and hurt through your, "lmfao"
Show threadZILtoid1991Jul 10, 2023
Are you the hacker, who did this?💀
Show threadNotAFuckingBotJul 10, 2023
When I wanted to do some lemmying earlier, the LemmyWorld logo said ‘Israel’, and when I put my cursor over it, it said 'N**a Style. Then when I clicked the logo (stupid me, no doubt), it redirected me to a pic of some dude with a cigar, with the caption (iirc) "I rpe kids in the woods". I did a virus scan which came up clear. Dunno what else to do when shit like that happens.
Show threadtalJul 10, 2023

I have not seen any notice as to how either usera or admins should mitigate the problem so far. Obviously, admins should update once a new release is out, but beyond that...

From an end-user standpoint, I would guess -- I have not looked at the code and have not been working on the security hole -- the following:

  • This basically allows the attacker to masquerade as a currently-logged-in user who has viewed their link.

  • Viewing content on a lemmy server while logged in as an admin right now is probably a particularly bad idea.

  • I don't know what the full impact is for a regular user account, but it's probably possible for at minimum posts to be deleted, and posts to be made as someone. In kbin, my account shows my email address, so if lemmy does the same, it would be possible to link an email account used for regiatration wirh a username.

  • Viewing content while not logged in is probably safe. If I were going to be viewing content on lemmy servers right now, and okay with being limited to lurking, I might do that for a few days until the issue ia reaolved and lemmy servers update.

  • I don't know if kbin is vulnerable. It didn't accept the URL given in the bug as an example of a malicious URL when I tested submitting one, but it's possible that it trusts URLs coming from federated servers, which I did not check.

Show threadgeneJul 10, 2023
https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1628270766
Possible XSS attack · Issue #1895 · LemmyNet/lemmy-ui

Requirements This is a bug report, and if not, please post to https://lemmy.ml/c/lemmy_support instead. Please check to see if this issue already exists. It's a single bug. Do not report multiple b...

GitHub
Show threadsgtlighttreeJul 10, 2023
I don't see any weird content, but I couldn't log in. There's a notification at the bottom that says "logged in" but I'm still blinded by light mode.
Show threadElectronSoupJul 10, 2023
beehaw isn't down, just very slow, which is it's normal state of being if we're being honest
Show threadjherazobJul 10, 2023
It IS intentionally down, post by the admins
Beehaw (@[email protected])

Hi Beeple! I (Lionir) have shut down the server until further notice. There seems to be a big vulnerability in Lemmy at the moment that is propagating at an alarming rate. I'd rather be safe than sorry. Hope this doesn't last too long.

Hachyderm.io
Show threadImaginaryFoxJul 10, 2023
Seems like a good cautious move on their part.
Show threadalaxitooJul 10, 2023
Swear this is the same guy that did the trending community spam a few days ago, he was angry about being banned for squatting on known subreddit names here on Lemmy, even the compromised admin account said something about it in her comments before this happened 🤦‍♂️
Show threadNepentheJul 10, 2023
Wait, was that the one that had a community list well into the twenties? Or was that someone else? I don't think all that stuff reached me, but I did hear about a wannabe powermod like a week and a half ago. Much good that does anyone in a defederated system.
Show threadalaxitooJul 10, 2023
His username at the time was LMAO I think so… he did it again on another Lemmy instance but used a different username that time as well 😂
Show threadbdonvrJul 10, 2023
Time to move from banning to contacting authorities then… spam is one thing. This is criminal.
Show threadBananaJul 10, 2023

In all seriousness, no one is talking about this, but this is the one disadvantage of open source software being developed by volunteers, we don't know exactly how the admin accounts were hacked but the XSS stuff is really basic stuff, none of those fields were sanatised at all, and it makes me concerned what else has been missed, obviously the advantage of open source is in time this stuff can get fixed, but this is what happens when loads of people who aren't experts contribute to a site.

In comparison to sites where there is a fully hired developer team the quality of the code is significantly better. I really hope the passwords were hashed on these instances and the hackers didn't get plain text passwords or anything really bad like this.

Show threadFalJul 10, 2023
I think you’ve never worked in software, or even used software, if you think paid close source apps don’t have issues like this. They can be worse because they’re written by interns and no one there actually cares, they just want their paycheck
Show threadAvid AmoebaJul 10, 2023
I concur. The security behind closed doors is often non-existent. The incentives are typically stacked against security.
Show threadBananaJul 10, 2023
I work at the biggest software company in the world.
Sure there is projects with security flaws, but at the company I work, there is zero tolerance to big security flaws in the code, we have many automated checks, as-well as manual checks.
Show threadPupBiruJul 10, 2023

yes and no: there are a couple of schools of thought!

of course, code by a lot of people without proper review is… risky

however, at least it’s able to be reviewed! and in time and with enough eyeballs, hopefully that code will become far more robust. that’s the benefit of transparency: anyone can review any line at any time!

remember: closed-source code as plenty of vulnerabilities too! just if we can’t review it, it’s much harder to work out what they might be… often, closed source vulnerabilities can exist for years without the vendor ever patching them because nobody is calling them out on it… hell, they can even know that their software is actively being exploited and just… not tell anyone

Show threaddarrsilJul 10, 2023

Did this result in Lemmy.world being defederated from Lemdro.id?

Lemmy.world is back up and the hack is over, but when I view [email protected] using my lemmy.world account I can’t see anything.

Show threadcoleJul 10, 2023
I have not de-federated other instances simply because lemdro.id is not vulnerable to this particular exploit
Show threadcoleJul 10, 2023
Hey everyone, this exploit was present in the custom emoji feature of Lemmy. Because lemdro.id does not use custom emojis, we are not vulnerable at this time.
Show threadR00botJul 11, 2023
Is blahaj zone still down? Haven’t been able to log in recently.
Show threadT156Jul 11, 2023

If they changed their server token, which they would have done to reduce the chances of the hackers reusing the same account tokens, you need to refresh your browser cache/cookies.

On desktop, you can do this by hitting CTRL-SHIFT-R, and on mobile, you probably just have to sign out and sign back in again.

Show threadNeroreroJul 11, 2023
It’s up again. If you use an app, delete your cache and log in again