Hi all. As a precautionary measure, I turned off infosec.pub until the fix for a serious vulnerability exploited on other instances is incorporated into a package I can deploy. There's no indication infosec.pub was hit, but I don't need that sort of headache this week. ❤️

@jerry do you know if this vulnerability is only in the front-end code?

Not clear to me where this markdown parsing is happening.

Are you also vulnerable if you use a 3rd party client (Android App, wefwef...)?

@known_as_bmf it appears to be in lemmy-ui. It's the server that is vulnerable, not the people connecting to it.

@jerry from what I could gather and my limited knowledge on how lemmy works, it appears to be an XSS injection vulnerability (executed client side, gathering JWT tokens and whatnot).

In my experience, the way the client renders the "poisoned" data is crucial for the attack to function properly.

That's why I was wondering if some 3rd party clients might be immune to it 🤔

@known_as_bmf ah - got it. Yes, if the admins only interact with the instance via an app that doesn’t render the content or otherwise doesn’t permit access tokens from being stolen, it should be less severe - the issue of course is all the non-admin users who access without an app, and that few (maybe none?) of those apps present admin functionality, meaning admins will be using the web interface. That’s a common situation, btw. None of the other software like Mastodon has a capable client that exposes admin functionality

@jerry Thank you for your insight 😀

@jerry maybe it makes sense to put some kind of status notice saying that the site isn't offline but is currently awaiting a fix? For people who are not subscribed to you on Mastodon but are visiting infosec.pub.