this post was submitted on 10 Jul 2023
174 points (97.8% liked)

submitted 2 years ago* (last edited 2 years ago) by henfredemars to c/infosecpub

Discussion from here: https://lemmy.ml/post/1895271

Relevance: Infosec.pub may wish to consider defederation temporarily.

Temporary fix in place, but instances remain vulnerable. Post: https://lemmy.world/post/1290412

  • UPDATE 2:58 UTC the injected code was removed from the main page, but cleanup efforts are still underway.
  • UPDATE 3:11 UTC situation appears to be under control, but browse with caution.
  • UPDATE 3:35 UTC main page exploited again! Website is unsafe.
  • UPDATE 4:01 UTC reports coming in that other instances are getting owned. One report of comments trying to inject JavaScript into the page.
  • UPDATE 4:13 UTC XSS vulnerability in page sidebar is reported; relationship to the event is unknown.
  • UPDATE 7:17 UTC Root cause was identified a while ago.
all 20 comments
[–] jerry 9 points 2 years ago

I’ve turned off federation and the ability to create new communities until a fix is released.

[–] SimplePhysics@sh.itjust.works 8 points 2 years ago (2 children)

Yep, redirects to very strange websites. I created this shitjustworks account because my main is on .world. This is very concerning.

[–] henfredemars 10 points 2 years ago (1 children)

As of 2:45 UTC it's still hacked, modified main page to redirect to offensive materials. Discussion claims that other admins are aware of the hack, but the website is still contaminated.

[–] PhoenixRising@kbin.social 2 points 2 years ago

Yup still hacked.

[–] can@sh.itjust.works 4 points 2 years ago (1 children)

Enjoy your stay! Maybe once world is back up and running you can use one of those tools to copy your subscriptions here as a backup.

[–] SimplePhysics@sh.itjust.works 5 points 2 years ago

Thanks for the warm welcome! I have a feeling I'm not going back to .world.

[–] solarzones@programming.dev 8 points 2 years ago* (last edited 2 years ago) (2 children)

I hope everything will be resolved quickly. Saw a post on kbin about it, and I was just about to log in to my .world account and see what's up. ~ Waiting on updates…

[–] henfredemars 20 points 2 years ago

Tbf, I'm surprised this hasn't happened already. The software is not mature and is suddenly being exposed to a huge group of people. There are lots of eyes on it that weren't on the code before, and the big audience makes Lemmy a juicy target.

Other instances should be vigilant in case Lemmy could have an exploit until we know for sure what happened.

[–] faebudo 7 points 2 years ago* (last edited 2 years ago) (1 children)

According to one of the vuln posts, redirect and cookie-stealing code was added as onload JS (can even be seen in a screenshot).

Together with the JWTs that are valid for a year and non-revocable (https://github.com/LemmyNet/lemmy/issues/3364), that means if you logged in or browsed an affected instance while logged in to it, the attacker got your account, and the only way to get it back is not in your hands but in the instance admins' (they have to delete all sessions from the DB).

[–] henfredemars 3 points 2 years ago* (last edited 2 years ago)

Correct. We don't know for sure what the initial injection was, but they did manage to inject, and all the accounts will need their sessions purged, maybe a forced password reset as well.

EDIT: No longer correct -- the injection appears to have been through custom emojis in markdown, see github for details.
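The two comments above describe the failure mode: once a token is stolen through the injected JS, a purely stateless JWT check keeps honouring it until its year-long expiry, and the only remedy is the admins deleting sessions server-side. The Python sketch below is an added illustration, not Lemmy's code: it contrasts a stateless HS256 check with a server-side session table that a purge actually invalidates. The signing key, user id and timestamps are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"  # constructed for the example, not a real key
ONE_YEAR = 365 * 24 * 3600                 # the year-long lifetime the thread complains about

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(user_id: int, now: int, jti: str, ttl: int = ONE_YEAR) -> str:
    """Mint an HS256 token: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl, "jti": jti}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_stateless(token: str, now: int):
    """Signature and expiry only: a stolen token passes until 'exp' and nobody can cut it short."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    return claims if claims["exp"] > now else None

class SessionStore:
    """Server-side set of live session ids: the state that an admin purge actually deletes."""
    def __init__(self):
        self.live = set()

    def login(self, user_id: int, now: int) -> str:
        jti = secrets.token_hex(8)        # unique session id carried inside the token
        self.live.add(jti)
        return issue_jwt(user_id, now, jti)

    def verify(self, token: str, now: int):
        claims = verify_stateless(token, now)
        if claims is None or claims["jti"] not in self.live:
            return None
        return claims

    def purge_all(self) -> None:  # "delete all sessions from the DB"
        self.live.clear()
```

A stolen token is accepted by `verify_stateless` for the full year regardless of what the admins do, while `SessionStore.verify` stops accepting it the moment `purge_all` runs.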

[–] mranderson17 4 points 2 years ago (1 children)

UPDATE 7:17 UTC Root cause was identified a while ago.

Does this mean federation is turned back on? I just tried to comment on a post on lemmy.ml and things appear to still not be syncing.

[–] darvocet 3 points 2 years ago

Yes, my top 1hr feed is empty. We appear to not be syncing.

[–] AndrewZabar@beehaw.org 2 points 2 years ago (1 children)

It is working fine already.

[–] henfredemars 3 points 2 years ago

It appears the page has been exploited again.

[–] sour@kbin.social 1 points 2 years ago
[–] N7x 1 points 2 years ago

Thank you for following up!