If you are a lemmy.world user, log out and log back in to clear cookies!
Last night, lemmy.world was compromised via an XSS vulnerability with custom emoji. Using this vulnerability, attackers took control of an admin account. The site redirected to mp4 files when logged in, and porn sites when not logged in. The issue was resolved by lemmy.world admins soon after it started, but the attacker regained control of the compromised admin account around ten minutes after resolution, redirecting users to the same mp4 files and sites. Soon after that, the site became inaccessable. The issue is currently resolved, and lemmy dev team has been notified of this vulnerability. sh.itjust.works will not be affected, as we do not have any custom emojis. If you own an instance with custom emojis, it is advised to remove these emojis and clear your cookies.
The following is the original post:
PSA: DO NOT ATTEMPT TO ACCESS LEMMY.WORLD, THERE MIGHT BE MALWARE
Lemmy.world member here. I created this account after .world started redirecting me to porn sites and odd mp4 files. We might want to defederate to limit the potential impact. Also, SJW might be affected by the same vulnerabilities as .world, so maybe the admins here should look at that.
Edit: ~~Situation seems to have stabilized. Some site icons aren't loading, but otherwise everything seems stable.~~ Read Edit2
Edit2: ~~HOLY SHIT ITS BACK~~ Read Edit3
Edit3: ~~lemmy.world is now down as of 10:56 PM CST (USA)~~ Read Edit4
Edit4: lemmy.world is now up, but serving an error as of 11:03 CST (USA) See a screenshot of this error. I also got logged out, hopefully it doesn't mean they just wiped the databases lol.
Edit5: Edit4 still applies, but I can now access lemmy.world via Memmy on my phone. Wefwef (Voyager now) does not work, however. Timestamp: 11:34 PM CST (USA)
Edit6: lemmy.world restored. Compromised admin account said something in a weird post. I'm going to bed now, my brain is play-dough rn. Will update you guys tomorrow morning.
What impact?
As long as you dont go on lemmy.world, it's not going to redirect you to all the stupid websites.
And I doubt whatever they're posting (if they're posting anything) is getting upvoted, so you won't see it anywhere else.
And where are you getting "malware" from?
People are acting like it's some crazy hack, and not the 4chan rejects from exploding heads finally guessing an admins password a week after they got defederated. And after all that time chasing the mailman, they had no idea what to do when they guessed it
But this does highlight an issue with instances. I doubt the handful of admins know each other. Like, maybe an email, but for the most part if shit like this happens during "off hours" it might be a while before the top admin even knows there's an issue
There's an admin matrix chat
And how many people answer that on Sunday night?
What I'm getting at is a major website has at least a skeleton staff that can do something, even if that's just pulling the plug.
I don't even reply to most work texts after hours unless it's someone saying they have to use sick leave. I don't expect people hosting Lemmy as a hobby to be on call 24/7.
But I hope afterwards they're transparent about what happened and how they're going to stop it from happening again. If not, it's easy to hop instances
There's other admins working on it now. It's 5am where the owner is.
Instance name checks out