this post was submitted on 10 Jul 2023
173 points (98.9% liked)

Fediverse

17534 readers
27 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 4 years ago
MODERATORS
[email protected]
[email protected]
173
PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) (lemmy.ml)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
160 comments fedilink hide all child comments
 

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?

edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 42 points 1 year ago (3 children)

GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin's JWT, which then lets the attacker get into that admin's account which can then spread the exploit further by putting it somewhere where it's rendered on every single page and then deface the site.

If your instance doesn't have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.

[–] [email protected] 5 points 1 year ago (2 children)

But won't custom emojis from remote instances still trigger the exploit?

[–] CMahaff 4 points 1 year ago

Apparently not per the post-hack report: https://lemmy.ml/post/1901079

[–] [email protected] -1 points 1 year ago

Apparently the custom emojis are rendered as static images when federated to outside instances so it's clean.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

I see a new lemmy-ui docker image has been pushed an hour ago, tagged 0.18.2-rc.1. Anyone know if it fixed the issue?

Edit: yep, it's fixed: https://github.com/LemmyNet/lemmy-ui/commit/e80bcf53acb8ce25ed5ef6b7eb16b90f0b07e8f1

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

I'm not particularly familiar with XSS but I'm curious how a frontend exploit can compromise an instance?

Presumably the injected XSS stores the admin's JWT somewhere for the exploiter?

Then using that JWT they can effectively login as the admin which gives them access to whatever admin dashboard there is, but does that actually compromise the backend at all?

edit: for anyone curious there's a bit of a breakdown of how it works here: https://feddit.win/comment/244427

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)
  1. Inject exploit into a comment using custom emoji.
  2. Front-end parses the emoji incorrectly allowing JavaScript to be injected.
  3. JavaScript loads for everyone to views a page with the comment and sends their token and account type to the hackers domain.
  4. Hacker parses received tokens for admins and uses that to inject redirects into the front page of the Lemmy instance.

To answer your other questions:

  • IMO there probably should be better parsing to remove this stuff from the back-end, so I'm not sure the front-end solution is the complete solution, but it should get things largely under control.
  • Back-end is theoretically not compromised besides needing to purge all the rogue comments. Attacker presumably never had access to the server itself.
  • Probably needs to be a mass reset of ALL passwords since lots of people's tokens were sent during the attack, so their accounts could be compromised.