A community dedicated to fediverse news and discussion.
Fediverse is a portmanteau of "federation" and "universe".
Getting started on Fediverse;
Main instance hacked? Time to use an alt!
The first hack is a rite of passage for every site that gets big. It means we've been recognized!
Luckily, this seems to be a standard troll (with some tech knowledge) - they've defaced the site and put redirects to shock sites, rather than injecting actual malware or quietly collecting everyone's passwords. This could be much worse.
GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files
If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin's JWT, which then lets the attacker get into that admin's account which can then spread the exploit further by putting it somewhere where it's rendered on every single page and then deface the site.
If your instance doesn't have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.
But won't custom emojis from remote instances still trigger the exploit?
I see a new lemmy-ui docker image has been pushed an hour ago, tagged 0.18.2-rc.1. Anyone know if it fixed the issue?
Edit: yep, it's fixed: https://github.com/LemmyNet/lemmy-ui/commit/e80bcf53acb8ce25ed5ef6b7eb16b90f0b07e8f1
I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.
It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as HTML entity.
lemmy.world appears to be running a git commit that is not public.
It does look like most instances will be vulnerable judging by the fix. It's not custom code; it's in lemmy-ui proper.
I actually consider it good news that the redirection is happening this way (something that can be done just by having the lemmy credentials of an admin) vs something indicating they have access to the server itself.
Yep, same. It was also the most likely scenario.
It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.
The JWT are likely a hot issue, already some Issues on GitHub about them not being revoked properly.
For those not aware, the beehaw server did intentionally shut their instance down to avoid any issues.
See announcement here: https://hachyderm.io/@beehaw/110687918465426082
lemmy.world was briefly back to normal and there had been a post saying that everything was fine now - it's not.
The site has just started doing the same thing again.
Please do not try using lemmy.world for the time being.
i just got logged out of my account from Jerboa and can't login anymore. my is completely wiped from my app now.
edit: okay seems the admins have taken down lemmy.world and thats probably why it happend in the app. but its weird that it just wipes the login and data of the instance in the app.. weird.
My self hosted instance has hiccups sometimes and Jerboa just doesn't handle it super well. You can swipe away the app and reopen once the server is back and it should come right back up.
Jerboa tries to log in with session info passed to the server, if the server doesn't respond properly then it just calls you Anonymous, because it can't acquire your username and info. That's probably what's happening.
Looks like this thread is getting mass downvoted by bots btw
Being a part of Lemmy in these early days has been kind of interesting, seeing all of the bugs and bits that will be ironed out over time. One day when Lemmy is as old as Reddit it will all be folklore. Maybe.
This'll definitely be remembered. It's good for us, we needed the wakeup call.
Yea, I switched to this alt. It appears to be one of the assistant admins accts. Seems like an old fashioned anon prank, to me, they're mainly just trying to make stuff offensive and redirect people to lemonparty.
So, y'know, old school.
I don't know if any data is actually in danger, but I doubt it. I don't see why assistant admins would need access to it.
All the bean memes are in danger! On a serious note, old-skool or not, it's a huge loss of trust in something the community-at-large is excited to see replace reddit.
Par for the course. This system will never be immune to things like that. That's part of what happens when you decentralize your power. Instead of a single target that can be made highly secure, you have a distributed array of targets.
People should certainly be engaging on here with full awareness of the reality of the Fediverse, not expecting reddit 2.0. We never will be able to offer exactly what they did. We'll be naturally worse in some areas and naturally better in others.
This is why I'm glad I made redundant accounts on multiple instances. When there are problems on lemmy.world, I can just hop on over to another. That's never been an option with Reddit.
Now if there was only a way to export or sync user settings like subscriptions, it would be perfect.
There's actually another thread on exactly this topic: https://lemmy.ml/post/1875767
On the other hand, look at where we are. This is proof that one hack can't take down Lemmy.
idk, im surprised it took this long. there's a huge variety of admin teams with varying degrees of security awareness and it's been over a month since the first big influx of users started. it'll happen again too and probably not before too long
In the 3 years Hexbear has been around it has been attacked A LOT because obviously far right chuds have an interest in messing with leftists but has not to my knowledge had an admin breach. At one point image embeds were completely disabled because they were handing over data they shouldn't though and risked exposing people to doxxing.
My concern is that configuring the site to automatically redirect users sounds like they have pretty large control over the site - the kind of control that I would assume is usually limited to users with root access on the server.
Obviously hope nothing of value is lost and that there is a proper off-site backup of the content.
Edit: See Max-P's comment, it looks like the site redirection was accomplished in a way that IMO suggests they do NOT have full control over the site. We'll obviously have to wait for the full debrief from the admins.
lemmy.blahaj.zone got hacked too, looks like the same people
They also changed the allowed/blocked instances to allow threads.net and defederate lemmy.ml, just like they did on lemmy.world: https://lemmy.blahaj.zone/instances
Huh... so this probably is more sophisticated than a single acct breach then. Lovely.
Yeah, I'd recommend any server admin that doesn't have 2FA turn it on ASAP until we know what their exploiting
Looks like the accounts were compromised by stealing their cookie - something 2FA can't stop.
Still should have it on, though.
we did it Reddit! /s
I saw this and laughed. Yes, that's definitely how copyright works.
Don't know if this will be relevant at all, but I'm almost hoping this will force Lemmy devs to abandon the obscure markdown crate they use for pulldown-cmark.
Using an obscure markdown implementation just because it supports spoiler tags always sounded like a silly decision to me!
Hmmm. Don’t know what the fall out of this will be. But a lot of lemmy is on that server. Unfortunately. Maybe we’ll learn a lesson in the value of decentralisation.
Ruud also runs mastodon.world, FYI.
This is why it makes sense for communities to not all pile into one instance, it gives one instance admin too much power and responsibility over everything.
The "Hot" sort topic:
How did it happen and what does this mean for me as a user of lemmy.ml who also follows people on lemmy.world?
One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.
Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.
Not a whole lot - you might see some spam being federated from lemmy.world but I'd expect the lemmy.ml and lemmy.world admins will fix it, and them clean it up.
That's probably good stress test to figure out how to handle that.
Time to make an alt! Been thinking about switching instances anyway, so this is a nice test. Hope the situation gets resolved soon.