If you are a lemmy.world user, log out and log back in to clear cookies!

Last night, lemmy.world was compromised via an XSS vulnerability with custom emoji. Using this vulnerability, attackers took control of an admin account. The site redirected to mp4 files when logged in, and porn sites when not logged in. The issue was resolved by lemmy.world admins soon after it started, but the attacker regained control of the compromised admin account around ten minutes after resolution, redirecting users to the same mp4 files and sites. Soon after that, the site became inaccessable. The issue is currently resolved, and lemmy dev team has been notified of this vulnerability. sh.itjust.works will not be affected, as we do not have any custom emojis. If you own an instance with custom emojis, it is advised to remove these emojis and clear your cookies.

The following is the original post:

PSA: DO NOT ATTEMPT TO ACCESS LEMMY.WORLD, THERE MIGHT BE MALWARE

Lemmy.world member here. I created this account after .world started redirecting me to porn sites and odd mp4 files. We might want to defederate to limit the potential impact. Also, SJW might be affected by the same vulnerabilities as .world, so maybe the admins here should look at that.

Edit: Situation seems to have stabilized. Some site icons aren’t loading, but otherwise everything seems stable. Read Edit2

Edit2: HOLY SHIT ITS BACK Read Edit3

Edit3: lemmy.world is now down as of 10:56 PM CST (USA) Read Edit4

Edit4: lemmy.world is now up, but serving an error as of 11:03 CST (USA) See a screenshot of this error. I also got logged out, hopefully it doesn’t mean they just wiped the databases lol.

Edit5: Edit4 still applies, but I can now access lemmy.world via Memmy on my phone. Wefwef (Voyager now) does not work, however. Timestamp: 11:34 PM CST (USA)

Edit6: lemmy.world restored. Compromised admin account said something in a weird post. I’m going to bed now, my brain is play-dough rn. Will update you guys tomorrow morning.

  • TheDude
    shield
    MA
    link
    fedilink
    English
    arrow-up
    56
    ·
    1 year ago

    The vulnerability appeared to be from a custom emoji that they were running. SJW does not use any custom emoji so we should not be affected. In either case lemmy.world has now been restored and is back online. I’ll keep an extra eye on this instance until the patch gets released shortly.

    • darkstar
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Thanks for the update, we all appreciate it!

    • SimplePhysicsOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Nice! Yeah, seems to be that lemmy.world logo emoji that stole your cookies. There were people compromised accounts posting them everywhere on .world.

    • merc
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Who would have thought an emoji could be a source of a vulnerability.

  • 🍹Early to RISA 🧉
    link
    fedilink
    English
    arrow-up
    67
    arrow-down
    1
    ·
    1 year ago

    Talk about feeling like the old internet. I was wondering how I would get tricked into seeing something gross by some shock-humor edgelord.

    Time to just grab a pint and wait this out. Lol

  • Givesomefucks@reddthat.com
    link
    fedilink
    English
    arrow-up
    59
    arrow-down
    3
    ·
    1 year ago

    What impact?

    As long as you dont go on lemmy.world, it’s not going to redirect you to all the stupid websites.

    And I doubt whatever they’re posting (if they’re posting anything) is getting upvoted, so you won’t see it anywhere else.

    And where are you getting “malware” from?

    People are acting like it’s some crazy hack, and not the 4chan rejects from exploding heads finally guessing an admins password a week after they got defederated. And after all that time chasing the mailman, they had no idea what to do when they guessed it

    But this does highlight an issue with instances. I doubt the handful of admins know each other. Like, maybe an email, but for the most part if shit like this happens during “off hours” it might be a while before the top admin even knows there’s an issue

    • Mic_Check_One_Two@reddthat.com
      link
      fedilink
      English
      arrow-up
      18
      ·
      1 year ago

      Seems like there’s an active cookie-scraping attack going on. Lots of compromised accounts are going around different instances posting links with drive-by JavaScript. The JS tries to grab your current login token, which would give hackers access to your current login session.

      They don’t need your password because they’re just grabbing that cookie that your browser gets when you check the “Keep me logged in” checkbox on login. That’s what allows you to verify your account across multiple sessions, and it allows them to do the exact same thing. They can simply send that authorized token, and “log in” as you. This would (likely) work across instances, because if they grab your cookie then it will give them access to whatever instance your account is logged in on.

      So Lemmy.world will likely need to be completely defederated (to stop any compromised accounts from posting on other instances) and your specific instance will likely need to deauthorize all current login tokens (which will forcibly log everyone on your instance out) to stop any local accounts that got hit.

    • SimplePhysicsOP
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      13
      ·
      1 year ago

      Did you read my post? -I said there might be malware. -I said not to visit lemmy.world -The entire site may be fucking compromised. If you have control the servers, you can change database values to make your post any amount of upvotes you want.

          • hemmes@lemmy.one
            link
            fedilink
            English
            arrow-up
            5
            ·
            1 year ago

            Out of nowhere the instance went down. I believe it was late Saturday morning or so? It was my main instance and nobody has heard from the admin. He was always very enthusiastic and transparent, actively looking for more admins.

            A day or so before it went down, he made a post about having to defederate with another instance due to current violation laws in his server’s country of origin. VLemmy is known for not banning many (if any) instances in favor of moderation, so they take defederation very seriously.

            It looks like he got caught up with some bad content and had to shutdown. Not sure how long but all his tip and donation links have been closed including I believe his GitHub.

    • steakmeoutt
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      2
      ·
      1 year ago

      That’s exactly what happened. And anyone complaining about vote rigging is probably from exploding-heads too.

      • carbon_based
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Possible but on what evidence would one make such a claim?

    • wetnoodle
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      It’s taking out multiple instances, lemmy.blahaj.zone just went down too

    • can
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      There’s an admin matrix chat

      • Givesomefucks@reddthat.com
        link
        fedilink
        English
        arrow-up
        13
        ·
        1 year ago

        And how many people answer that on Sunday night?

        What I’m getting at is a major website has at least a skeleton staff that can do something, even if that’s just pulling the plug.

        I don’t even reply to most work texts after hours unless it’s someone saying they have to use sick leave. I don’t expect people hosting Lemmy as a hobby to be on call 24/7.

        But I hope afterwards they’re transparent about what happened and how they’re going to stop it from happening again. If not, it’s easy to hop instances

        • can
          link
          fedilink
          English
          arrow-up
          12
          ·
          edit-2
          1 year ago

          There’s other admins working on it now. It’s 5am where the owner is.

    • bestdude@kbin.social
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 year ago

      Could I get hacked or compromised or something just by lurking the website? I didn’t notice the Israel stuff until a bit late
      Password was randomly generated like 5f.4_0@3j&j so no common passwords

    • Arotrios@kbin.social
      link
      fedilink
      arrow-up
      14
      ·
      edit-2
      1 year ago

      Confirmed - fucked on my end too. Looks like the 18.1 update had some sort of major vulnerability.

    • SimplePhysicsOP
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      They seem to be down at the moment. I seriously hope SJW is not affected.

  • meldroc
    link
    fedilink
    English
    arrow-up
    29
    ·
    1 year ago

    Looks like the work of some junior edgelord.

  • BitingChaos@kbin.social
    link
    fedilink
    arrow-up
    25
    ·
    1 year ago

    Well, on the bright side of things, I’m able to find out about my main server going down from the dozens of other active instances.

    • SimplePhysicsOP
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      Damn. SJW and .world share the same lemmy source code. Could what is happening to .world happen to SJW? I’d take a dig into the lemmy code, but my brain is literal mush right now, its 11:16 PM here.

      • TWeaK@lemm.ee
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        Potentially. Apparently it’s spreading through comments, not just the sidebar.

  • Ziggurat
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    What’s the impact for other instance users ?

    None ? lemmy.world was down during the night and is fixed this morning that’s it ?

    is there a risk that interaction with lemmy.world are leaked including potential “personal data” ?

    is there a risk that smarter hackers could use the breach to access the DB behind some lemmy instances without anybody noticing it ?

    • SimplePhysicsOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Lemmy.world was defaced last night. As far as I know, there is no DB breach. An XSS vulnerability was abused to steal the cookies of an admin account.

  • ChronicEd@kbin.social
    link
    fedilink
    arrow-up
    8
    arrow-down
    1
    ·
    1 year ago

    About 10:38 pm CST I had just opened it on my browser and it flashed a “Reddit has taken over this site for copyright infringement”. And the icon at the top was changed for Israel with the words about raping a child on it. Definitely something wonky going on, but I haven’t seen any redirects to anything off site. Definitely not going back from my computer (sounds like the app is safe, but only will check for an update).

    • SimplePhysicsOP
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      Yeah, I get that too, minus the Reddit part. However, during the ten minute span where the attack was resolved (then restarted), a mod/admin account reported that it was caused by a compromised admin account, so not Reddit taking over the site via copyright law. They removed the account, but the issue seems to be back now.

      • ChronicEd@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Yeah! Considering being repeatedly attempted (and succeeding)…I’m guessing it may take a little while to deal with.

  • AndreTelevise@kbin.social
    link
    fedilink
    arrow-up
    9
    arrow-down
    3
    ·
    1 year ago

    And I have nowhere to go but Kbin because Beehaw is unstable and I don’t want to open up a fourth account. Accumulating fediverse accounts should be the last thing you do

    • CheshireSnake@iusearchlinux.fyi
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      There are times when it pays to not be updated of what’s going on. This is one of those times. Sorry your eyes had to be subjected to that torture. My first experience with those sites were similar years ago. At work. Lmao fml

  • Sami@lemmy.zip
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    1 year ago

    I’m not seeing anything different with lemmy.world on my end. Can anyone else confirm what OP is seeing?

    Edit: Reading that it was resolved in another thread.

    Second edit: Nope, not resolved

    • SimplePhysicsOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      Visited it again, seems restored. I’ll update the post. See original post

      • Sami@lemmy.zip
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        Yup I saw elsewhere that the compromised admin account was removed.

        • SimplePhysicsOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 year ago

          Edited again, site has been re- compromised. See original post

  • malloc
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Single 🔧 vs Federated ActivityPub instance, who wins

    😂😂

    Side note: glad the lemmy devs and mods able to figure it out and all while doing this part time. Great community yall. Hope to contribute my time as well.