this post was submitted on 10 Jul 2023
486 points (100.0% liked)

Fediverse

17585 readers
129 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 4 years ago
MODERATORS
deadsuperhero@lemmy.ml
wakest@lemmy.ml
486
PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) (lemmy.ml)
submitted 1 year ago* (last edited 1 year ago) by G59@lemmy.ml to c/fediverse@lemmy.ml
245 comments fedilink hide all child comments
 

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?

edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

you are viewing a single comment's thread
view the rest of the comments
[–] Max_P@lemmy.max-p.me 80 points 1 year ago (25 children)

I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.

It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as HTML entity.

lemmy.world appears to be running a git commit that is not public.

[–] tarjeezy@lemmy.ca 8 points 1 year ago (2 children)

Last I saw, they were on 0.18.1, unless a very recent update was installed. Do you happen to have a full list of domains they were redirecting to? Just want to be sure they were only going to "harmless" offensive sites, and not something worse.

[–] Max_P@lemmy.max-p.me 14 points 1 year ago

As for the version, my instance reports it as

0.18.1-2-ga6cc12afe

So it seems to be using some extra patches, but I can't find that commit on GitHub which indicates it might not be public, or cherry-picked locally.

So with this in mind, either it's just innocent performance patches, or someone potentially also introduced the markdown vulnerability.

Although it's also entirely possible I suck and wasn't able to reproduce it correctly/had wrong quoting or something. Hopefully the devs can shine some light in the details.

[–] Max_P@lemmy.max-p.me 14 points 1 year ago (1 children)

Only lemonparty (which then redirects to chaturbate) and the pedo image hosted in the pictrs of lemmy.world itself. I saw no evidence of anything else, as people said, it's a pretty oldschool type of hack to disturb not spread malware.

But I didn't dig that much further than that, and it's only a snapshot of what I gathered before it got fixed. I Ctrl+F "lemonparty" in view source and pasted the JSON in VScode and that's about it. Didn't dig much deeper if that was just a red herring.

[–] tarjeezy@lemmy.ca 11 points 1 year ago

Thanks for digging in and sharing your findings!

load more comments (22 replies)