this post was submitted on 10 Jul 2023
3318 points (99.9% liked)

Lemmy.World Announcements

29079 readers
190 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news ๐Ÿ˜

Outages ๐Ÿ”ฅ

https://status.lemmy.world/

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to info@lemmy.world e-mail.

Report contact

Donations ๐Ÿ’—

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Ko-Fi (Donate)

Bunq (Donate)

Open Collective backers and sponsors

Patreon

Join the team

founded 2 years ago
MODERATORS
 

While I was asleep, apparently the site was hacked. Luckily, (big) part of the lemmy.world team is in US, and some early birds in EU also helped mitigate this.

As I am told, this was the issue:

  • There is an vulnerability which was exploited
  • Several people had their JWT cookies leaked, including at least one admin
  • Attackers started changing site settings and posting fake announcements etc

Our mitigations:

  • We removed the vulnerability
  • Deleted all comments and private messages that contained the exploit
  • Rotated JWT secret which invalidated all existing cookies

The vulnerability will be fixed by the Lemmy devs.

Details of the vulnerability are here

Many thanks for all that helped, and sorry for any inconvenience caused!

Update While we believe the admins accounts were what they were after, it could be that other users accounts were compromised. Your cookie could have been 'stolen' and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).

For this, you would have had to be using lemmy.world at that time, and load a page that had the vulnerability in it.

(page 3) 50 comments
sorted by: hot top controversial new old
[โ€“] pascal@lemm.ee 15 points 1 year ago (1 children)

That doesn't surprise me. Especially the "homemade" instances. The documentation is severely lacking and I had to fix lots of stuff in the instructions with try&despair to make my instance run.

There's not a great focus in security if your application starts with "step 1: install docker"

load more comments (1 replies)
[โ€“] cantevencode@lemmy.world 14 points 1 year ago (5 children)

Does an admin account have any permissions to view email addresses or data of registered users?

Did MichelleG not have 2FA enabled?

Now that this has happened, it's be worth pushing this issue through as high priority. If HttpOnly was enabled, then an admin takeover would not have been possible.

https://github.com/LemmyNet/lemmy-ui/issues/1252

load more comments (5 replies)
[โ€“] AlmightySnoo@lemmy.world 13 points 1 year ago (1 children)

One thing I don't get. Custom emojis can only be created by an admin, but you're saying an admin's account here got compromised because of that and not the other way around. Does that mean that an evil instance set a custom emoji with the injected JavaScript and propagated it to the federated instances?

[โ€“] Calyhre@lemmy.world 11 points 1 year ago* (last edited 1 year ago)

From the fix, I believe the custom emojis were not double checked after a user submits a post. The post data was used to display the emojis, and thus allowing injection.

The fix now is to search the emojis in the custom emojis list from the backend rather than the user post.

[โ€“] mintiefresh@lemmy.ca 12 points 1 year ago

Thanks for the great work. The response time was awesome, considering you were asleep as well.

Great lemmies! Thanks for uniting us.

[โ€“] slowcurrent@sh.itjust.works 12 points 1 year ago (1 children)

How do we know you're the real you? This all could be part of the plan!

[โ€“] ruud@lemmy.world 13 points 1 year ago

I'm not even sure myself..

[โ€“] TrickyCamel@lemmy.world 12 points 1 year ago

Thanks for the transparency.

[โ€“] fikran@thebag.social 12 points 1 year ago (2 children)

Ugh, people should not go after systems trying to give a free service to the internet. It just ruins everything.

load more comments (2 replies)
[โ€“] ColleenLawson@lemmy.world 11 points 1 year ago (1 children)

Yah, I noticed my Lemmies auto-corrupted to Lemurs.

I don't care. I'm keeping it.

Lemurs are cute.

load more comments (1 replies)
[โ€“] Tuesdays@lemmy.world 11 points 1 year ago (4 children)

I had to create a new account. I tried enabling 2FA on my main account a week ago, but was never able to generate a token. Now when I try logging in it is asking for my 2FA token. Is there any way to get my account back. I'm a moderator of a community.

load more comments (4 replies)
[โ€“] eluri@lemmy.world 11 points 1 year ago (6 children)

Soo it looks like the entry for this instance was also changed on https://lemmyverse.net/ . At least I hope it is the hack

load more comments (6 replies)
[โ€“] cheeseblintzes@lemmy.world 11 points 1 year ago (1 children)

Once again, thank you guys for all that you do. As many other people are saying, appreciate the transparency about these things.

load more comments (1 replies)
[โ€“] feedum_sneedson@lemmy.world 10 points 1 year ago (11 children)

I can only log in on incognito mode, which makes me think my cookie has been stolen or whatever. So my question is, what should I be doing about that?

load more comments (11 replies)
[โ€“] LeHappStick@lemmy.world 10 points 1 year ago (11 children)

Pardon the ignorance, but how do I know if I was compromised? what do?

load more comments (11 replies)
[โ€“] ulu_mulu@lemmy.world 10 points 1 year ago

Amazing how you quickly reacted to this!! Bravo!!

TIP: if you can't login after what happened, clear out your browser cache including ALL cookies, that fixes it (it did for me at least). I believe it's also advisable to change lemmy password.

[โ€“] iMike@lemmy.world 9 points 1 year ago

Must have been jealous spez

load more comments
view more: โ€น prev next โ€บ