cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

  • Alex(艾利)👽
    link
    fedilink
    English
    471 year ago

    Swear this is the same guy that did the trending community spam a few days ago, he was angry about being banned for squatting on known subreddit names here on Lemmy, even the compromised admin account said something about it in her comments before this happened 🤦‍♂️

    • @[email protected]
      link
      fedilink
      English
      121 year ago

      Time to move from banning to contacting authorities then… spam is one thing. This is criminal.

    • Nepenthe
      link
      fedilink
      111 year ago

      Wait, was that the one that had a community list well into the twenties? Or was that someone else? I don’t think all that stuff reached me, but I did hear about a wannabe powermod like a week and a half ago. Much good that does anyone in a defederated system.

      • Alex(艾利)👽
        link
        fedilink
        English
        12
        edit-2
        1 year ago

        His username at the time was “LMAO” and I think so… he did it again on another Lemmy instance but used a different username that time as well 😂

  • TheSaneWriter
    link
    fedilink
    English
    351 year ago

    Deeply unfortunate that something like this could happen, you always hope that code injection vulnerabilities are found before someone is hacked. With that in mind, this shows the importance of two security principles: always parse and clean user input and don’t click links (including images) before checking where they are going to send you.

    • db2
      link
      fedilink
      English
      171 year ago

      This used an onLoad which isn’t generally shown when you hover over a link in a browser. Most people, even devs, aren’t going to jump on the console to check every link.

      NoScript would probably have helped though.

      • 𝙚𝙧𝙧𝙚
        link
        fedilink
        English
        301 year ago

        What kind of terrible markdown editor allows adding onload scripts to images though… it’s insane.

      • deweydecibel
        link
        fedilink
        English
        161 year ago

        Also doesn’t help when using mobile and there’s no hover over

        • @[email protected]
          link
          fedilink
          English
          41 year ago

          You can usually click and hold on mobile and an popup will appear showing the link (I think) - or you can click and hold and copy the link and paste it somewhere to see where it’s going to go.

  • Aer
    link
    fedilink
    English
    34
    edit-2
    1 year ago

    Some information I have posted to Lemmy.World:

    I am not a super code-literate person so bare with me on this… But. Still please becareful. There appears to be a vulnerability.

    Users are posting images like the following:

    https://imgur.com/a/RS4iAeI

    And inside hidden is JavaScript code that when executed can take cookie information and send it to a URL address.

    Among other things. At this time if you see an image please click the icon circled before clicking the link. DO NOT CLICK THE IMAGE. If you see anything suspicious, please report it immediately. It is better a false report than a missed one.

    I have seen multiple posts by these people during the attack. It is most certainly related to JS.

    • 𝙚𝙧𝙧𝙚
      link
      fedilink
      English
      19
      edit-2
      1 year ago

      If it’s onload then simply viewing the image runs that script. Yikes.

      • Aer
        link
        fedilink
        English
        141 year ago

        That’s even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAP… Also if that code actually works, I am going to have to secure my account.

        • 𝙚𝙧𝙧𝙚
          link
          fedilink
          English
          15
          edit-2
          1 year ago

          I’d wager you’re likely fine if you’re using a mobile app when the affected image loads. Also, it appears they’re stealing auth tokens… not passwords or anything. At worst they could impersonate you until your token expires… but you’re not a high value target unless you’re an admin of an instance.

          • Aer
            link
            fedilink
            English
            121 year ago

            I used Firefox… So I definitely reset my password. Thing is I do not see an option for Lemmy where you can “sign out everywhere” which is the counter to Auth token stealing.

            So I had to change it so that the Auth token would expire. Whilst I am not an admin I won’t take the chance. It could compromise other users and I do not want to take that risk.

          • @[email protected]
            link
            fedilink
            English
            5
            edit-2
            1 year ago

            the thing is right now lemmy by defaultNEVER expires the tokens… oops. Right now servers are manually expiring all their user’s tokens by changing the secret in the database because of this attack.

    • @[email protected]
      link
      fedilink
      English
      31 year ago

      lmao I’m so stupid I pressed on that image and now my account is compromised. oh well it forced to create another and this is my first hack yayyyyy!

      • Aer
        link
        fedilink
        English
        91 year ago

        Clicking the image isn’t the issue, scrolling by it will nab your Auth tokens. Resetting your password will reset the Auth tokens protecting your account. A sign out everywhere button would fix it but that isn’t an option yet. It really needs to be.

    • @[email protected]
      link
      fedilink
      English
      -91 year ago

      Wtf how is this even possible? Are the Lemmy devs smoking crack? If you’re going to run a reddit alternative, it may be wise to sanitize the fuck out of everything posted on there.

      • r00ty
        link
        fedilink
        211 year ago

        Please feel free to perform a full security audit.

        • @[email protected]
          link
          fedilink
          English
          61 year ago

          Not really helpful though is it? It’s like going to a friend’s house and asking why there is a sink hole in the middle of the floor that everyone is walking around, and they say “feel free get a hammer out”.

          • @[email protected]
            link
            fedilink
            English
            31 year ago

            It’s more like when everyone is looking at the previously unknown hole and discussing how to patch it up and you start yelling how it is unacceptable as your friend’s house is a “bar alternative”

            • @[email protected]
              link
              fedilink
              English
              11 year ago

              Honestly I think you’re all right. This is such a basic vulnerability it should never existed… AND I told you so’s and bitching don’t help.

      • jherazob
        link
        fedilink
        5
        edit-2
        1 year ago

        Little Bobby Tables strikes again

        Now seriously, people forget that Lemmy is alpha software, and Kbin is even younger

      • HobbitFoot
        link
        fedilink
        English
        21 year ago

        People have said the platform is years old, but it didn’t really get tested until June. I wouldn’t be surprised if more issues like this are found.

      • PupBiru
        link
        fedilink
        11 year ago

        the threadiverse wasn’t exactly popular until the reddit exodus

        id probably flip it: are lemmy users smoking crack? if you’re going to run to a reddit alternative, it’d be wise not to choose alpha software!

  • db2
    link
    fedilink
    English
    281 year ago

    Script kiddies. insert eyeroll emoji here

  • @[email protected]
    link
    fedilink
    English
    151 year ago

    Hey everyone, this exploit was present in the custom emoji feature of Lemmy. Because lemdro.id does not use custom emojis, we are not vulnerable at this time.

  • NotAFuckingBot
    link
    fedilink
    English
    12
    edit-2
    1 year ago

    When I wanted to do some lemmying earlier, the LemmyWorld logo said ‘Israel’, and when I put my cursor over it, it said 'N***a Style. Then when I clicked the logo (stupid me, no doubt), it redirected me to a pic of some dude with a cigar, with the caption (iirc) “I r * pe kids in the woods”. I did a virus scan which came up clear. Dunno what else to do when shit like that happens, as I am not the brightest bulb in the chandelier.

    • tal
      link
      fedilink
      6
      edit-2
      1 year ago

      I have not seen any notice as to how either users or admins should mitigate the problem so far. Obviously, admins should update once a new release is out, but beyond that…

      From an end-user standpoint, I would guess – I have not looked at the code and have not been working on the security hole – the following:

      • This basically allows the attacker to masquerade as a currently-logged-in user who has viewed their link.

      • Viewing content on a lemmy server while logged in as an admin right now is probably a particularly bad idea.

      • I don’t know what the full impact is for a regular user account, but it’s probably possible for at minimum posts to be deleted, and posts to be made as someone. In kbin, my account shows my email address, so if lemmy does the same, it would be possible to link an email account used for registration with a username. If you used a throw-away email account that is publicly-accessible – as I did – that could allow for full account compromise.

      • Viewing content while not logged in is probably safe – maybe they can make Javascript run from a link, but without you being logged in, there isn’t anything interesting that the attacker can do. If I were going to be viewing content on lemmy servers right now, and okay with being limited to lurking, I might do that for a few days until the issue is resolved and lemmy servers update.

      • I don’t know if kbin is vulnerable. It didn’t accept the URL given in the bug as an example of a malicious URL when I tested submitting one, but it’s possible that it trusts URLs coming from federated servers, which I did not check.

  • @[email protected]
    link
    fedilink
    English
    9
    edit-2
    1 year ago

    Did this result in Lemmy.world being defederated from Lemdro.id?

    Lemmy.world is back up and the hack is over, but when I view [email protected] using my lemmy.world account I can’t see anything.

    EDIT: In case anyone else is having this problem, the issue was my language settings. Despite having “Undetermined” set as a language, that was the problem - I clicked the little “X” to unselect all languages and then saved, and now it’s working again.

  • TheSaneWriter
    link
    fedilink
    English
    91 year ago

    Deeply unfortunate that something like this could happen, you always hope that code injection vulnerabilities are found before someone is hacked. With that in mind, this shows the importance of two security principles: always parse and clean user input and don’t click links (including images) before checking where they are going to send you.

    • Dioxy
      link
      fedilink
      English
      71 year ago

      It’s worse than that. Until Lemmy is more mature, I would reccomend using the lite version of Lemmy, the JS-free version, for sake of client side security. Alternatively, or as an added point of security, the front-ends themselves should implement more sanitazion themselves. I’m willing to spend some free time vulnerability testing, but I would need a dedicated sand-box for that.

      • r00ty
        link
        fedilink
        41 year ago

        The ansible method of setting up a lemmy instance generally “just works”. I set one up for federation tests with kbin recently.

  • ElectronSoup
    link
    fedilink
    51 year ago

    beehaw isn’t down, just very slow, which is it’s normal state of being if we’re being honest

  • sgtlighttree
    link
    fedilink
    21 year ago

    I don’t see any weird content, but I couldn’t log in. There’s a notification at the bottom that says “logged in” but I’m still blinded by light mode.

    • @[email protected]
      link
      fedilink
      English
      21 year ago

      If they changed their server token, which they would have done to reduce the chances of the hackers reusing the same account tokens, you need to refresh your browser cache/cookies.

      On desktop, you can do this by hitting CTRL-SHIFT-R, and on mobile, you probably just have to sign out and sign back in again.

  • Banana
    link
    fedilink
    -6
    edit-2
    1 year ago

    In all seriousness, no one is talking about this, but this is the one disadvantage of open source software being developed by volunteers, we don’t know exactly how the admin accounts were hacked but the XSS stuff is really basic stuff, none of those fields were sanatised at all, and it makes me concerned what else has been missed, obviously the advantage of open source is in time this stuff can get fixed, but this is what happens when loads of people who aren’t experts contribute to a site.

    In comparison to sites where there is a fully hired developer team the quality of the code is significantly better. I really hope the passwords were hashed on these instances and the hackers didn’t get plain text passwords or anything really bad like this.

    One thing and credit to Ernest, as I’ve contributed there he does very thorough code reviews and his quality of code is very good, its why im confident kbin won’t be hacked.

    • @[email protected]
      link
      fedilink
      191 year ago

      I think you’ve never worked in software, or even used software, if you think paid close source apps don’t have issues like this. They can be worse because they’re written by interns and no one there actually cares, they just want their paycheck

      • Avid Amoeba
        link
        fedilink
        2
        edit-2
        1 year ago

        I concur that the security behind closed doors I’ve seen is often non-existent. The incentives are typically stacked against security.

      • Banana
        link
        fedilink
        11 year ago

        I work at the biggest software company in the world.
        Sure there is projects with security flaws, but at the company I work, there is zero tolerance to big security flaws in the code, we have many automated checks, as-well as manual checks.

    • PupBiru
      link
      fedilink
      61 year ago

      yes and no: there are a couple of schools of thought!

      of course, code by a lot of people without proper review is… risky

      however, at least it’s able to be reviewed! and in time and with enough eyeballs, hopefully that code will become far more robust. that’s the benefit of transparency: anyone can review any line at any time!

      remember: closed-source code as plenty of vulnerabilities too! just if we can’t review it, it’s much harder to work out what they might be… often, closed source vulnerabilities can exist for years without the vendor ever patching them because nobody is calling them out on it… hell, they can even know that their software is actively being exploited and just… not tell anyone

    • @jcgA
      link
      41 year ago

      The two main Devs of Lemmy do this full time. They’re not hired in a traditional sense, but the project is funded enough for them both to work on it as their full time job. Now, this isn’t a problem with open source, I’m a professional software Dev and you would not BELIEVE how many enterprise, proprietary systems are still doing things like building SQL statements by directly concatening strings that come from user input (especially in enterprise software cause, well, who’s gonna fuck around with it?). No, this is a problem of having this many eyeballs on you. The tiny little places they slipped up and didn’t properly sanitize a user input string was found and exploited. Most proprietary systems do NOT reach this level of user count, and in particular Lemmy attracts a certain more tech-savvy demographic that would’ve found this sooner or later, malicious or not. Remember, this vulnerability was not just found, somebody was looking for it.

  • mutant
    link
    fedilink
    -411 year ago

    I think it’s hilarious that Reddit protesters were redirected to NSFW content, karma is coming around lmfao

    • XiELEd
      link
      fedilink
      21
      edit-2
      1 year ago

      What karma? Spez started it by being a liar 🤷‍♂️ so I say it is natural that people stop supporting him.

      • @[email protected]
        link
        fedilink
        121 year ago

        Dude’s got 44 comments and every single one is a complaint about the reddit protest or protestors. Might just be spez himself lol

    • Dio
      link
      fedilink
      81 year ago

      I can sense tears and hurt through your, “lmfao”