Edit: An RC version of lemmy-ui that fixes this issue for emojis has been released and has been applied to lemmy.zip.
Hello all,
Around 5 hours ago Lemmy.world and lemmy.blahaj.zone experienced a “hack” targeting admin accounts, which then altered the sites and spread spam etc.
Thankfully the attack vector was figured out quite quickly and mitigations were put in place. Sami was very quick to act and defederated us from those instances to prevent their exploit spilling over into our site.
The attack vector is custom emojis, which allowed attackers to exploit weaknesses via cross-site scripting. More info is available here for those interested: https://github.com/LemmyNet/lemmy-ui/issues/1895
This attack gives attackers access to your “session”. They won’t know your password as they did not have access to the database or the server. Attackers would have had access to your user settings page, so they could potentially see your email address.
Lemmy.zip had a custom emoji in place from testing a few weeks ago, so as an extra precaution we’ve reset the secrets table in the database which should have logged everyone out (sorry!). This would prevent attackers still having access to any accounts on our site.
It's important to add that at this stage I don't believe any of our users have been compromised, due to Sami's quick action to defederate and remove the custom emoji once this was known as the attack vector. No accounts on this instance were involved in the posting of spam and none of our admin accounts were compromised either.
If we find out any more information we’ll add it here. We’ll continue to implement all security fixes as they become available.
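The post above describes the problem as custom emojis being abused for cross-site scripting, and the fix as a patched lemmy-ui release. The following is an added illustration of the general defensive principle behind such a fix; it is not lemmy-ui's code and does not reproduce the specific bug in issue 1895. It assumes a hypothetical emoji record with `shortcode`, `image_url` and `alt_text` fields (names chosen for the example) that are admin-entered or arrive via federation and therefore untrusted, and shows a rendering path that concatenates those fields into markup beside one that validates and escapes them.

```javascript
// Added example, not lemmy-ui code. Demonstrates safe vs. unsafe rendering of a
// custom emoji record into HTML. Field names are assumptions for this example.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only http(s) image URLs; anything unparseable or using another
// scheme (javascript:, data:, ...) is rejected rather than rendered.
function safeImageUrl(url) {
  try {
    const parsed = new URL(url);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.href;
    }
  } catch (_) {
    // unparseable URL falls through to rejection
  }
  return null;
}

// Unsafe rendering: untrusted fields are concatenated straight into markup,
// so a quote or angle bracket in any field changes the document structure.
function renderEmojiUnsafe(emoji) {
  return `<img class="emoji" src="${emoji.image_url}" ` +
         `alt="${emoji.alt_text}" title="${emoji.shortcode}">`;
}

// Hardened rendering: shortcode restricted to a small character set, URL
// validated, and every field entity-escaped before it enters an attribute.
function renderEmojiSafe(emoji) {
  if (!/^[a-z0-9_]{1,32}$/i.test(emoji.shortcode)) return '';
  const src = safeImageUrl(emoji.image_url);
  if (!src) return '';
  return `<img class="emoji" src="${escapeHtml(src)}" ` +
         `alt="${escapeHtml(emoji.alt_text)}" title="${escapeHtml(emoji.shortcode)}">`;
}

// A crude detection check for the test below: does the rendered string contain
// any tag other than the single <img> we intended to emit?
function containsUnexpectedTag(html) {
  const tags = html.match(/<[a-z\/][^>]*>/gi) || [];
  return tags.some((t) => !/^<img\b/i.test(t));
}

// Constructed sample records (not real emojis from any instance).
const benignEmoji = {
  shortcode: 'zip',
  image_url: 'https://example.invalid/zip.png',
  alt_text: 'zip logo',
};
const hostileEmoji = {
  shortcode: 'pwn',
  image_url: 'https://example.invalid/x.png',
  alt_text: '"><script>alert(1)</script>',
};

const schemeEmoji = {
  shortcode: 'bad_url',
  image_url: 'javascript:alert(1)',
  alt_text: 'x',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderEmojiUnsafe(hostileEmoji)); // structure broken
  console.log(renderEmojiSafe(hostileEmoji));   // single <img>, payload escaped
  console.log(renderEmojiSafe(schemeEmoji));    // '' (rejected URL)
}
```

The point for operators is that the mitigation lives in the renderer, not in the emoji table: removing a known bad emoji stops one payload, while escaping and URL validation stop the class. Rotating session secrets, as the post describes, is the complementary step that invalidates any session tokens already captured.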
First of all, I too would like to say thanks to Sami for acting quickly.
Second, your post didn’t mention if we’re still defederated from the affected sites. Considering that they’re pretty populated instances, I would hope they’ve already set up their own mitigations for the exploit, but for all I know, they’re still cleaning up. Have we reconnected with them? Or are we waiting to play it safe?
We are not defederated from them anymore. Once the attack vector was discovered and both instances posted to say they were aware and had mitigated the attack, it became clear it was no longer a threat to our instance/users.
Since then a new release candidate version of the lemmy-ui container that specifically fixes this issue has been released and applied here, and lemmy.world has also upgraded to this patched version. The other instance used a custom version anyway and appears down to me, so I assume they're manually patching their instance.
More specifically, the attack only affected users where this code was posted on their own instance and not, for example, users from this instance seeing the code on another instance, because emojis are served differently in the back end depending on whether you're viewing content on your own server or a federated server. So technically we're safe even against unpatched servers, except for seeing lots of spammy posts if it does happen again.