Edit: RC version of lemmy-ui has been released to fix this issue for emojis, which has been applied to lemmy.zip.

Hello all,

Around 5 hours ago Lemmy.world and lemmy.blahaj.zone experienced a “hack” targeting admin accounts, which then altered the sites and spread spam etc.

Thankfully the attack vector was figured out quite quickly and mitigations were put in place. Sami was very quick to act and defederated us from those instances to prevent their exploit spilling over into our site.

The attack vector is custom emojis, which allowed attackers to exploit weaknesses via cross site scripting. More info is available here for those interested: https://github.com/LemmyNet/lemmy-ui/issues/1895

This attack gives attackers access to your “session”. They won’t know your password as they did not have access to the database or the server. Attackers would have had access to your user settings page, so they could potentially see your email address.

Lemmy.zip had a custom emoji in place from testing a few weeks ago, so as an extra precaution we’ve reset the secrets table in the database which should have logged everyone out (sorry!). This would prevent attackers still having access to any accounts on our site.

Its important to add that at this stage I don’t believe any of our users have been compromised, due to Sami’s quick action to defederate and remove the custom emoji once this was known as the attack vector. No accounts on this instance were involved in the posting of spam and none of our admin accounts were compromised either.

If we find out any more information we’ll add it here. We’ll continue to implement all security fixes as they become available.

  • hultage
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Thanks for your hard work. Appreciate how communicative and active the admins here are.

  • Firestorm Druid
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Now that explains why I haven’t been able to comment or upvote anything. Thanks for the info!

  • ptmb
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Thank you for the hard work! It has been great to see the dedication, transparency and communication that you’ve been pouring into this instance, it really is appreciated!

  • AdmiralRob
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    First of all, I too would like to say thanks to Sami for acting quickly.

    Second, your post didn’t mention if we’re still defederated from the affected sites. Considering that they’re pretty populated instances, I would hope they’ve already set up their own mitigations for the exploit, but for all I know, they’re still cleaning up. Have we reconnected with them? Or are we waiting to play it safe?

    • Demigodrick
      shield
      OPMA
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      1 year ago

      We are not defederated from them anymore. Once the attack vector was discovered and both instances posted to say they were aware and had mitigated the attack, it became clear it was no longer a thread to our instance/users.

      Since then a new release candidate version of the lemmy-ui container that specifically fixes this issue has been released and applied here, and lemmy.world has also upgraded to this patched version. The other instance used a custom version anyway and appears down to me so assume they’re manually patching their instance.

      More specifically, the attack only affected users where this code was posted on their own instance and not, for example, users from this instance seeing the code on another instance, because emojis are served differently in the back end depending if you’re viewing content on your own server or a federated server. So technically we’re safe even against unpatched servers, except for seeing lots of spammy posts if it does happen again.

  • win95
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I keep getting logged out from (android) apps, is this also until more security fixes become available?

    Great job on being incredibly fast in your actions to protect us and updating us so quickly with clear answers, thank you!

    • DemigodrickOPMA
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      There were two events that may have caused log-outs, one when the secrets entry (that secures sessions) was changed, and one when the server was restarted which pushed that change to everyone logged in to the website ui. I’m not sure how android apps handle that (i assume each one is probably different) and I have seen a comment to say Jerboa caches things so may need logging out and back in manually to reset it.

      Once you’ve logged back in you should stay logged in like previously though.

      I can’t take any credit for anything, I was fast asleep while this all happened. All praise should be directed towards Sami 🙂

      • win95
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Thanks, I will just wait patiently and try logging out / in, maybe clear the app cache and what not.

        I don’t know how to tag people but thank you Sami, you’re a real one! 🫶