Edit: An RC version of lemmy-ui has been released that fixes this issue for emojis; it has been applied to lemmy.zip.

Hello all,

Around 5 hours ago Lemmy.world and lemmy.blahaj.zone experienced a “hack” targeting admin accounts, which then altered the sites and spread spam, etc.

Thankfully the attack vector was figured out quite quickly and mitigations were put in place. Sami was very quick to act and defederated us from those instances to prevent their exploit spilling over into our site.

The attack vector is custom emojis, which allowed attackers to exploit weaknesses via cross-site scripting. More info is available here for those interested: https://github.com/LemmyNet/lemmy-ui/issues/1895

This attack gives attackers access to your “session”. They won’t know your password, as they did not have access to the database or the server. Attackers would have had access to your user settings page, so they could potentially see your email address.

Lemmy.zip had a custom emoji in place from testing a few weeks ago, so as an extra precaution we’ve reset the secrets table in the database, which should have logged everyone out (sorry!). This would prevent attackers still having access to any accounts on our site.

It’s important to add that at this stage I don’t believe any of our users have been compromised, due to Sami’s quick action to defederate and remove the custom emoji once this was known as the attack vector. No accounts on this instance were involved in the posting of spam and none of our admin accounts were compromised either.

If we find out any more information we’ll add it here. We’ll continue to implement all security fixes as they become available.
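The emoji bug described above is a stored cross-site scripting issue: text that a custom emoji carries (its image URL and alt text are assumed here as the fields involved) was interpolated into HTML that every visitor’s browser renders, so whatever it contains runs with the viewer’s logged-in session, which is how admin sessions were taken over. The following is an added illustration of that class of bug beside its hardened form, written for this post; it is not lemmy-ui’s code, the function names are hypothetical, and the emoji records and payload are constructed. It runs under Node without a DOM.

```javascript
// Added illustrative example (not lemmy-ui's code). Field names, helper names
// and the emoji records below are constructed for the demonstration.

// Escape everything that can terminate or alter an HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only allow http(s) image sources; javascript:, data: and junk are refused.
function safeImageUrl(url) {
  try {
    const u = new URL(url);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (e) {
    // not a parseable URL
  }
  return null;
}

// VULNERABLE: stored emoji fields dropped straight into markup. Any quote in
// alt_text closes the attribute and lets the author add arbitrary attributes.
function renderEmojiUnsafe(emoji) {
  return `<img class="icon-emoji" src="${emoji.image_url}" alt="${emoji.alt_text}" title="${emoji.alt_text}">`;
}

// HARDENED: every interpolated value is attribute-escaped and the URL is
// validated; an unusable URL falls back to the plain :shortcode: text.
function renderEmojiSafe(emoji) {
  const src = safeImageUrl(emoji.image_url);
  if (!src) return escapeAttr(`:${emoji.shortcode}:`);
  const alt = escapeAttr(emoji.alt_text);
  return `<img class="icon-emoji" src="${escapeAttr(src)}" alt="${alt}" title="${alt}">`;
}

// Minimal attribute scanner used to inspect the rendered markup.
function attributeNames(html) {
  return [...html.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// True if the markup gained an on* event handler attribute (script execution).
function hasEventHandlerAttribute(html) {
  return attributeNames(html).some((n) => n.toLowerCase().startsWith("on"));
}

// Constructed sample emoji records: one benign, one with an XSS payload in
// alt_text, one with a non-http image URL.
const EMOJIS = {
  benign: { shortcode: "lemmy", image_url: "https://example.invalid/lemmy.png", alt_text: "Lemmy" },
  hostile: {
    shortcode: "pwn",
    image_url: "https://example.invalid/x.png",
    alt_text: '" onerror="alert(document.cookie)" x="',
  },
  javascriptUrl: { shortcode: "evil", image_url: "javascript:alert(1)", alt_text: "x" },
};

console.log("unsafe:", renderEmojiUnsafe(EMOJIS.hostile));
console.log("safe:  ", renderEmojiSafe(EMOJIS.hostile));
```

In a real client the rendering should go through the markdown/HTML sanitizer already in the pipeline rather than a hand-written escaper; the point here is that escaping is applied to each value at the attribute boundary and that the URL scheme is checked, since a sanitizer that trusts stored fields is exactly what this class of bug exploits.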

  • win95 · 2 upvotes · 1 year ago

    I keep getting logged out from (Android) apps, is this also until more security fixes become available?

    Great job on being incredibly fast in your actions to protect us and updating us so quickly with clear answers, thank you!

    • Demigodrick (OP, mod, admin) · 5 upvotes · 1 year ago

      There were two events that may have caused log-outs: one when the secrets entry (that secures sessions) was changed, and one when the server was restarted, which pushed that change to everyone logged in to the website UI. I’m not sure how Android apps handle that (I assume each one is probably different) and I have seen a comment saying Jerboa caches things, so it may need logging out and back in manually to reset it.

      Once you’ve logged back in you should stay logged in like previously though.

      I can’t take any credit for anything, I was fast asleep while this all happened. All praise should be directed towards Sami 🙂

      • win95 · 2 upvotes · 1 year ago

        Thanks, I will just wait patiently and try logging out / in, maybe clear the app cache and what not.

        I don’t know how to tag people but thank you Sami, you’re a real one! 🫶