Edit: An RC version of lemmy-ui has been released that fixes this issue for emojis, and it has been applied to lemmy.zip.

Hello all,

Around 5 hours ago Lemmy.world and lemmy.blahaj.zone experienced a “hack” targeting admin accounts, which then altered the sites and spread spam etc.

Thankfully the attack vector was figured out quite quickly and mitigations were put in place. Sami was very quick to act and defederated us from those instances to prevent their exploit spilling over into our site.

The attack vector is custom emojis, which allowed attackers to exploit weaknesses via cross-site scripting (XSS). More info is available here for those interested: https://github.com/LemmyNet/lemmy-ui/issues/1895

This attack gives attackers access to your “session”. They won’t know your password as they did not have access to the database or the server. Attackers would have had access to your user settings page, so they could potentially see your email address.

Lemmy.zip had a custom emoji in place from testing a few weeks ago, so as an extra precaution we’ve reset the secrets table in the database which should have logged everyone out (sorry!). This would prevent attackers still having access to any accounts on our site.

It's important to add that at this stage I don't believe any of our users have been compromised, due to Sami's quick action to defederate and remove the custom emoji once this was known as the attack vector. No accounts on this instance were involved in the posting of spam and none of our admin accounts were compromised either.

If we find out any more information we’ll add it here. We’ll continue to implement all security fixes as they become available.

  • ptmb · 1 year ago

    Thank you for the hard work! It has been great to see the dedication, transparency and communication that you’ve been pouring into this instance, it really is appreciated!