this post was submitted on 10 Jul 2023
392 points (99.2% liked)

Fediverse

17779 readers
75 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS
 

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

top 50 comments
sorted by: hot top controversial new old
[–] Candelestine@lemmy.ca 70 points 1 year ago (3 children)

Yea, I switched to this alt. It appears to be one of the assistant admins accts. Seems like an old fashioned anon prank, to me, they're mainly just trying to make stuff offensive and redirect people to lemonparty.

So, y'know, old school.

I don't know if any data is actually in danger, but I doubt it. I don't see why assistant admins would need access to it.

[–] hawkwind@lemmy.management 41 points 1 year ago (3 children)

All the bean memes are in danger! On a serious note, old-skool or not, it's a huge loss of trust in something the community-at-large is excited to see replace reddit.

[–] Candelestine@lemmy.ca 60 points 1 year ago (2 children)

Par for the course. This system will never be immune to things like that. That's part of what happens when you decentralize your power. Instead of a single target that can be made highly secure, you have a distributed array of targets.

People should certainly be engaging on here with full awareness of the reality of the Fediverse, not expecting reddit 2.0. We never will be able to offer exactly what they did. We'll be naturally worse in some areas and naturally better in others.

[–] Philolurker@lemm.ee 20 points 1 year ago (1 children)

This is why I'm glad I made redundant accounts on multiple instances. When there are problems on lemmy.world, I can just hop on over to another. That's never been an option with Reddit.

Now if there was only a way to export or sync user settings like subscriptions, it would be perfect.

[–] CMahaff@lemmy.ml 11 points 1 year ago (2 children)

There's actually another thread on exactly this topic: https://lemmy.ml/post/1875767

load more comments (2 replies)
[–] hawkwind@lemmy.management 13 points 1 year ago

That's fair. I shouldn't have said "replace reddit."

[–] henfredemars@infosec.pub 17 points 1 year ago (1 children)

On the other hand, look at where we are. This is proof that one hack can't take down Lemmy.

[–] hawkwind@lemmy.management 9 points 1 year ago (1 children)

True that. If you look at posts on lemmy.world though, it's clear their users (which is like 50% of Lemmy) have zero clue they're defederated ATM, and probably many that don't know it's compromised.

load more comments (1 replies)
load more comments (1 replies)
[–] CMahaff@lemmy.ml 20 points 1 year ago* (last edited 1 year ago) (3 children)

My concern is that configuring the site to automatically redirect users sounds like they have pretty large control over the site - the kind of control that I would assume is usually limited to users with root access on the server.

Obviously hope nothing of value is lost and that there is a proper off-site backup of the content.

Edit: See Max-P's comment, it looks like the site redirection was accomplished in a way that IMO suggests they do NOT have full control over the site. We'll obviously have to wait for the full debrief from the admins.

load more comments (3 replies)
load more comments (1 replies)
[–] TheGreatFox@lemmy.dbzer0.com 69 points 1 year ago

Main instance hacked? Time to use an alt!

The first hack is a rite of passage for every site that gets big. It means we've been recognized!

Luckily, this seems to be a standard troll (with some tech knowledge) - they've defaced the site and put redirects to shock sites, rather than injecting actual malware or quietly collecting everyone's passwords. This could be much worse.

[–] Max_P@lemmy.max-p.me 67 points 1 year ago (8 children)

I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.

It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as HTML entity.

lemmy.world appears to be running a git commit that is not public.

[–] CMahaff@lemmy.ml 30 points 1 year ago (2 children)

I actually consider it good news that the redirection is happening this way (something that can be done just by having the lemmy credentials of an admin) vs something indicating they have access to the server itself.

load more comments (2 replies)
[–] andrew@lemmy.stuart.fun 13 points 1 year ago

It does look like most instances will be vulnerable judging by the fix. It's not custom code; it's in lemmy-ui proper.

https://github.com/LemmyNet/lemmy-ui/pull/1897/files

[–] redcalcium@c.calciumlabs.com 9 points 1 year ago (1 children)

It seems the database and the server itself is not compromised? Just an admin account that used to post a markdown XSS exploit?

[–] Max_P@lemmy.max-p.me 15 points 1 year ago (2 children)

Pretty much, and it's not even XSS (it's not cross-site), it's just plain basic HTML injection breaking out of Markdown. At least as far as I was able to find.

load more comments (2 replies)
load more comments (5 replies)
[–] bigben111@lemmy.ml 54 points 1 year ago (2 children)

How did it happen and what does this mean for me as a user of lemmy.ml who also follows people on lemmy.world?

[–] Stovetop@lemmy.ml 65 points 1 year ago (4 children)

One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

[–] hawkwind@lemmy.management 27 points 1 year ago (3 children)

I wouldn't assume reasons why or that it's fixed until that consensus has been more widely reached.

load more comments (3 replies)
[–] eerongal@ttrpg.network 13 points 1 year ago (14 children)

Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it....

load more comments (14 replies)
load more comments (2 replies)
[–] Max_P@lemmy.max-p.me 20 points 1 year ago (1 children)

Not a whole lot - you might see some spam being federated from lemmy.world but I'd expect the lemmy.ml and lemmy.world admins will fix it, and them clean it up.

That's probably good stress test to figure out how to handle that.

load more comments (1 replies)
[–] 001100010010@lemmy.dbzer0.com 47 points 1 year ago

God damn, spez-funded hacker groups already is trying to disrupt the resistance.

[–] Max_P@lemmy.max-p.me 36 points 1 year ago (4 children)

GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin's JWT, which then lets the attacker get into that admin's account which can then spread the exploit further by putting it somewhere where it's rendered on every single page and then deface the site.

If your instance doesn't have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.

load more comments (4 replies)
[–] upt@lemmy.ml 36 points 1 year ago (1 children)

Being a part of Lemmy in these early days has been kind of interesting, seeing all of the bugs and bits that will be ironed out over time. One day when Lemmy is as old as Reddit it will all be folklore. Maybe.

[–] Candelestine@lemmy.ca 16 points 1 year ago

This'll definitely be remembered. It's good for us, we needed the wakeup call.

[–] bootyberrypancakes@lemmywinks.xyz 32 points 1 year ago* (last edited 1 year ago) (3 children)

lemmy.blahaj.zone got hacked too, looks like the same people

https://lemmywinks.xyz/post/320087

[–] james@lurk.fun 25 points 1 year ago

They also changed the allowed/blocked instances to allow threads.net and defederate lemmy.ml, just like they did on lemmy.world: https://lemmy.blahaj.zone/instances

[–] Candelestine@lemmy.ca 20 points 1 year ago (1 children)

Huh... so this probably is more sophisticated than a single acct breach then. Lovely.

[–] bootyberrypancakes@lemmywinks.xyz 16 points 1 year ago (1 children)

Yeah, I'd recommend any server admin that doesn't have 2FA turn it on ASAP until we know what their exploiting

[–] bdonvr@thelemmy.club 9 points 1 year ago

Looks like the accounts were compromised by stealing their cookie - something 2FA can't stop.

Still should have it on, though.

blahaj admins are aware and have the site down with a splash screen now

[–] RunAwayFrog@sh.itjust.works 20 points 1 year ago

Don't know if this will be relevant at all, but I'm almost hoping this will force Lemmy devs to abandon the obscure markdown crate they use for pulldown-cmark.

Using an obscure markdown implementation just because it supports spoiler tags always sounded like a silly decision to me!

[–] CMahaff@lemmy.ml 20 points 1 year ago

4AM in the Netherlands where the instance owner Ruud lives... hopefully his assistant admins can clean it up, but it might be a bit before he even knows anything is wrong.

[–] erre@lemmy.ml 18 points 1 year ago* (last edited 1 year ago)

They're stealing jwt tokens and noting when they're admin tokens.

https://lemmy.sdf.org/post/696053 https://lemmy.sdf.org/comment/850269

[–] Max_P@lemmy.max-p.me 16 points 1 year ago

The admins now appears to have taken down the backend in an effort to stop the defacing.

[–] TheVampireSaga@lemmy.world 15 points 1 year ago

Looks like this thread is getting mass downvoted by bots btw

[–] bamboo@lemmy.blahaj.zone 13 points 1 year ago (1 children)

Just went there and didn't immediately see anything out of the ordinary, but then was redirected to Chatroulette, lol yikes

[–] tarjeezy@lemmy.ca 10 points 1 year ago (1 children)

Really hoping it's "only" redirecting to offensive sites, and not to malware. I got redirected a few times, before I closed my browser.

[–] hawkwind@lemmy.management 9 points 1 year ago* (last edited 1 year ago) (1 children)

TBF modern browsers are remarkably secure from being a vector to pwn your computer these days.

EDIT: I don't endorse hanging out on a compromised lemmy.world. Focus on the implication for the bigger lemmyverse though. A hack coming through to you is unlikely.

[–] bamboo@lemmy.blahaj.zone 14 points 1 year ago (1 children)

I sure hope so

~ Sent via Internet Explorer 6 on Windows XP

load more comments (1 replies)
[–] maegul@lemmy.ml 13 points 1 year ago

For those not aware, the beehaw server did intentionally shut their instance down to avoid any issues.

See announcement here: https://hachyderm.io/@beehaw/110687918465426082

[–] dsemy@lemm.ee 12 points 1 year ago (2 children)

Damn first vlemmy.net (my original instance) dies, and now one of the largest is hacked…

load more comments (2 replies)
[–] Cube6392@beehaw.org 9 points 1 year ago

Is @Ruud's mastodon.world instance still okay?

[–] JohnSaveourSocks@lemmy.ml 8 points 1 year ago* (last edited 1 year ago) (1 children)

I literally just made a community over there 20 mins ago fml

load more comments (1 replies)
[–] Elden_Potato@reddthat.com 8 points 1 year ago (3 children)

Well shit, just set up shop here. Had made a back up account on vlemmy the other day and that's down too. What's going on?

load more comments (3 replies)
[–] xaon_rider92@monyet.cc 8 points 1 year ago

Time to make an alt! Been thinking about switching instances anyway, so this is a nice test. Hope the situation gets resolved soon.

load more comments
view more: next ›