PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down)

Yea, I switched to this alt. It appears to be one of the assistant admins accts. Seems like an old fashioned anon prank, to me, they're mainly just trying to make stuff offensive and redirect people to lemonparty.

So, y'know, old school.

I don't know if any data is actually in danger, but I doubt it. I don't see why assistant admins would need access to it.

Main instance hacked? Time to use an alt!

The first hack is a rite of passage for every site that gets big. It means we've been recognized!

Luckily, this seems to be a standard troll (with some tech knowledge) - they've defaced the site and put redirects to shock sites, rather than injecting actual malware or quietly collecting everyone's passwords. This could be much worse.

I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.

It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as HTML entity.

lemmy.world appears to be running a git commit that is not public.

How did it happen and what does this mean for me as a user of lemmy.ml who also follows people on lemmy.world?

God damn, spez-funded hacker groups already is trying to disrupt the resistance.

Hmmm. Don’t know what the fall out of this will be. But a lot of lemmy is on that server. Unfortunately. Maybe we’ll learn a lesson in the value of decentralisation.

Ruud also runs mastodon.world, FYI.

lemmy.world was briefly back to normal and there had been a post saying that everything was fine now - it's not.

The site has just started doing the same thing again.

Please do not try using lemmy.world for the time being.

Being a part of Lemmy in these early days has been kind of interesting, seeing all of the bugs and bits that will be ironed out over time. One day when Lemmy is as old as Reddit it will all be folklore. Maybe.

GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin's JWT, which then lets the attacker get into that admin's account which can then spread the exploit further by putting it somewhere where it's rendered on every single page and then deface the site.

If your instance doesn't have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.

lemmy.blahaj.zone got hacked too, looks like the same people

https://lemmywinks.xyz/post/320087

4AM in the Netherlands where the instance owner Ruud lives... hopefully his assistant admins can clean it up, but it might be a bit before he even knows anything is wrong.

They're stealing jwt tokens and noting when they're admin tokens.

https://lemmy.sdf.org/post/696053 https://lemmy.sdf.org/comment/850269

Permanently Deleted

Don't know if this will be relevant at all, but I'm almost hoping this will force Lemmy devs to abandon the obscure markdown crate they use for pulldown-cmark.

Using an obscure markdown implementation just because it supports spoiler tags always sounded like a silly decision to me!

Just went there and didn't immediately see anything out of the ordinary, but then was redirected to Chatroulette, lol yikes

The admins now appears to have taken down the backend in an effort to stop the defacing.

For those not aware, the beehaw server did intentionally shut their instance down to avoid any issues.

See announcement here: https://hachyderm.io/@beehaw/110687918465426082

Damn first vlemmy.net (my original instance) dies, and now one of the largest is hacked…

Looks like this thread is getting mass downvoted by bots btw

The "Hot" sort topic:

Is @Ruud's mastodon.world instance still okay?

Wtf? What even is happening?

I'm seeing zero comments come out of Lemmy.world in the past 15 minutes, app users shouldn't have been redirected... and users commenting from other servers should be going to communities homed there. I wonder if they shut off federation. I normally see over 10 comments a minute: https://lemmyadmin.bulletintree.com/query/comments_ap_id_host_prev?output=table&timeperiod=15

I literally just made a community over there 20 mins ago fml

Compromised in what way? Can you post proof?

It was cleaned up on the home page, but now back to being defaced as of this comment time.

Another user on the site confirmed this:

It appears that the deface attack is back in full swing (racial slurs and all the redirects)

Well shit, just set up shop here. Had made a back up account on vlemmy the other day and that's down too. What's going on?

Time to make an alt! Been thinking about switching instances anyway, so this is a nice test. Hope the situation gets resolved soon.

Yikes, hope they can find and disclose whatever they used to compromise an admin account.

F

Technical details, is it the sidebar: https://lemmy.ml/post/1896249

Just clicked into Lenny.world and saw “site has been seized by Reddit for copyright infringement “

Ah, crap...

Looked like the admin u/MichelleG over there got hacked. That account posted a couple stickied posts and then all the css and links started changing on the site.

I really hope they have backups in place.

Lemmy.world front page is back up, but I am now logged-out

It’s fine now.

Oof. Oh well, at least they’re getting recognized I guess.

I decided to check it and it tells me that 'The site has been seized by Reddit for copyright infringement'.

Seems fine now

Permanently Deleted