TIL Lemmy.world got hacked - Details

Lemmy was/is vulnerable to XSS attacks.

Hackers try to inject JavaScript code that tries to steal your (ideally admin) cookie credentials. It seems that the admin account of lemmy.world was compromised this way (MichelleG). Other instances aren't safe either. This could point to the custom emojis feature in federated comments, meaning a lot of external instances could be affected by now.

Incorrect escaping of user input data could lead to these issues. Kbin just recently discovered a similar regression issue, which has been solved by now. But it seems that Lemmy was or still is vulnerable to this attack vector.

Mitigation action for Lemmy users: You might want to disable JavaScript in the meantime.

Mitigation action for Lemmy server owners: Disable custom emoji:

DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;

Clean up the exploit content:

UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';

Rotate your JWT secret (invalidates all current login sessions):

UPDATE secret SET jwt_secret = gen_random_uuid();

Note: Even just opening a link to a vulnerable Lemmy instance could allow hackers to steal your cookies or session credentials. Therefore I will not share or allow people to share URLs of compromised / vulnerable instances.
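To make the "incorrect escaping of user input" point concrete, here is an added example (my own code, not Lemmy's or kbin's renderer) that contrasts a markdown-image renderer which pastes the alt text straight into the `alt=""` attribute with one that attribute-escapes it, and then runs a scan over a few constructed content rows. The scan is broader than the thread's `LIKE '%![" onload%'` query: it flags any image whose alt text contains a double quote, since that is what lets the alt text break out of the attribute. The content strings, URLs and row ids are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample content (not from any real instance): a benign image
# reference and one whose alt text tries to escape the alt="" attribute.
BENIGN = '![cat](https://example.invalid/cat.png)'
HOSTILE = '![" onload="x](https://example.invalid/e.png)'
SAMPLE_ROWS = [(1, BENIGN), (2, HOSTILE), (3, 'plain text comment')]

# Minimal markdown image syntax: ![alt](src)
IMAGE_MD = re.compile(r'!\[(?P<alt>[^\]]*)\]\((?P<src>[^)\s]+)\)')


def render_unescaped(markdown: str) -> str:
    """Vulnerable renderer: user-controlled alt/src are interpolated as-is."""
    return IMAGE_MD.sub(
        lambda m: f'<img alt="{m["alt"]}" src="{m["src"]}">', markdown)


def render_escaped(markdown: str) -> str:
    """Hardened renderer: every user-controlled value is attribute-escaped,
    so a quote in the alt text can never terminate the attribute."""
    def repl(m):
        alt = html.escape(m['alt'], quote=True)
        src = html.escape(m['src'], quote=True)
        return f'<img alt="{alt}" src="{src}">'
    return IMAGE_MD.sub(repl, markdown)


class _ImgAttrs(HTMLParser):
    """Collects the attribute dict of every <img> the browser would see."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'img':
            self.attrs.append(dict(attrs))


def img_attributes(fragment: str) -> list:
    """Parse a rendered fragment the way a browser would and return the
    attributes of each <img>; an injected onload shows up as its own key."""
    parser = _ImgAttrs()
    parser.feed(fragment)
    return parser.attrs


def flag_suspicious(rows):
    """Ids of rows whose image alt text contains a double quote. This is a
    wider net than the exact '![" onload' marker in the thread's SQL; use it
    to preview before deciding what to remove."""
    hits = []
    for rid, body in rows:
        if any('"' in m['alt'] for m in IMAGE_MD.finditer(body)):
            hits.append(rid)
    return hits


if __name__ == '__main__':
    print('unescaped:', img_attributes(render_unescaped(HOSTILE)))
    print('escaped:  ', img_attributes(render_escaped(HOSTILE)))
    print('flagged rows:', flag_suspicious(SAMPLE_ROWS))
```

Run it and the unescaped rendering of the hostile row yields an `<img>` with a separate `onload` attribute, while the escaped rendering keeps the whole string inside `alt`; only row 2 is flagged by the scan.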

dragontamer,
UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';

Note: this looks for all posts saying ![" onload and replaces them with <REMOVED BY ADMIN>. Administrators will want to run a SELECT * FROM comment WHERE content LIKE '%![" onload%'; to preview all posts before removing them.

But due to the nature of the federation, the evil post will be stored across the fediverse. If the evil post was stored on kbin.social, does that mean that the evil JavaScript still gets run? Questions for later…


FYI: the “evil post” that contained this exploit was shipping off the JWT + Account information to some evil server. The hacker fully knows who is compromised / vulnerable.

When you have a full JavaScript escape like this, it allows web browsers to send information, including keyboard and mouse movements, within the compromised post. Fortunately, it looks like our "login page" is a separate page, so I don't think any passwords were stolen. And this is all JavaScript, so it's just front-end control (i.e. pretend someone suddenly grabbed your computer while you were away. It doesn't mean they have your password, it just means that they can make posts / change your settings / etc. etc. That's roughly the level of this hack).
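The thread says the stolen item was the JWT (the session), not the password, and the original post's remedy is to rotate the server's JWT secret. The following added example (my own code, not Lemmy's token implementation) shows why that works: it issues a minimal HS256-style token under one secret, then checks it against a freshly generated secret. The claims, issuer name and the `rotate_secret` helper are assumptions for the example; `secrets.token_hex` stands in for the `gen_random_uuid()` used in the thread's SQL.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()


def issue_token(secret: str, claims: dict) -> str:
    """Minimal HS256 JWT (header.payload.signature); educational, not a library."""
    header = _b64(json.dumps({'alg': 'HS256', 'typ': 'JWT'},
                             separators=(',', ':')).encode())
    payload = _b64(json.dumps(claims, separators=(',', ':')).encode())
    signing_input = f'{header}.{payload}'.encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f'{header}.{payload}.{_b64(sig)}'


def verify_token(secret: str, token: str) -> bool:
    """True only if the signature was produced with this exact secret."""
    try:
        header, payload, sig = token.split('.')
    except ValueError:
        return False
    expected = hmac.new(secret.encode(), f'{header}.{payload}'.encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(_b64(expected), sig)


def rotate_secret() -> str:
    """Assumed helper: a fresh random secret, the analogue of
    UPDATE secret SET jwt_secret = gen_random_uuid(); in the thread."""
    return secrets.token_hex(32)


def demo() -> tuple:
    """Returns (valid_before_rotation, valid_after_rotation) for a token
    that an attacker copied out of a victim's browser (constructed claims)."""
    old_secret = rotate_secret()
    stolen = issue_token(old_secret, {'sub': 42, 'iss': 'example.invalid'})
    before = verify_token(old_secret, stolen)
    new_secret = rotate_secret()
    after = verify_token(new_secret, stolen)
    return before, after


if __name__ == '__main__':
    print('stolen token valid before/after rotation:', demo())
```

Every session issued under the old secret, the attacker's copy included, fails verification the moment the secret changes; legitimate users simply log in again and receive tokens under the new secret. Rotation does not undo anything the attacker already did with the session, which is why the content clean-up above still has to happen.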

melroy,
@melroy@kbin.melroy.org

@dragontamer correct. Maybe they don't have your credentials but only your session. This allows them to execute tasks that are available to admins within the admin panel or any other moderation tool on the site.

Kbin doesn't use custom emojis as far as I know. But it could potentially spread to any software that doesn't escape the content that is getting displayed. Whether the software is kbin, lemmy, pixelfed or mastodon. Or whether the content is a post, thread, comment or user name/ description to just name some options.

melroy,
@melroy@kbin.melroy.org

@dragontamer seems like kbin is using a markdown formatter/parser library on all the user input, and escapes the data. So kbin shouldn't be affected.
