this post was submitted on 10 Jul 2023
477 points (99.2% liked)

Fediverse

17776 readers
41 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS
 

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

you are viewing a single comment's thread
view the rest of the comments
[–] Max_P@lemmy.max-p.me 77 points 1 year ago (5 children)

I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.

It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as HTML entity.

lemmy.world appears to be running a git commit that is not public.

[–] CMahaff@lemmy.ml 40 points 1 year ago (1 children)

I actually consider it good news that the redirection is happening this way (something that can be done just by having the lemmy credentials of an admin) vs something indicating they have access to the server itself.

[–] maegul@lemmy.ml 30 points 1 year ago (4 children)

Yep, same. It was also the most likely scenario.

It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.

[–] RoundSparrow@lemmy.ml 17 points 1 year ago (1 children)

The JWT are likely a hot issue, already some Issues on GitHub about them not being revoked properly.

[–] CMahaff@lemmy.ml 11 points 1 year ago (2 children)

Oh man, that would be brutal if they are resetting the password and it isn't kicking the attacker out...

[–] Max_P@lemmy.max-p.me 12 points 1 year ago

That's probably what happened here because they did revoke the admin's access, but it continued.

[–] RoundSparrow@lemmy.ml 8 points 1 year ago (1 children)
[–] CMahaff@lemmy.ml 6 points 1 year ago (1 children)

The issue does say changing the password should kick the user out, but yeah, still not good.

[–] RoundSparrow@lemmy.ml 7 points 1 year ago (1 children)

This issue from 2 weeks ago was the one I was thinking of, it's worse: https://github.com/LemmyNet/lemmy/issues/3364

[–] CMahaff@lemmy.ml 4 points 1 year ago* (last edited 1 year ago) (1 children)

Oh man this one is SO much worse. If this is what is going on the only way to kick out the hacker will probably be to manually alter the DB. Yikes.

I hope the admin team is aware of this - not sure how one would even contact them.

[–] maegul@lemmy.ml 3 points 1 year ago

Well, provided top level admin access to the server is still protected, a manual DB change ought to be rather doable right?

As for contacting the admins ... the lead admin, ruud, is on mastodon and also admins one of the largest mastodon instances: mastodon.world. They are Dutch however, which means they're likely asleep right now.

All of which raises the broader point about what good admin practice is. This is something the fediverse needs to get better at. In this case, as a bare minimum, every admin should be reachable at a location outside of their own instance.

Ideally, IMO, there'd be an "admin backline protocol" of some sort, where it's super easy or even automatic that every admin of every instance can have an account on any instance they federate with for the purposes of communication etc.

[–] CMahaff@lemmy.ml 16 points 1 year ago (1 children)
[–] darrsil@beehaw.org 15 points 1 year ago (1 children)

Yeah, the Lemmy 2FA implementation sucks. It only works in certain authenticators - Authy not being one of them. Google Authenticator does work and apparently so does the iOS keychain (but can't confirm that one).

Best way to do it is to enable it and set it up but keep the settings window open, then open a separate incognito window and try to log in. If your 2FA code doesn't work, go back to the other settings window and disable it.

[–] bert@lemmy.monster 6 points 1 year ago

I am using 2fas with no issue and set it up using the method you described. So far, so good...in case anyone needed a vote of confidence!

[–] G59@lemmy.ml 10 points 1 year ago

The hacked MichelleG account actually commented that it did not have MFA enabled lol. This was on the lemmy.world shitpost community, on one of the posts making memes about the situation. Hilarious that the hacker decided to share that.

[–] Rentlar@lemmy.ca 3 points 1 year ago

OK good to know that the server itself is unlikely to be compromised. I'll be changing passwords to all my accounts once this blows over.

[–] andrew@lemmy.stuart.fun 16 points 1 year ago

It does look like most instances will be vulnerable judging by the fix. It's not custom code; it's in lemmy-ui proper.

https://github.com/LemmyNet/lemmy-ui/pull/1897/files

[–] redcalcium@c.calciumlabs.com 10 points 1 year ago (1 children)

It seems the database and the server itself is not compromised? Just an admin account that used to post a markdown XSS exploit?

[–] Max_P@lemmy.max-p.me 18 points 1 year ago (1 children)

Pretty much, and it's not even XSS (it's not cross-site), it's just plain basic HTML injection breaking out of Markdown. At least as far as I was able to find.

[–] redcalcium@c.calciumlabs.com 4 points 1 year ago (1 children)

XSS is a blanket term for vulnerabilities that allows attackers to inject client-side scripts. Looks like someone is already identified and submitted a pull request that contain a fix: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

[–] barsoap@lemm.ee 1 points 1 year ago

Aaaargh yeah using typescript doesn't do jack when your API is stringly-typed. This erm wouldn't have happened on the backend.

[–] tarjeezy@lemmy.ca 7 points 1 year ago (2 children)

Last I saw, they were on 0.18.1, unless a very recent update was installed. Do you happen to have a full list of domains they were redirecting to? Just want to be sure they were only going to "harmless" offensive sites, and not something worse.

[–] Max_P@lemmy.max-p.me 14 points 1 year ago

As for the version, my instance reports it as

0.18.1-2-ga6cc12afe

So it seems to be using some extra patches, but I can't find that commit on GitHub which indicates it might not be public, or cherry-picked locally.

So with this in mind, either it's just innocent performance patches, or someone potentially also introduced the markdown vulnerability.

Although it's also entirely possible I suck and wasn't able to reproduce it correctly/had wrong quoting or something. Hopefully the devs can shine some light in the details.

[–] Max_P@lemmy.max-p.me 13 points 1 year ago (1 children)

Only lemonparty (which then redirects to chaturbate) and the pedo image hosted in the pictrs of lemmy.world itself. I saw no evidence of anything else, as people said, it's a pretty oldschool type of hack to disturb not spread malware.

But I didn't dig that much further than that, and it's only a snapshot of what I gathered before it got fixed. I Ctrl+F "lemonparty" in view source and pasted the JSON in VScode and that's about it. Didn't dig much deeper if that was just a red herring.

[–] tarjeezy@lemmy.ca 10 points 1 year ago

Thanks for digging in and sharing your findings!

[–] Nyanix@lemmy.ca 7 points 1 year ago

Max-P doing the Lord's work