this post was submitted on 10 Jul 2023
3282 points (99.3% liked)
Lemmy.World Announcements
29077 readers
8 users here now
This Community is intended for posts about the Lemmy.world server by the admins.
Follow us for server news ๐
Outages ๐ฅ
https://status.lemmy.world
For support with issues at Lemmy.world, go to the Lemmy.world Support community.
Support e-mail
Any support requests are best sent to info@lemmy.world e-mail.
Report contact
- DM https://lemmy.world/u/lwreport
- Email report@lemmy.world (PGP Supported)
Donations ๐
If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.
If you can, please use / switch to Ko-Fi, it has the lowest fees for us
Join the team
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Do we have any details on how Michelle's account was compromised? Right now in the GitHub issue about the vulnerability they're clueless about how the custom emoji exploit could be performed without first an already compromised admin account.
EDIT: yeah here's how: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
You do NOT need an admin account to do that. Any normal user could have done that.
How? I kept trying it yesterday without any luck, even with manual POST requests. The markdown (at least in the comments) seems to be properly escaped.
So, simply viewing a comment thread with a maliciously-altered emoji (on an unpatched instance) was enough to compromise your account?
Pretty much. The hacker sent me a DM with the emoji which contained the malicious code. All I did was open and read it. Iโm proud of the team that worked until 2 AM to not only revert the changes, but fix the exploit.
Damn. This is why Adkins should have separate admin tools that aren't part of there main Lemmy usage
yes: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
I just figured out how: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
Yeah, an admin account is absolutely not necessary.
AlmightySnoo is posting in Github a lot. I'm assuming that the user above has been trying it on the older, unpacked, docker instance.
@AlmightySnoo Correct me if I'm wrong of course.