481
PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) (lemmy.ml)
submitted 1 year ago* (last edited 1 year ago) by G59@lemmy.ml to c/fediverse@lemmy.ml
244 comments fedilink hide all child comments

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?

edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

you are viewing a single comment's thread
view the rest of the comments
[-] Max_P@lemmy.max-p.me 80 points 1 year ago

I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.

It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as HTML entity.

lemmy.world appears to be running a git commit that is not public.

[-] CMahaff@lemmy.ml 41 points 1 year ago

I actually consider it good news that the redirection is happening this way (something that can be done just by having the lemmy credentials of an admin) vs something indicating they have access to the server itself.

[-] maegul@lemmy.ml 31 points 1 year ago

Yep, same. It was also the most likely scenario.

It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.

[-] CMahaff@lemmy.ml 17 points 1 year ago

Yeah, I've been scared to turn on 2FA with all the reports of people being locked out:

[-] darrsil@beehaw.org 15 points 1 year ago

Yeah, the Lemmy 2FA implementation sucks. It only works in certain authenticators - Authy not being one of them. Google Authenticator does work and apparently so does the iOS keychain (but can't confirm that one).

Best way to do it is to enable it and set it up but keep the settings window open, then open a separate incognito window and try to log in. If your 2FA code doesn't work, go back to the other settings window and disable it.

[-] bert@lemmy.monster 6 points 1 year ago

I am using 2fas with no issue and set it up using the method you described. So far, so good...in case anyone needed a vote of confidence!

load more comments (11 replies)
load more comments (11 replies)
load more comments (21 replies)
this post was submitted on 10 Jul 2023
481 points (99.2% liked)

Fediverse

17508 readers
103 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 4 years ago
MODERATORS
deadsuperhero@lemmy.ml
wakest@lemmy.ml