Lemmy.world Site Redirects and More Removed
We know an issue occurred on the site over an hour ago with someone using my account to redirect the site, make fake posts, and change other settings. The problem has been corrected.
We will continue to monitor the situation and keep you informed.
118
Comments93
don't turn into reddit admins now, please answer this lol
Give them some time to investigate maybe?
Here's what I think happened: https://lemmy.world/comment/1059957
Basically it's Javascript that was injected in the main sidebar. That means that Lemmy doesn't escape HTML in the main sidebar (what about community sidebars?) and that Lemmy devs need to prioritize a security audit of the whole code base right now, I did this kind of shit when I was a kid and it's just insane that Lemmy has this vulnerability, this was not some sophisticated hack.
What it also means is that it's very unlikely that any personal data was compromised.
It's looks like an admin account got compromised.
Yes that's what allowed them to modify the contents of the sidebar, but the more serious problem is that you can put HTML in the sidebar and it won't be escaped by the Lemmy backend. That's what allowed this JavaScript redirection.
Should also be pointed out the admin is evidently still compromised. The one that posted this thread.
I'm opening Pandora's box: what if all sidebars, not just the main one, have this vulnerability? An admin account being compromised will be the least of our worries if this is the case.
If you are right do you know what are the potential impacts of the vulnerability, what could a malicious individual do?
Hopefully not handling this many users without a comprehensive security audit!
Cookies were likely obtained too, so they could have logged into your account using those cookies and gotten your email address or posted something with your account, but I think it's more likely they prioritized admin accounts as they were also sending a flag indicating whether the account is an admin or not. Ruud's has invalidated those cookies a while ago so they're worthless now and the hacker can't use them to log in. See ruud's announcement.
https://github.com/LemmyNet/lemmy-ui/issues/1895
Hope you got that energy for the rest of Lemmy instances because they're all the same
Aviate, navigate, comunícate... Give them time to solve the issue.
What personal data did you give Lemmy? Lol. And if you're going to question lemmy.world then head over to every other instance and take your stance there too.
I don't use other instances, I use lemmy.world. Questioning why and how a major instance got hacked isn't an outlandish line of questioning; I need to know whether this will continue to be a safe, reliable, and secure instance to use otherwise I and presumably others will go elsewhere. This was relatively minor in the grand scheme of things, so hopefully it'll be enough to prompt a fix for whatever caused it (seems like it was possibly insecure code not correctly sanitising HTML).
You're absolutely spot on, it will be important to hear what happened and how and why. If an admin account was compromised, that's not a good reflection on the security and related practices of this instance.
No it hasn't. The main page still redirects to a picture of a guy with a cigar with the caption "Just raped a kid in the woods."
at least that one's mildly amusing
Wait til you see the grandpa threesome
Glad I missed out on that one
::: spoiler I did not. I'm now traumatized. :::
We have an aww community if that helps?
Please. It makes for good eye bleach.
Yeah, it's doing that for me, now, too. Looks like the hack is ongoing.
I came here to post this
Try clearing cache on your browser.
I did. It didn't help.
If they did a DNS record change then we wouldn't be able to access this part of the site, either. The whole thing would be redirected.
Same. It was previously just “Lemmy.World” but now I see this
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
There are other types of reportable breaches too, I only mention data as it sounds most likely. You may or may not be subject to PECR which may also have been breached although less likely. I don't really have enough familiarity with the regulation to discuss that one.
If you are not sure if there has been a breach you may also need to discuss it with the relevant body or make a report.
Please can you update what action you have taken regarding this and if the incident was reportable or not and the reasons why.
It would be good to know if you had 2FA enabled on the compromised account particularly as it had admin privileges and if so how 2FA was circumvented.
It would also be good to know what measures you have in place to prevent the same or other malicious attempts on your Open Collective and Patreon accounts as issues with those are potentially more serious.
As an aside, this is why it's no longer possible in 2023 to host a social site as a hobby. Of course GDPR is good, I'm glad it exists, but as an individual, it's not the kind of responsibility I want for my hobby.
I think the difference between a hobby site and a large social media/ conversation platform is a site for your personal use without a comment section etc likely isn't covered, whereas a site handling users personal data and transferring data between jurisdictions is.
I absolutely agree there is no way I would want to navigate GDPR and other regulations as an individual and therefore no way I would host a Lemmy instance! It's a big and complex undertaking, where basic compliance isn't too difficult but dealing with any issues that you or someone else causes that impact you is a nightmare.
Doesn't GDPR only apply to businesses with more than 250 employees? Now that I type this out, does it apply to non-commercial actions at all? Does lemmy.world have even 1 "employee"?
Edit: I really should get better at just googling the questions I have instead of asking a stranger to do it, haha.
Some parts of it don't apply to small businesses but it's mostly about record keeping, and it doesn't matter if you are non-commercial, you still must comply.
My understanding is if you process personal data (which includes things like screen name for the UK) then you need to comply.
Yeah, I realized I was just asking you to google something for me; sorry about that. I didn't know t applied to usernames, though. How is that "personal data"?
No worries!
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-are-identifiers-and-related-factors/
This makes a lot of sense. I was thinking of "personal data" as "something that identifies a specific person" instead.
The problem has not been corrected.
FYI: There is a bug in Lemmy right now where this post will not replicate to peer instances. Because you are only an "admin" of this community and postings are restricted to mods/admins, and other servers won't recognize you as an admin. You can make yourself a mod, but the posting already likely is in retry state. GitHub: https://github.com/LemmyNet/lemmy/issues/3571
I’d just like to say that even with an admin account being compromised (get your shit together @MichelleG (mostly kidding but 2FA fr :P )), lemmy.world still worked well with third party apps, and most importantly: the majority of the fediverse was unimpacted!
Since I only use desktop, I didn't bother to check mobile, thought it was redirecting too.
It WAS fixed but it's back again, was another account compromised?
Confirmed, the defaced content is now back.
Looks like it's MichelleG again, either the hacker was able to reinstate the account or lemmy.world did and it was instantly compromised again.
Should this still be the case:
Not only that, but lemmy.ml has been defederated, and all of the other instances that were previously defederated have had federation restored.
Yup. Just saw that as well.
I'm getting zero posts and comments out of Lemmy.world to my instance since this incident started.
Meta and Zuck sent their best security engineer and this is the best they could do? Shameful 😂
There's still issues going on, sending a message results in the same redirect, and the instance icon has been changed again as well as the instance name.
EDIT: Redirect is back as well.
EDIT2: Attack is still ongoing
Its not the cache. The site is still under attack.
Lol you responded to the person responsible for said attack, fyi
Can you please tell us if you’ve at least enabled 2FA on your account? Have the other admins?
Site is still under attack lol
They got in again. Site image is different than before (earlier hack it was trump, now it's that image of the woods guy), sidebar image is also the woods guy now (idr what it was earlier in the hack but something else), and instead of redirecting to lemon party, it now says "Site has been seized by Reddit for copyright infringment". Also they spelled infringement wrong.
Still happens in incognito mode and with cleared cache, or even a different browser. This is server side.
Opened incognito mode. lemmy.world is still issuing a redirect to: (https://lemmy.world/pictrs/image/7aa772b7-9416-45d1-805b-36ec21be9f66.mp4)
Should I even click that link or is it a bad idea? I’m kinda curious since I haven’t seen any of what’s happening yet since I only use Memmy and it hasn’t been affected by this
I was concerned when I opened my browser and suddenly a few Lemmy tabs prompt me to download this same file multiple times... Saved it and placed the mp4 in a Vm, I need to sleep so I'll pass a look over it when I wake.
There's "Israel" under some unusual bloke with a cigar for the Lemmy world icon...
Edit: don't seem to be having any current issues, looks like people are discussing on Reddit about the situation already. Good luck and stay safe whilst I'm asleep!
I newly joined and this started anew shortly after. It likely got readded.
This is the top left icon for me now, it wasn't 15 mins ago.
Still happening on my side.
Its not the cache. The site is still under attack.
I think you are speaking with the hacker!
That's the hacker you're taking to btw
Opened via incognito as I said. No cache stored. It appears the title of the site change back again. Are you sure you have full access of your account and no one else is on it?
It was fixed for me but it's just started again.
Yea MichelleG's account is likely still compromised.
100%, they're even trolling this post lol
Such as this one. Do not follow any advice from @MichelleG at this time. It is highly likely the original user of the account has not fully regained control.
This user made a terse "status update" post to /m/random on kbin right after this one (with a post language of Afrikaans??), which makes no sense at all. Do not trust any status updates coming from this lemmy.world account.
It is still redirecting for me. and the site is still messed up. so no the problem hasn't been corrected fully.
We seem to be back.
I now see this between
Lemmy.WorldIsrael and the Guy with the Cigar.Anyone else seeing this?
Yes. Hacker is still in.
Saw something about Reddit copyright and haven’t opened the site all day. Something is definitely wrong with main site.
Actually, yeah, checking https://lemmy.world/api/v3/site I still see modified data. Something’s definitely still broken
Your legal page is a lemming
.
Edit - admins are aware. For now, hopefully Lemming J Crabbs attorney at law will do the necessary.
I'm not sure what to make of that, but this might shine some light.
https://lemmy.world/post/1287054
Thanks - see there is post from Admins now. Quick work!
FYI - the issue is affecting other lemmy instances as well, including lemmy.blahaj.zone. Looks like the XSS vulnerability is platform wide.
Why mess with success? "hunter2" is famously secure.
Next level secure: Hunter2!
I saw and the site is still under attack.
Considering that this was/is the account that was compromised, I think it would be more reassuring if it was one of the other admins confirming that the situation has been resolved. Right now we have no proof that this isn't the hacker lying to cover up their misdeeds.
Well, now we know why this post was worded so weirdly. It's pretty obvious when you read it that this does not sound like any official announcements.
I was wondering if admins and mods are required to have 2fa turned on for their accounts? Shouldn’t it be?
One of my posts first had the photo removed, then when it was replaced, the entire post was deleted, right in the middle of the hack, figured i'd like you know
Did this only affect people using web browsers?
No longer getting the "reddit copyright" page on desktop, now it's just an error page :/