Lemmy.world (and some others) were hacked
While I was asleep, apparently the site was hacked. Luckily, (big) part of the lemmy.world team is in US, and some early birds in EU also helped mitigate this.
As I am told, this was the issue:
- There is an vulnerability which was exploited
- Several people had their JWT cookies leaked, including at least one admin
- Attackers started changing site settings and posting fake announcements etc
Our mitigations:
- We removed the vulnerability
- Deleted all comments and private messages that contained the exploit
- Rotated JWT secret which invalidated all existing cookies
The vulnerability will be fixed by the Lemmy devs.
Details of the vulnerability are here
Many thanks for all that helped, and sorry for any inconvenience caused!
Update While we believe the admins accounts were what they were after, it could be that other users accounts were compromised. Your cookie could have been 'stolen' and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).
For this, you would have had to be using lemmy.world at that time, and load a page that had the vulnerability in it.
Very impressed by how quickly action has been taken by this and other instances to patch the issue.
Very, seems like great work.
Hijacking the top comment to say I had problems with logging in to Lemmy.world today and liftoff was failing in odd ways.
I had to go into my web browser and clear my site cookies for lemmy.world to let me log in there.
In liftoff I had to go into the app settings in android to clear the cache and then remove and re-add my account for it to be able to log me in. (Press and hold on the account to remove it)
I’m on iOS with the Memmy app. It’s a work in progress that’s officially unfinished so I’m not surprised but it has also been a bit buggy. Doesn’t seem that I can log out without deleting and reinstalling the app so hopefully this doesn’t happen too often XD
So I was actually just struggling with that myself, also in the Memmy app in case that isn’t clear
What I did was add my account (again)
There was no warning or anything, and it populated the list with two of me.
At that point, a “delete account” option appeared under both of them. So I guess in normal circumstances, it wants you to keep one account around at all times?
I deleted one of them, and the app basically reinitialized. Both were gone and it showed me the welcome screen.
I logged back in, and now everything is back to normal
I just did edit account and then saved, it seemed to trick it into logging in again (secrets on my instance were also reset).
Ah interesting. I’ve had multiple accounts from the start so it was much easier for me. Just removed my main account and added it back.
Finally I found good instructions, was about to delete and reinstall until I followed this!
Interesting. Definitely could be made clearer, I’ll make a post on the GitHub later about some of my suggestions.
Whoops, glitched double response.
Interesting. Definitely could be made clearer, I’ll make a post on the GitHub later about some of my suggestions.
I did this, but I just didn’t delete either accounts and it worked fine. Idk if it’s detrimental to have two of the same but it worked for me.
I found I didn’t actually have to log out, just go into account settings and reconfirm everything without changing it
No you can. You just remove the account from the accounts list. It’s labeled “delete this account” which is scary but it just removes it from Memmy. You can add it right back and that logs you back in. Not a great experience.
I sure hope this doesn’t happen a lot. This kind of barrier hurts site growth. I’ve managed a lot of large sites and seen a lot of bugs and when everyone gets logged out there is a measurable impact, and some folks never return. Just look at all the comments here saying “thank I didn’t know to do that.” For every one of those there are 100 people going “huh… Lemmy is down… oh well… on to something else…”
Go into account settings, clear your password, re-enter your password, save, go to feed and pull to refresh. That’s what worked for me.
For Memmy, I went to the accounts page in the settings. Click d on my lemmy.world account then to the page where you can change the password then navigated away. That reactivated the account. Maybe we should add a ticket on Memmy’s GitHub about reactivating cookies when there’s an issue. Or at least place à poput to double check credentials or something.
I was I able to upvote anything or subscribe. Seems like uninstalling and reinstalling fixed my issue
thanks for posting this, I wouldn't have figured that out lol
Good PSA. It took me a bit to figure it out, the app doesn't make this obvious.
Oh, I was wondering why it was showing me as logged in but wouldn't let me upvote due to not being logged in. Your liftoff psa just cleared that right up for me, thanks!
How have I never thought of comment hijacking?!
uh, why did you have negative one dislike?
Negative one upvotes would mean that enough people disliked me/another poster to bring my upvote total to zero. (Upvotes and likes are effectively the same thing, it’s just a naming convention). Reddit totals them up and seemingly Lemmy does as well.
huh that's weird (yes I meant negative one downvote), I already know that the total can be either positive or negative, but shouldn't the upvote number and downvote number be either positive or zero? (for now I'll just accept it as a lemmy bug/ inconsistencies between instances)
Nope, just like Reddit it’s a value that ranges between negatives and positives. If I get two thousand upvotes, positive 2k. If I get two thousand downvotes, negative 1999 (because iirc you start with one by default).
Not exactly sure I understood what you meant by “either positive or zero”.
see your comment rn, it has 1 upvote (from yourself by default) and 0 dislike (so it's not shown)
but in the screenshot I sent above you got 287 upvote and minus -1 downvote (making your total 288) which is mathematically correct but seems like an unintended behavior
for example this comment of mine normally have 9 upvote and 2 downvote (which is shown as a positive integer 2, not negative), making my total upvote 7
Just occurred to me that the app I use also shows separate counters. I fooled myself into thinking it was a single counter.
That’s interesting. Remember it’s a very new platform, minor bugs aren’t out of the ordinary.
I wish hackers would invest their time in clearing credit card debt, deleting hospital fees, or something else that actually serves the public good, instead of hacking ordinary people just trying to get by.
Thanks Ruud for fixing it! Just a reminder guys that If you are using a third party app you need to login again.
what steps are being taken to ensure it doesn't happen again? was any personal data compromised for users?
Good point, I'll update the post.
Also I am curious, what's the easiest way to currently reach the admins in case this happens again somehow? Two of them on their account have been seemingly inactive for a month and as per your own statement you rarely check your notifications and dms. Is there a discord somewhere for it?
Mail: [email protected] Mastodon: @[email protected] Matrix: https://matrix.to/#/#lemmy-support-general:discuss.online
Why wasn't there an info on /lemmy-world.statuspage.io ?
I think the admins that were on it didn't think of updating the status page...
Would it be a good idea to have a secondary email not attached to lemmy.world in case of a domain hack?
[email protected]
The mail server records of a domain name do not usually point to the same server as other services like Lemmy.
Domain registrar hack could happen too
So all our cookies are negated now with the JWT changed, and we just needed to login again? Can attackers have stolen our cookies in order to use our accounts to post as if it was us? I'm sure they were only interested in admin cookies, so most others were "useless" to them? I see nothing wrong with my posts so I should be safe, right?
Prior to the JWT secret being rotated, yes, they could have authenticated as you. The tokens are now all invalid and useless
Probably. I had to re-login myself.
If you think they could change your password:
YES, they could.
They could have changed the email => "Forgot PW" and with that you lost ur account.
I think I've lost my account, I clicked Forgot Password and nothing came into my mailbox. This account is the one I made just now.
My old account:
If you see that account post or comment on anything, please report it
Edit: Nvm, I use another email to sign up for Lemmy and forgot about it
Report it directly to Ruud or otherwise he will just delete it.
actually nevermind, I forgot that I use a different email for Lemmy, I can log back in now
It happens to all of us. Additionally, assuming that you've come here recently, there's not much data on it, and it being deleted will not be that much of a big deal.
Nice work on the recovery, especially from a 0-day.
They defaced it with dicks and changed the federation list to be only threads.net. I don't think it was a state sponsored chinese hacking group. :)
I'm ok with the dicks but the threads are TOO FAR!!! shuffles off to the angry done**
Thank you all for staying on top of it.
right after the update we also had most of the serverlist cleared except threads.net (which was the last one added so i assumed it was some bug) – otherwise nothing appears to be touched on this instance tho.
IMPORTANT ANNOUNCEMENT: My account was not among those hacked. Any random bullshit appearing in my post/comment history was written by me.
First - really good summary and sounds like everyone is working hard.
Cross posting the below comment.
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
There are other types of reportable breaches too, I only mention data as it sounds most likely. You may or may not be subject to PECR which may also have been breached although less likely. I don’t really have enough familiarity with the regulation to discuss that one.
If you are not sure if there has been a breach you may also need to discuss it with the relevant body or make a report.
Please can you update what action you have taken regarding this and if the incident was reportable or not and the reasons why. Edit - from that new information, it sounds like this is a reportable breach.
For a full understanding, it would be good to know if you had 2FA enabled on the compromised account particularly as it had admin privileges and if so how 2FA was circumvented with this exploit.
It would also be good to know what measures you have in place to prevent the same or other malicious attempts on your Open Collective and Patreon accounts as issues with those are potentially more serious. They may not be vulnerable to this, but it is going to be reassuring to know there is good security practice, 2FA protection etc enabled and you have robust procedures in place.
Thanks for the info. We're looking into this.
If a valid browser token gets stolen like in this case, then MFA won't do much good because the stolen token will already have been authenticated. Linus Tech Tips experienced the same thing recently, you can check out their channel.
That makes sense, thanks so much - there's a few good explanations here which really help! Would it be right in saying that all affected servers should be logging off all users - some have but not sure if all.
The fix is to force the use of a new JWT encryption key which--when set--would immediately invalidate all existing user cookies, forcing all users to relogin.
Lemmy has a few weaknesses related to their use of JWT in cookies that need to be addressed... The biggest one being that they use the same secret key for all user cookies (every user should have their own unique session key). I'm pretty sure that if they implemented that the scope of this vulnerability would be drastically reduced (but I haven't looked at the precise mechanism of the vulnerability yet).
They also need to provide tools in the GUI for admins and users to invalidate all issued sessions (cookies) and a mechanism for regularly rotating session secrets (the cookie currently lasts for a year and even if the session token gets regenerated it'll still use the same secret).
They also need to make the expiration times configurable so that security-focused servers can set short expiration times. Related, they need to force the use of unique secrets for every session (even if it's the same user using different devices/apps).
I guess that would depend on the specific case. If you physically went on my computer to steal my token or infected my computer with a virus to do it then we can assume that no other tokens have been compromised. But if the malicious actor has managed to steal tokens from the actual server (which seems to be the case here) and not the client then yes, as the admin I would certainly require that everyone log in again as a safety measure.
Out of curiosity, where would the regulators go for a case like this? There's no "company" running it per. se.
It seems the general consensus is GDPR applies even to OSS non company entities, but it would appear that there's very little being done to honor it.
https://www.zwilnik.com/better-social-media/activitypub-conference-2019/oss-compliance-with-privacy-by-default-and-design/#:~:text=Although%20GDPR%20directly%20applies%20only,sysadmins%2C%20including%20in%20the%20Fediverse.
This article outlines Fediverse and responsibilities, I think it mostly requires someone to file a lawsuit before there's any action.
In another case a man had cameras in his back yard that could also see a public area and was fined and forced to move them.
https://www.termsfeed.com/blog/gdpr-exemptions/
Mainly it just seems to be fodder to be used in lawsuits to make people comply with others security wishes. Not certain how all that works since cities are covered in public cameras.
I am not sure how a platform like this will work with GDPR - each server will be responsible themselves, but how it works with the flow of data between servers and who the regulators would have cases against - I think that is to be tested at some point.
They will go after a person instead.
Can 2FA be enabled for all users? I don't see the link to activate it after saving.
edit
Yeah, this doesn’t work at all. The apps don’t open links anymore. I tried some github site that reads the link and generates a QR, but the codes don’t work. This is a complete waste of time.
Just reload the settings page after saving and you'll see the activation link. Just now enabled 2FA for my account.
Don't log out! Open private tab and try logging in to test that it works. Lemmy uses SHA-256 TOTP digest which may not work correctly with some authenticators, only generating useless codes.
The interface for TOTP need to be greatly improved as well. I made sure that I had two browsers logged in when I did it because the flow is so hinky. Not having a confirmation process was a bit nerve racking.
Yeah, this doesn't work at all. The apps don't open links anymore. I tried some github site that reads the link and generates a QR, but the codes don't work. This is a complete waste of time.
Just curious if you turn yourself in to police everytime you speeding.
This is not about turning you in, this is about protecting your users who all possibly just became victims of a crime, and for good reasons it's not fully upon you to decide whether the possible consequences of this are serious for those users.
It's more that many people expect those handling their data to be seen to follow the correct procedures and be trusted to handle the data in a fair, transparent, safe and secure way - and in addition to protecting their users, companies are probably encouraged to abide by the regulations because it is very easy for anyone to report where they think action needs to be taken, and regulatory bodies may be more lenient where correct process has been followed.
If I chance a speeding or parking ticket I can't be fined nearly 20 million pounds, although I wouldn't trust some parking companies not to try it! (I'm not saying that would be the case in this instance.)
https://gdpr.eu/fines/
Thanks for letting us know - this is the kind of transparency that I wish the world had more of!
So what happened:
Am I right?
I'm old-school developer/programmer and it seems that web is peace of sheet. Basic security stuff violated:
Am I right? Correct me if I'm wrong.
Again, web is peace of sheet. This would never happen in desktop/server application. Any of the bullet points above would prevent this from happening. Even if the previous bullet point failed to do its job. Am I too naïve? Maybe.
Marek.
Damn, I go to bed early and I miss everything! Thanks for the quick resolution and transparent disclosure, this place is great!
Thank you for your work 🙏
This is really good to see such transparency from admins
Love the transparency!
Good thing we all use randomly generated passwords for every account and always remember to change them every few months.
Can we get another admin to sign off on this being authentic? In other words, short of a signed GPG signature how do we trust announcements after a breach where admin accounts are compromised?
Good point. I did post about this on Mastodon @[email protected]
Thanks for the reply!
Don't fall for it. They're also an admin on mastodon.world! :)
Now I don't know who to believe! Is Lemmy even real?
Yes.
Thanks for the work. As a heads up it appears most of the block instances are back however I believe explodingheads is still missing which you may want to confirm.
EDIT: it has been added back to the block list.
Hey how do you check on that?
As of the time of me posting this comment, exploding heads is appearing in my feed with some anti lgbt posts. Idk what’s going on because I’m pretty sure they’re supposed to be defederated currently
So thats why MalwareBytes gave me this message yesterday.
the details of the vulnerability are already known now anyway since there's a fix that was proposed on the Lemmy GitHub so I don't think it will hurt others to talk about it
Could you please link the issue? Thanks!
https://github.com/LemmyNet/lemmy-ui/pull/1897/files found it myself
yup that's the one
what I find weird is that the "fix" still focuses only on the front-end, the issue is still that unescaped HTML is being stored in the database and still trusting the front-end is nuts
I mean, I'm pretty sure that for an XSS attack that's fine. The entire problem is that somebody posts e.g. a comment that contains code that is automatically run in users' browsers. If you make the front end just not execute that code then it's fine. Who cares what's stored in the back end?
I mean, it would still be better to have multiple fail-safes, and they probably should still sanitize text entering the database.
But this is sufficient for a quick fix.
Let me introduce you to my friend, Little Bobby Tables... :)
ALWAYS SANITISE!
I think people are forgetting that it's somewhat obvious the hackers or whomever, I don't really care honestly are Lemmy users considering they did this at night and got into the site so quickly to begin with, they'd have to have been familiar with it to get into it as fast as they did.
If anything everything should be fixed.
For sure it is sufficient for a quick fix. But a Lemmy post can be posted not only on Lemmy but on other front ends (like kbin, mastodon, and many others) and they can suffer from a similar attack due to the backend storing and forwarding the bad content. So, it should not be stored as it is in the backend
I think the main developers are aware of either of them but I'm not sure, haven't seen anyone site admin wise talk about this mess.
This discussion on the original bug report does talk about the back-end needing a fix as well.
The devs are aware
I think it makes sense to escape as close as possible to the context where the data will be used, see https://benhoyt.com/writings/dont-sanitize-do-escape/
Oofof.. That's not suppose how we announce vulnerabilities...
FYI: I had to clear my lemmy.world cookies in order to be able to successfully log back in.
(This was with Firefox)
(Edit: I also shift-clicked reload, which somebody pointed out does clean the cache for that page, so I also cleaned the cache).
Thank the heavens the meme community stayed safe through this without my daily dose of cybersecurity memes idk how I would function ;)
How do we know that this isn't a fake announcement as well, trying to give us a sense of security???
Just kidding, thanks for letting us know! Thank god I haven't been too active the last few days! Can't afford my credentials being leaked, maybe I should be proactive and change my password anyways.
Had to clear my browser catch to log in, Jerboa still shows as not logged in even after logging out which you do by clicking the hamburger menu then click the top banner to change/log out of accounts. This post is a test to see if my account works again via browser lol.
Edit: clearing app data/cache for Jerboa fixed the login issue.
Hopefully with more attention on the source code scary hacks like this doesn’t happen again.
Do we have any details on how Michelle's account was compromised? Right now in the GitHub issue about the vulnerability they're clueless about how the custom emoji exploit could be performed without first an already compromised admin account.
EDIT: yeah here's how: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
You do NOT need an admin account to do that. Any normal user could have done that.
Took me a bit to realize I actually had to log out and log back in on Jerboa since it looked like I was still logged in but some interactions didn't work
You guys really have my highest respect for spending so much time to keep this running, despite all the recent trouble and now even an attack.
Thank you very much <3 You guys are awesome and I really appreciate how publicly you deal with this.
Can I ask some possibly dumb questions?
Thank you!
I think this is a strong reminder: We shouldn't put all our eggs in one basket. This will happen again. Unlike Reddit, we don't need to concentrate all communities on one instance. We should all make an effort to spread out. Some other general use instances are:
Again, for those new, you can post content to any of these instances and interact with content from other instances at the same time, just like you can send an email from your Gmail account to your ProtonMail account.
That was scary and exciting. Response seems competent and transparent. I ❤️ this place.
So, do we change passwords, esp those who logged on during the attack? (I created this acct right before the attack happened tho.)
Well done all involved. Sounds like it was caught and mitigated quickly
Despite the fact that Lemmy is a fairly new piece of software, which makes these issues more likely, I am really grateful for it being open source, and I really appreciate this level of transparency.
Thank you for the transparency and swift solution!
Any truth to what I've heard this may have been done by a group we defederated with?
Thanks for fixing and being so open about it
How does this impact those using mobile apps like Jerboa or Liftoff, instead of the website directly?
Check the pinned post on liftoff community page.
https://lemmy.world/post/1292303
As a safety precaution logged-on sessions on many servers have been cancelled and you are required to logon again.
Thanks, I'll do that. Curiously, the lemmy.ml account keeps working, wonder what it depends on.
Probably cause they haven't cancelled the session
as someone who uses the app, extremely little effect from my experience, I didn't notice something was wrong at all until people pointed it out due to how liftoff does the whole sidebar thing for the instance.
It's still better to change your account password and clear your cache.
Was wondering this myself. Is there a way for users who where exposed to know about it?
(Edit) Eg if the exploit was through a post get notified if they saw the post?
apparently they posted it as a weird image or emoji that looked like this:
HOLY SHIT I LUCKED OUT LMAO, I ALMOST CLICKED ON THAT EARLIER
no need for clicking. if you saw it, it did execute code that stole your cookie (atleast on desktop..dunno about how it is in apps). they tried to steal admin accounts wirh that.
There is no need to get notified, they didn't steal passwords, just session cookies. Most (all?) servers have invalidated all the user login cookies, but if you are in doubt, just logging out and back in should be enough to get a new cookie.
I just disabled whole "/admin" section on my instance and added nice message 😆
Good job. I don't understand very much of that, so that makes me all the more grateful. Thank you.
At least now we can mark off the "disruptive website defacement attack" line on the checklist of (relatively) new website growing pains. Better to have them make lots of noise and get fixed quickly than quietly do sneaky things in the background.
Thanks for the transparancy about this.
Thanks for your efforts. I know that Lemmy was put in place rather quickly as a Reddit alternative. But I'm genuinely hopeful that this will be a good alternative.
On Liftoff, I had to clear cache and storage in order to log back in. Still having issues with the website on Chrome, which keeps telling me I'm not logged in after clearing cache and logging back in.
The quick fix is much appreciated, thank you and everyone that helped for your hard work!
Could admins sign announcements with a PGP key to mitigate false admin posts and the consequences this might have? Or is this no longer necessary?
Does an admin account have any permissions to view email addresses or data of registered users?
Did MichelleG not have 2FA enabled?
Now that this has happened, it's be worth pushing this issue through as high priority. If
HttpOnlywas enabled, then an admin takeover would not have been possible.https://github.com/LemmyNet/lemmy-ui/issues/1252
The JWT exploit bypasses 2FA requirements. It basically steals your active session and allows a third party to use it.
Good point. I suppose the only way to fix that particular issue to disallow cookie authentications from a new location
Using proper cookie flags can also mitigate this. I am not sure there is a reason to have the session cookie accessible via JS. HttpOnly flag alone could have helped here.
If by location you mean IP address, the XSS script could also send the IP address of the user to the attacker. Then the attacker could do write operations spoofing that IP. They wouldn't get a response but the write operation would be done anyways.
Maybe doing a 3 way handshake before every administrative action to ensure the IP wasn't spoofed? Idk, I'm not a security person.
User sends IP and JWT + administrative action. I mean, IP is extracted from src addr, not sent.
Server saves the command in a cache with a TTL of 10 seconds. Then sends a randomly generated string to the user. The random string is sent in A HTTP-only same-site cookie to avoid it being read by JS scripts or being sent to external domains.
The user sends it's JWT + randomly generated string cookie back to the server. The server checks the cache. If an action is found, it is executed.
Edit: actually, after thinking about it. If the XSS is not sending the JWT to a remote location but running the attack directly in the victim's browser, there's nothing that can be done. XSS is fucked up.
To answer one question, the admins are able to view email addresses I believe. My knowledge comes from "I read it in a comment awhile ago that sounded credible" so I could be wrong.
One thing I don't get. Custom emojis can only be created by an admin, but you're saying an admin's account here got compromised because of that and not the other way around. Does that mean that an evil instance set a custom emoji with the injected JavaScript and propagated it to the federated instances?
From the fix, I believe the custom emojis were not double checked after a user submits a post. The post data was used to display the emojis, and thus allowing injection.
The fix now is to search the emojis in the custom emojis list from the backend rather than the user post.
That doesn't surprise me. Especially the "homemade" instances. The documentation is severely lacking and I had to fix lots of stuff in the instructions with try&despair to make my instance run.
There's not a great focus in security if your application starts with "step 1: install docker"
Great lemmies! Thanks for uniting us.
Thanks for the transparency.
Ugh, people should not go after systems trying to give a free service to the internet. It just ruins everything.
Thanks for the great work. The response time was awesome, considering you were asleep as well.
How do we know you're the real you? This all could be part of the plan!
Yah, I noticed my Lemmies auto-corrupted to Lemurs.
I don't care. I'm keeping it.
Lemurs are cute.
I had to create a new account. I tried enabling 2FA on my main account a week ago, but was never able to generate a token. Now when I try logging in it is asking for my 2FA token. Is there any way to get my account back. I'm a moderator of a community.
Once again, thank you guys for all that you do. As many other people are saying, appreciate the transparency about these things.
Soo it looks like the entry for this instance was also changed on https://lemmyverse.net/ . At least I hope it is the hack
see the GitHub repo, it's new
It's not fixed yet in the current version
Concerns were posted a few days ago, but no POC that used the exact same attack as we saw here. Basically, there were some warnings, and work was underway that would have prevented this, but it was not done fast enough. There is a patch now, that will take a while to roll out, plus a renewed focus on general and related issues.
Amazing how you quickly reacted to this!! Bravo!!
TIP: if you can't login after what happened, clear out your browser cache including ALL cookies, that fixes it (it did for me at least). I believe it's also advisable to change lemmy password.
I can only log in on incognito mode, which makes me think my cookie has been stolen or whatever. So my question is, what should I be doing about that?
I can't log into my account anymore, this one is a new one I've just made. I tried to reset my password but nothing came in the mailbox. I can still see comments and posts from that account though.
It's this one:
And I don't know why but I can't save the profile pic for this account.
Edit: Nvm, I use another email to sign up for Lemmy and forgot about it
This is why I've decided against running my own Lemmy instance. Too much work to have to keep up constantly with updating, too big of an attractive target for attackers.
Pardon the ignorance, but how do I know if I was compromised? what do?
As someone in EU I didn't even realized there was an issue. Well done and great reaction time! Also thank you for the transparency 👑
Interesting.
So at least that wasn't 100% malicious, otherwise they could've kept the vuln hidden and just collect data and whatnot.
On the other hand, who cared enough about Lemmy to hack it? Weird.
This is so sad lmao rip. With any site growing as fast as these instances (because of the Reddit folk) Ig these attacks are to be expected. Hope everyone's accounts and personal info are okay
Well that's just great it really is a shame though how some people would actively want to ruin something free like this just because they can.
Thanks for the transparency. Was having issues with Lemmy, now seems everything back to normal. Got a question, Just to add an extra layer of security, Do i need to use ToR or VPN with Lemmy ?
With the JWT secret rotation, shouldn't everyone be forced to re-login? I'm posting with my existing session without any changes.
FWIW,, I had to re-log
better to re-login i guess
Rock on, Rudd.
Must have been jealous spez
afaik, exploit does not pass through federation. but you should change your password just in case.
it doesn't and probably cannot infect your device
I am still not sure about it, but if a compromised comment reached your instance (through federation) and users in your instances viewed that comment, they have been hacked too.
MAYBE you are safe If your instance has no custom emojis enabled.
Here's a relevant post that talked about this with @[email protected] I think is worth looking into for anyone curious what exactly happened.
https://sh.itjust.works/post/923025
please don't visit the legal section of the website or anything confirmed compromised if anything.
I noticed this morning for a small amount of my posts with pictures, maybe 5-10%, the pictures were deleted or missing. Not sure if this is related to the incident.
Excellent, thanks for the quick response ruud and admins.
Thank you for taking the time to update this :) Hope everything will be sorted out without people being scared. As a layman, was any user data compromised?
Thanks all working again. Had to clear my browser cache in order to login again and had to resign in to memmy too.
I guess its early days for lemmy for incidents like this, fingers crossed something like this doesn't happen again :)
It's a nice reminder that those with the skills but not the bad intentions would be welcome to look through the source code for vulnerabilities and report/patch anything they might find. :)
It seems there is no way in Lemmy to invalidate all your session cookies? Without that, how can you secure an account which has a stolen session cookie?
I wasn't using webpage, I was only using mobile app (Connect). Could my coockie be also stolen that way or was that only possible on webpage?
A lot of images seems to be gone from posts in /c/pics is this related to the hack or the cleanup after?
I heard there was some sort of database rollback to an uncompromised snapshot.
I found this in my private messages, when an attack was happening I messaged the guy “are you ok” and he replied back to me with an image of my own message… I wonder if this was similar to what was done here? Was 8 days ago
Possible that they've had access for days, and different accounts were breached at different times.
No that was something else
Thanks for clarifying 🙏
So that banned troll is back? https://lemmy.world/u/LMAO
Congratulations everyone on the quick fix/mitigation!
Testing… I have to keep trying this because memmy is being a dick.
Poor beehaw.org is still down
Is it possible cookies for other websites were scraped? I was logged in to .world at the time; I have logged out of all accounts, and reset passwords as a precaution, but want to know if I should be on the lookout from this.
No, in general it's not possible because the code in a page cannot access cookies that are bound to other domains. It is only possible if the "other" site misconfigured its own cookies (which is really not likely for stuff you would care about).
I’ve been unable to login on desktop since this happened. Only been able to login via Memmy on IOS.
I put in my info and it kicks me back to the front page and doesn’t log me in.
I’ve tried clearing cache too
EDIT: Switching browser to Edge seemed to let me. Weird. Even reinstalled Firefox and still won't let me.
Thanks for the info, Ruud. I just put in for a monthly donation to you all -- I appreciate you.
What are the risks for people who use Jerboa for Lemmy? I logged put and back in and there doesn't seem to be any issues, so are the app users excluded from this?
Would it be a good idea to force a login if the users IP or device suddenly changes?
Had to re-login in the Connect app
I had an issue of being logged out of my account and could not log back in, after closing and reopening the site, closing browser, etc until I cleared my cookies, then it let me back in. If that helps anyone.
TY to everyone itt who commented on how to fix the 3rd party app issues.
I was panicking when liftoff went wonky
Seem to have a hard time loging in
Passwords were leaked?
I heard that some instances were defaced. Any examples of this? I wasn't online this noon so I never got to see any action.
Thanks for the quick reaction and TRANSPARENCY!!
Um, probably coincidence or a false posi, but malwarebytes is labeling lemmy.
worldtoday as being compromised / malicious when following external links, it's only popped up twice, but here's a slightly redacted log file:-Log Details- Protection Event Date: 7/10/23 Protection Event Time: 1:24 PM
-Software Information- Version: 4.5.33.272 Components Version: 1.0.2069 Update Package Version: 1.0.72209 License: Premium
-System Information- OS: Windows 11 (Build 22621.1928) CPU: x64 File System: NTFS User: System
-Blocked Website Details- Malicious Website: 1 , C:\Program Files\Google\Chrome Beta\Application\chrome.exe, Blocked, -1, -1, 0.0.0, ,
-Website Data- Category: Compromised Domain: lemmy.today
(end)
I hope devs will examine all parts of the code that display content to make sure proper sanitization
That explains why I had to clear my browser cache, I was unable to login until I did.
You guys are quick!
Not too promising, hopefully it's fixed quickly.
Damnit, spez.
I’d like to logout, then log back in, because I can’t upvote / downvote- how do I logout? I can’t seem to find a logout button.
I appreciate the transparency. Hopefully with more eyes on the source code hacks like this will not happen again.
Thank you for your fast answer!
It seems that I lost all my subs. There were not many but still annoying.
E: Still subbed but can't see those in Voyager.
I thought I’d lost mine too, and when I checked the community I wasn’t subbed. I could still view my profile, comments and posts though.
I cleared the cache, then tried to post here and it said I was logged out (even though I could see all my activity except subs). I couldn’t see any way to logout, so I edited my profile and re-entered my password then hit save. That seems to have fixed it, now I can post and my subs are back.
So that was why the logo and name was changed to israel. And for some reason getting redirected to a gif that was from lemmy
Hmm. Liftoff won't let me post but shows logged in and as a newbie be damned if I can find where to log out.
Should I change passwords or no?
May I ask was is the JWS coockinand if it is automatically changed or if we have to change it in a way?
Is a password change advised? How does the JWT cookie and exploit effect apps eg Jerboa?
You will have to login again for those apps. As far as we know, the exploit doesn't allow someone to actually steal your password directly, just the session you were logged into.
However, it is my personal opinion that you should change your password anyway out of an abundance of caution.
Good shit! Thanks for keeping things up and the pretty quick response as well.
Thanks for the quick response! This admin team rules!
Thanks for the post-mortem and the quick fix! Glad you guys around to help battle test Lemmy's code.
Occasional cookie deletions I understand, but will sign-ins persist in the future?
My main is locked up and it sucks, i hope this all gets fixed.
is that why I can't log into my lemmy.world account?
ok not a problem anymore. seems like I just had to clear my cache and it let me log in
I see you, Imposter.
thanks to admin team for resolving that quickly
Thanks to everyone involved for the quick response 👍
This seems way worse than they are making it sound.
Thanks for the update, I appreciate the transparency.
How are you preventing it to happen again until a patch is released from devs?
It's open source, they can just fix it themselves until it's released. :)
👍
Thanks.
Great job everyone! Keep it up! Love the transparency!
Is there a rough time range when it happened? and any news about other big instances like lemmy.ml? Are those safe? Currently they are not on the same version as lemmy.world.
2:11 UTC is my first record of the event taking place, but keep in mind the attacker could have injected code long before without noticeable impacts. There's no way to be completely certain they didn't steal tokens and access accounts before they made themselves known.
Is this why I had to sign in and out of my account on liftoff?
I couldn't comment untill I did that. There may be others!
I had a similar issue where my subscriptions were blank. A logout and re-login fixed it. Thanks.
Is that why Liftoff wasn't loading?
Still unable to log in. Is this everyone or just me?
Thanks for fixing it.
Maybe there needs to be a quick rundown how to actually log out and in on clients, seems you can't with jerboa without just wiping the app, and wefwef, you need to delete all accounts.
I see some instances are throwing server errors
Is this why Jerboa seems to not work any more? It keeps insisting I'm not logged in, when I am, showing me as anonymous, but also showing my profile details, not letting me interact with things, etc... It's been a big problem these past few days making Lemmy unusable :-(
Well done on acting on it so quickly. I think I did see some of the fake announcements you were referring too but were taken down very quickly. Keep up the good work team and thanks for everything you are doing!
Thanks for keeping us up dated!
Is this why I can't log in on Chrome? I switched to Firefox and it worked.
******* This happened to me, one of my posts had it's photo deleted (I didn't delete it), then when I replaced it, the next time I checked the entire post had been deleted.
Huh, i think i got lucky by forgetting that there is something i can consume other than youtube
I lost some of my post history. Is there a data issue that's come from this? Why are my comments gone?
If it is only recent post history, maybe it was purged along with many malicious comments/posts
I know but this was over a week of comments lost.
Because I am obsessed with bugles, any comment or post I make that does not manage to fit bugles in somewhere (because I always have room for bugles) will be an imposter!
Thank you for the transparency and keeping my nefarious bugle consumption private!
One of the reasons I used a throwaway email here.
Thanks for being open about this and quick to fix it!
Is that why I got logged off?
Yes.
Also it looks like some images from posts are kind of gone
Thank you. I’ll be changing my password.
Should apps have logged themselves out?
cool
I couldn't login last weekend, couldn't that be te reason
that is why I got logged off from my account this morning!! impressed by the rapid intervention!! Good job lemmy team!
Thanks for the quick response. Do we know if there was any data leak?
cool
So is it safe to log back in?
Yes
i checked it now and looks okay.. https://i.imgur.com/a95CO6o.png
EDIT: i was looking at the wrong page.. yeah i still see the same malicious picture on world - https://i.imgur.com/sJYoels.png
Had an issue at work not long ago involving stolen tokens and back then it looked as if the token was scraped along with a lot of other web traffic and then about 12 days later they gained access.
Luckily the tokens have been invalidated by updating the secret
Been busy for lemmy team lately hopefully it's not too much
I had to clear jerboa's app data so I could log in again. so strange
Thanks for the update. Can you update us on whether or not you are planning to block threads.net?
Does this have anything to do with the Wefwef app name change?