Lemmy.world (and some others) were hacked - Feddit UK
feddit.uk
While I was asleep, apparently the site was hacked. Luckily, (big) part of the lemmy.world team is in US, and some early birds in EU also helped mitigate this. As I am told, this was the issue: - There is an vulnerability which was exploited - Several people had their JWT cookies leaked, including at least one admin - Attackers started changing site settings and posting fake announcements etc Our mitigations: - We removed the vulnerability - Deleted all comments and private messages that contained the exploit - Rotated JWT secret which invalidated all existing cookies The vulnerability will be fixed by the Lemmy devs. Details of the vulnerability are here [https://lemmy.world/post/1293336] Many thanks for all that helped, and sorry for any inconvenience caused! Update While we believe the admins accounts were what they were after, it could be that other users accounts were compromised. Your cookie could have been ‘stolen’ and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail). For this, you would have had to be using lemmy.world at that time, and load a page that had the vulnerability in it.

So last night a XSS scripting attack was found on all Lemmy instances. See the lemmy world update here https://feddit.uk/post/453040

What this means is that hackers could inject their own “script” when any user viewed a comment/post that the hackers made. The hackers would then grab your JWT token with the script so they could impersonate that user. (And perform any actions on behalf of the user)

Luckily, it looks like I haven’t been compromised so the site config should all be the same

What has been done about this

I’ve removed any comments or posts which included the script see here https://github.com/LemmyNet/lemmy-ui/issues/1895

I would have removed all custom emojis as well but there was none in our DB, this may potentially mean that this site was not affected. Just in case, I’ve also rotated the JWT tokens so all tokens are now invalid. This means you will have to logout and log back into the instance

Shoutout to @clara@feddit.uk for messaging me about this and bringing it to my attention

  • Digestive_Biscuit
    5·
    1 year ago

    Great job!

    I don’t know if it’s related. Since today when I login to the Jerboa app then try to post or close/reopen the app my account for feddit.uk disappears from the app. I have to keep logging in.

    • SayCyberOnceMore
      2·
      1 year ago

      Just to say, mine seems ok after closing and reopening the app… but I’ll check again later.

    • fakeman_pretendname
      2·
      1 year ago

      You may need to clear the cache and data for Jerboa on your phone first, then log back in.

      • Digestive_Biscuit
        1·
        1 year ago

        Thanks for the tip. I just tried that, didn’t work. So I then I deleted all data and that did! It meant I had to login to all my accounts again but it seems to be working.