While I was asleep, apparently the site was hacked. Luckily, a (big) part of the lemmy.world team is in the US, and some early birds in the EU also helped mitigate this.
As I am told, this was the issue:
- There is a vulnerability which was exploited
- Several people had their JWT cookies leaked, including at least one admin
- Attackers started changing site settings and posting fake announcements etc
Our mitigations:
- We removed the vulnerability
- Deleted all comments and private messages that contained the exploit
- Rotated JWT secret which invalidated all existing cookies
The vulnerability will be fixed by the Lemmy devs.
Details of the vulnerability are here
Many thanks for all that helped, and sorry for any inconvenience caused!
Update: While we believe the admins' accounts were what they were after, it could be that other users' accounts were compromised. Your cookie could have been ‘stolen’ and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).
For this, you would have had to be using lemmy.world at that time, and load a page that had the vulnerability in it.
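Added illustration (not Lemmy's code, and not part of the original post): a minimal HS256 JWT issuer/verifier that shows why rotating the signing secret invalidates every existing session cookie, legitimate and stolen copies alike, which is also why stale cookies had to be cleared before logging in again. The claims and secrets are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature, signing the first two parts with HMAC-SHA256."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes):
    """Return the claims if the signature was made with `secret`, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        given = _b64url_decode(sig)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None  # signed under a different (e.g. pre-rotation) secret
    return json.loads(_b64url_decode(payload))


def rotate_secret() -> bytes:
    """Fresh 256-bit secret: every cookie signed under the old one now fails."""
    return secrets.token_bytes(32)


def demo_rotation(old_secret: bytes, new_secret: bytes):
    # Constructed sample session cookie for an assumed admin account.
    cookie = issue_jwt({"sub": 1, "iss": "lemmy.world", "role": "admin"}, old_secret)
    before = verify_jwt(cookie, old_secret) is not None  # True: cookie accepted
    after = verify_jwt(cookie, new_secret) is not None   # False: rotation killed it
    return before, after


if __name__ == "__main__":
    print(demo_rotation(secrets.token_bytes(32), rotate_secret()))  # (True, False)
```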
One thing I don’t get. Custom emojis can only be created by an admin, but you’re saying an admin’s account here got compromised because of that and not the other way around. Does that mean that an evil instance set a custom emoji with the injected JavaScript and propagated it to the federated instances?
I see you, Imposter.
FYI: I had to clear my lemmy.world cookies in order to be able to successfully log back in.
(This was with Firefox)
(Edit: I also shift-clicked reload, which somebody pointed out does clean the cache for that page, so I also cleaned the cache).
The same thing was required with Vanadium. In the past, issues with the site only required clearing the cache. However, this one requires clearing the cache and cookies.
Clearing cache and cookies alone didn’t work for me, the login button just wasn’t working after I typed the password in. I ended up doing a password reset, opening the reset link in a private/incognito browser window and choosing a new password, and then my new password worked to log me in with my normal browser window.
I didn’t actually clean the cache, only the cookies.
Unless the force reload (i.e. pressing shift + clicking the reload icon) cleans the cache.
I actually tried the most minimal clearing possible (because having to re-login for all the other things in other pages and tabs on the browser is a PITA) and so only cleaned the cookies from the lemmy.world domain and then did a shift-reload of the lemmy.world page only.
Yeah, I think shift + refresh button clears the cache for that page. At least that’s my experience with web development
I had to do the same with Chrome. The past week was not enough, so I had to choose to clear all time.
deleted by creator
Despite the fact that Lemmy is a fairly new piece of software, which makes these issues more likely, I am really grateful for it being open source, and I really appreciate this level of transparency.
How do we know that this isn’t a fake announcement as well, trying to give us a sense of security???
Just kidding, thanks for letting us know! Thank god I haven’t been too active the last few days! Can’t afford my credentials being leaked, maybe I should be proactive and change my password anyways.
The hacker appeared to be the reigning (sic) “Spelling Be” champion of South Sudan.
How do we know this post isn’t fake? Perhaps it’s all part of the ruse.
How do we know you’re the real you? This all could be part of the plan!
Congratulations everyone on the quick fix/mitigation!
I had an issue of being logged out of my account and could not log back in, after closing and reopening the site, closing the browser, etc., until I cleared my cookies, then it let me back in. If that helps anyone.
Likewise. I tried to log in but nothing would happen. I had to clear out my browser cookies first.
I’m just glad the account isn’t gone completely.
I can’t log into my account anymore, this one is a new one I’ve just made. I tried to reset my password but nothing came in the mailbox. I can still see comments and posts from that account though.
It’s this one:
And I don’t know why but I can’t save the profile pic for this account.
Edit: Nvm, I used another email to sign up for Lemmy and forgot about it
You need to delete all cookies for lemmy.world in your browser, then log in again.
nvm, I used my other email for Lemmy and completely forgot about it :v , I can log back in now
I think I fucked up, I checked the 2FA on the new account but didn’t click on send 2FA code, now I can’t log back in to edit the comment
edit: I have another tab opened with that account and it’s still fine, I’ve just edited the comment
Excellent, thanks for the quick response ruud and admins.
Is this why I can’t log in on Chrome? I switched to Firefox and it worked.
No. This was during a pretty specific time yesterday night.
What time?
“Rotated JWT secret which invalidated all existing cookies” Could have a lasting effect on some accounts.
deleted by creator
Yah, I noticed my Lemmies auto-corrupted to Lemurs.
I don’t care. I’m keeping it.
Lemurs are cute.
auto-corrupted
Had to re-login in the Connect app
Interesting.
Attackers started changing site settings and posting fake announcements etc
So at least that wasn’t 100% malicious, otherwise they could’ve kept the vuln hidden and just collected data and whatnot.
On the other hand, who cared enough about Lemmy to hack it? Weird.
On the other hand, who cared enough about Lemmy to hack it? Weird.
This one: https://lemmy.world/u/LMAO
Wow … what a loser.
Why do those kinds of people exist? GET A F"+$+ LIFE
Why do those kinds of people exist?
Lack of friends compensated with an inflated sense of entitlement.