While I was asleep, apparently the site was hacked. Luckily, (big) part of the lemmy.world team is in US, and some early birds in EU also helped mitigate this.
As I am told, this was the issue:
- There is a vulnerability which was exploited
- Several people had their JWT cookies leaked, including at least one admin
- Attackers started changing site settings and posting fake announcements etc
Our mitigations:
- We removed the vulnerability
- Deleted all comments and private messages that contained the exploit
- Rotated JWT secret which invalidated all existing cookies
The vulnerability will be fixed by the Lemmy devs.
Details of the vulnerability are here
Many thanks for all that helped, and sorry for any inconvenience caused!
Update: While we believe the admin accounts were what they were after, it could be that other users' accounts were compromised. Your cookie could have been ‘stolen’ and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).
For this, you would have had to be using lemmy.world at that time, and load a page that had the vulnerability in it.
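One way to see why rotating the JWT secret invalidated every existing cookie, as an added example that is not part of the original post or of Lemmy's own code: a minimal HS256 issuer and verifier in Python. It assumes HS256 signing and a random 32-byte secret; Lemmy's real token format, claim names and rotation mechanics are not reproduced here. A token minted under the old secret, including one an attacker captured from a cookie, fails signature verification under the new secret, so a single rotation logs every session out at once without needing to know which cookies leaked.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # Re-add the padding that _b64url stripped.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Mint an HS256 JWT over `claims` with `secret` (assumed scheme)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str):
    """Return the claims if `token` is validly signed by `secret` and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never trust the header to choose it for you.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] < time.time():
        return None
    return claims


def rotate_secret() -> bytes:
    """Generate a fresh 32-byte signing secret (assumed size)."""
    return secrets.token_bytes(32)


def rotation_invalidates_captured_token() -> bool:
    """Model the incident: a cookie captured under the old secret is useless after rotation."""
    old_secret = rotate_secret()
    # Constructed sample: a long-lived admin session token an attacker managed to copy.
    captured = issue_token(old_secret, {"sub": "admin", "iat": int(time.time())})
    valid_before = verify_token(old_secret, captured) is not None
    new_secret = rotate_secret()  # the mitigation from the post
    valid_after = verify_token(new_secret, captured) is not None
    return valid_before and not valid_after


if __name__ == "__main__":
    print("captured token rejected after rotation:", rotation_invalidates_captured_token())
```

The cost of this approach is that legitimate users are logged out too, which is exactly the trade-off the post describes: when you cannot tell which sessions were stolen, invalidating all of them is the only complete answer.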
That doesn’t surprise me. Especially the “homemade” instances. The documentation is severely lacking and I had to fix lots of stuff in the instructions with try&despair to make my instance run.
There’s not a great focus on security if your application starts with “step 1: install docker”
Thanks for keeping us updated!
Excellent, thanks for the quick response ruud and admins.
Thanks for the great work. The response time was awesome, considering you were asleep as well.
Good thing we all use randomly generated passwords for every account and always remember to change them every few months.
Thanks for the quick response. Do we know if there was any data leak?
lemmy explorer still acting kinda funny, not sure who is the person in charge to inform
i checked it now and looks okay… https://i.imgur.com/a95CO6o.png
EDIT: i was looking at the wrong page… yeah i still see the same malicious picture on world - https://i.imgur.com/sJYoels.png
i cleared cache still the same lol
Thanks for the transparency.
Here’s a relevant post that talked about this with @[email protected] I think is worth looking into for anyone curious what exactly happened.
https://sh.itjust.works/post/923025
please don’t visit the legal section of the website or anything confirmed compromised if anything.
Passwords were leaked?
Thanks for the work. As a heads up it appears most of the block instances are back however I believe explodingheads is still missing which you may want to confirm.
EDIT: it has been added back to the block list.
Hey how do you check on that?
As of the time of me posting this comment, exploding heads is appearing in my feed with some anti lgbt posts. Idk what’s going on because I’m pretty sure they’re supposed to be defederated currently
Once again, thank you guys for all that you do. As many other people are saying, appreciate the transparency about these things.
see the GitHub repo, it’s new
Concerns were posted a few days ago, but no POC that used the exact same attack as we saw here. Basically, there were some warnings, and work was underway that would have prevented this, but it was not done fast enough. There is a patch now, that will take a while to roll out, plus a renewed focus on general and related issues.
It’s not fixed yet in the current version
Thanks for the transparency. Was having issues with Lemmy, now everything seems back to normal. Got a question: just to add an extra layer of security, do I need to use Tor or a VPN with Lemmy?
This is really good to see such transparency from admins