If you are a lemmy.world user, log out and log back in to clear cookies!
Last night, lemmy.world was compromised via an XSS vulnerability with custom emoji. Using this vulnerability, attackers took control of an admin account. The site redirected to mp4 files when logged in, and porn sites when not logged in. The issue was resolved by lemmy.world admins soon after it started, but the attacker regained control of the compromised admin account around ten minutes after resolution, redirecting users to the same mp4 files and sites. Soon after that, the site became inaccessable. The issue is currently resolved, and lemmy dev team has been notified of this vulnerability. sh.itjust.works will not be affected, as we do not have any custom emojis. If you own an instance with custom emojis, it is advised to remove these emojis and clear your cookies.
The following is the original post:
PSA: DO NOT ATTEMPT TO ACCESS LEMMY.WORLD, THERE MIGHT BE MALWARE
Lemmy.world member here. I created this account after .world started redirecting me to porn sites and odd mp4 files. We might want to defederate to limit the potential impact. Also, SJW might be affected by the same vulnerabilities as .world, so maybe the admins here should look at that.
Edit: ~~Situation seems to have stabilized. Some site icons aren't loading, but otherwise everything seems stable.~~ Read Edit2
Edit2: ~~HOLY SHIT ITS BACK~~ Read Edit3
Edit3: ~~lemmy.world is now down as of 10:56 PM CST (USA)~~ Read Edit4
Edit4: lemmy.world is now up, but serving an error as of 11:03 CST (USA) See a screenshot of this error. I also got logged out, hopefully it doesn't mean they just wiped the databases lol.
Edit5: Edit4 still applies, but I can now access lemmy.world via Memmy on my phone. Wefwef (Voyager now) does not work, however. Timestamp: 11:34 PM CST (USA)
Edit6: lemmy.world restored. Compromised admin account said something in a weird post. I'm going to bed now, my brain is play-dough rn. Will update you guys tomorrow morning.
What impact?
As long as you dont go on lemmy.world, it's not going to redirect you to all the stupid websites.
And I doubt whatever they're posting (if they're posting anything) is getting upvoted, so you won't see it anywhere else.
And where are you getting "malware" from?
People are acting like it's some crazy hack, and not the 4chan rejects from exploding heads finally guessing an admins password a week after they got defederated. And after all that time chasing the mailman, they had no idea what to do when they guessed it
But this does highlight an issue with instances. I doubt the handful of admins know each other. Like, maybe an email, but for the most part if shit like this happens during "off hours" it might be a while before the top admin even knows there's an issue
Could I get hacked or compromised or something just by lurking the website? I didn't notice the Israel stuff until a bit late
Password was randomly generated like 5f.4_0@3j&j so no common passwords