this post was submitted on 10 Jul 2023
197 points (98.5% liked)

Memmy - An iOS client for Lemmy

5074 readers
1 users here now

Download on the App Store

View on GitHub

Join the Discord

Code of Conduct

founded 1 year ago
MODERATORS
 

Note

This information is based off of early reports I have seen. I don't claim to know the extent to which any damage was done and as such recommend a password reset (two-factor authentication would not be of use if authentication tokens were compromised), but we do know that this was a Javascript injection.

Update

As of right now, it seems that the vulnerability should have only exposed JWTs, which have been invalidated by those instance administrators. I'd still recommend a password rotation just because, but you should be alright.

==========

With the recent Lemmy.world incident, I'd like to update you all. This vulnerability could not have affected you had you been using only Memmy while browsing. It was a Javascript injection, and as Memmy does not execute any Javascript, there is no attack surface here.

The only case where this could have affected you would be if you had been signed in to your account inside of the in-app browser or the default browser and opened one of these posts. That however would not be something with Memmy itself, but rather the accessing of the PWA.

Regardless, as we don't actually know what happened, I'd recommend changing passwords. If any JWTs were compromised during this, regardless of 2FA status these tokens could be used to authenticate with your account.

From what I have seen, this was an issue that was limited to Lemmy.world, as supposedly they were running a custom frontend build. Other than that, I don't know anything else.

Also, for the record, there is only one instance in this application where a webview is used, which is when viewing the terms of service which simply loads a local file from the app assets.

Any questions, I'll try to answer them but you'd be better off asking people more knowledgeable about the incident.

As always, this is a good time to go over your online security practices.

It is strongly recommended that you use a password manager such as Bitwarden or 1Password if you do not use one already. This can help prevent credential surfing if you have used the same password over many sites, preventing you from having several of your accounts breached from a single breach.

If you have used a password on Lemmy.world that you have used on other sites, you should change those other sites passwords immediately.

Email addresses may have been breached during the attack and this may result in increased spam and phishing emails. It is strongly advised that you throughly verify any emails that you receive after this, particularly ones relating to login requests, messages from banks or payment providers, such as PayPal or government institutions.

Thank you for using Memmy and stay safe!

top 42 comments
sorted by: hot top controversial new old
[–] [email protected] 17 points 1 year ago (2 children)

Is the attack ongoing still, or has it been patched?

[–] [email protected] 23 points 1 year ago

I don't have an answer to that. Lemmy.world is offline and lemmy.blahaj.zone is currently displaying a broken YouTube video. Other than that, I know nothing besides the chatter going on in the Lemmy Matrix.

[–] [email protected] 4 points 1 year ago

I think the safest approach right now is to stay off an instance that you have an account on, check for info in threads without being logged in or on instances you don't have an account on and wait until it seems things have been cleared up or your instance can verify that they're ok.

It seems people are zero-ing in on the problem, so it might not take long before instance admins can say whether their instances are fine or not.

[–] [email protected] 11 points 1 year ago* (last edited 1 year ago) (2 children)

As an aside to this, I noticed that I could no longer interact with posts including upvoting etc until logging out and logging back in. As the current version I am using doesn’t seem to have a “log out” button anywhere obvious, I tried changing the password to some nonsense in the “account setting” tab and pressing “save”. Naturally this resulted in an error. Re-entering the correct password again and pressing “save” seems to have fixed it for now.

edit: I just noticed I have to repeat this process every time the memmy app is closed out and re-opened, which is unfortunate.

edit 2: as pointed out by ktgd, afoutopatisa and others, there’s no need to enter nonsense and then your original password again, you can simply hit “save” in your original settings and refresh to achieve the same result

[–] [email protected] 6 points 1 year ago (3 children)

You should be able to click edit on the account and then hit save again. That will regenerate your login token. I didn’t need to touch the password field.

[–] [email protected] 4 points 1 year ago

Thanks for the tip, this worked

I could not figure out how to reset everything inside of Memmy for the longest time

[–] [email protected] 4 points 1 year ago

This needs to be pinned to the top of Memmy community! My Traverse tab was broken and I couldn’t upvote or comment. That’s all I had to do to fix it. Thanks

[–] [email protected] 3 points 1 year ago

Thanks for the tip! Tapping “save” did the trick.

[–] [email protected] 4 points 1 year ago (1 children)

This worked for me, but it is very unintuitive. Would be better to have an explicit logout option.

[–] [email protected] 1 points 1 year ago
[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (4 children)

Update: I was wrong. XSS was indeed the primary attack vector.

XSS was not the primary attack vector, it was just used to deface the site. Given what lemmy.world looks like right now, and how lemmy.blahaj.zone looked like without JS before the admins took back control, it is evident that the hackers were able to take control of the site on a database level. The magnitude and nature of changes are extremely unlikely to have been possible through the Lemmy API.

Password hashes are extremely likely to have been stolen, but luckily Lemmy has sane password storage practices (bcrypt at a difficulty setting of 12) so if your password is decently strong, it's incredibly unlikely to be compromised. Still, changing it is a good idea.

Furthermore, the site's JWT secret is stored in the database, so worrying about tokens is futile, the hackers can generate new ones on-demand. This will be the instances' jobs to sort out after they have taken back control.

[–] [email protected] 15 points 1 year ago (1 children)

Changing password is a good idea.

Changing it NOW is a bad one tho, we don't know what's going on on .world's side.

Unless of course, if we're talking about changing any other sites that use the same password, at which point: One, do that. Two, stop using the same password on more than one site. Time to get a password manager.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

Looks like things are back to normal.

[–] [email protected] 5 points 1 year ago (1 children)

Disagree on database level access. The token stealing code that transmits back to its mothership was injected through comments. I’ve already identified the ones that were propagated to my own instance.

[–] [email protected] 1 points 1 year ago

Hella interesting. Turns out you're right, which makes the damage they've managed to do to lemmy.blahaj.zone kinda crazy. I guess they must have pwned a head admin, because the site was empty, which I assumed couldn't have been done without DB level access.

[–] [email protected] 2 points 1 year ago (1 children)

I wish I knew what any of this meant. I don’t even know how to change my password

[–] [email protected] 3 points 1 year ago

To change your password, go to your profile settings and scroll to the bottom where it says create new password

[–] [email protected] 6 points 1 year ago (3 children)

I feel really stupid but how do you sign out of the app? I also cannot find create a new password like one user said under profile settings

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (3 children)

Don’t create a new password, just change whatever is currently in the password field on your account settings to something random and save it. It should say “invalid login” or something similar. Then just put in your actual password and save it again. That seemed to work for me.

edit: I just noticed I have to repeat this process every time the memmy app is closed out and re-opened, which is unfortunate.

edit 2: as pointed out by afoutopatisa and others, there’s no need to enter nonsense and then your original password again, you can simply hit “save” in your original settings and refresh to achieve the same result

[–] [email protected] 5 points 1 year ago

Same for me, hope this gets addressed soon

[–] [email protected] 3 points 1 year ago

I am hitting the same issue. Only on Memmy though so hopefully this can be resolved quickly.

[–] [email protected] 3 points 1 year ago (1 children)

You don't have to write a new password just hit Save with existing password, it will force a new login

[–] [email protected] 3 points 1 year ago

Very true, thanks for the update

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

You’re not stupid, there is no way to remove an account if you only have one account.

Delete and reinstall the app to logout.

[–] [email protected] 2 points 1 year ago

Thanks a lot

[–] [email protected] 3 points 1 year ago

I think to sign out you have to go to manage accounts and delete your account. The wording is a bit scary but it's just removing your user from memmy. The only issue (it might have just been me) is that the add account button wasn't working, so when I did this I had to reinstall the app to log back in.

[–] [email protected] 3 points 1 year ago

thanks for keeping us safe ❤️

[–] [email protected] 2 points 1 year ago (2 children)

Subscribed communities are not showing.

[–] [email protected] 2 points 1 year ago (1 children)

You need to sign back in. They invalidated all JWTs because of the incident last night. If you just "Edit Account" and enter your password again, you'll be fine.

[–] [email protected] 2 points 1 year ago

I only have one account so I couldn’t re-enter my password. I could hit “save” on the account info and that would fix it until I closed the app and opened it again, then I would have to do the same thing.

I just deleted the app and redownloaded and that seemed to fix it for good.

Thanks!

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Ugh, glad this is just a bug. I thought I lost all my subs!

Edit- I changed my password in browser, logged out and logged back in on Memmy and my subscriptions returned.

Additional update- got subs back, but commenting still not working and getting some errors with upvotes.

1 more update- seems like subscriptions disappeared again.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Just wanted to note that some things may be broken due to the invalid JWTs?

I started getting “Not logged in” errors shortly after the JWT reset. I assume because the app was still using the old (now invalid) JWTs. I tried clearing my cache, so the app would request a new (valid) JWT. I’m still getting the error on my lemmy.world accounts.

Next, I decided to try deleting the accounts from my app entirely. But when I try to disable the Push Notifications option prior to deleting, the app freezes on an infinite loading screen.

It may not be a huge issue since the Push Notifications are probably using the old JWTs. But wanted to point it out, since others may be dealing with the same thing.

[–] [email protected] 2 points 1 year ago (1 children)

Oh I had push notifications offline during the whole incident. Let me put them back up.

[–] [email protected] 1 points 1 year ago

🤦‍♂️ Thought it was me doing something wrong.

[–] [email protected] 1 points 1 year ago

I'm going to assume that since my account is on a different instance I'm good for now. I interact with a few lemmy.world communities but just posts/comments.

load more comments
view more: next ›