submitted 1 year ago by [email protected] to c/[email protected]

lemmy.world and lemmy.blahaj.zone got hacked; admins of sopuli.xyz should enforce 2FA for admins and possibly disable / look into possible injections from the community sidebar

[-] [email protected] 19 points 1 year ago* (last edited 1 year ago)

I just enabled 2-factor authentication because of this. Script-kiddies are not gonna capture this instance!

[-] [email protected] 9 points 1 year ago* (last edited 1 year ago)

It's highly unlikely that 2FA is enough to mitigate this kind of attack. It's a security vulnerability in Lemmy itself, and they are stealing your access token instead of trying to log in as you.

edit: People, please, no reason to downvote admin ACKs. Just means they've at least read the message, after that, it's their instance and they'll do as they see fit.

[-] [email protected] 6 points 1 year ago
[-] [email protected] 3 points 1 year ago

Did Sopuli have any custom emojis enabled? Based on what I read about the hack the vulnerability was linked with those as detailed here.

[-] [email protected] 3 points 1 year ago

Nope, there are no custom emojis.

[-] [email protected] 3 points 1 year ago
[-] [email protected] 1 points 1 year ago

Once this vulnerability gets fixed, I could make a thread to [email protected] about suggesting custom emojis for Sopuli.

[-] [email protected] 7 points 1 year ago

If they're stealing sessions that might not be enough. I saw some other mitigations discussed elsewhere.

[-] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Create new accounts & make them instance admin instead (they have to make a local comment to be made admin). Then remove your "browsing" accounts from admin group until patched.

[-] [email protected] 9 points 1 year ago

So there are no risks for regular users if they get hacked? Asking for learning purposes.

[-] [email protected] 4 points 1 year ago

Depends on the exploit really, but if they have admin access they have access to the info in your profile, so they probably know your email address. I don't know enough about the backend infra to be sure, but I doubt Lemmy stores passwords in plain text in DBs, etc., and although they have admin access, they probably don't have access to the DB (again, a bit unfamiliar with all possibilities, but typically the DB is on a separate container/host/service independent of the frontend).

Does anyone have a link for details on the hack/exploit?

[-] [email protected] 4 points 1 year ago* (last edited 1 year ago)

https://github.com/LemmyNet/lemmy-ui/pull/1897

Stealing instance admin auth tokens via cross-site injection into the custom emoji title.
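The sink described in the comment above, as an added JavaScript example that is not lemmy-ui's code and not the fix in the linked PR: a renderer that interpolates an admin-supplied emoji title straight into markup, beside one that output-encodes it, with a read-back check showing how a plain double quote in the title terminates the attribute. The emoji record shape and all helper names are assumptions made for this example.

```javascript
// Added example (not lemmy-ui's code): why an unencoded custom-emoji title
// is an HTML-injection sink, and the output encoding that closes it.
// Note that no login-time control, 2FA included, affects this class of bug:
// injected script runs inside an already-authenticated admin's browser.

// Constructed custom-emoji record; the field names are assumptions.
// Ordinary HTML metacharacters are enough to show the problem.
const constructedEmoji = {
  shortcode: "wave",
  imageUrl: "https://example.invalid/wave.png",
  title: 'Say "hi" & <wave>',
};

// Vulnerable renderer: the title lands in the markup verbatim, so the first
// double quote ends the title attribute and the remainder becomes new markup.
function renderEmojiUnsafe(emoji) {
  return `<img class="emoji" src="${emoji.imageUrl}" title="${emoji.title}" alt="${emoji.shortcode}">`;
}

// Encode the five characters that change meaning inside an HTML attribute
// or text node (the usual output-encoding rule for HTML contexts).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: every admin-supplied field is encoded, and the image
// URL must be http(s) so the src attribute cannot carry a script URL either.
function renderEmojiSafe(emoji) {
  const url = String(emoji.imageUrl);
  if (!/^https?:\/\//i.test(url)) {
    throw new Error("emoji image URL must be http(s)");
  }
  return `<img class="emoji" src="${escapeHtml(url)}" title="${escapeHtml(emoji.title)}" alt="${escapeHtml(emoji.shortcode)}">`;
}

// Read the raw title attribute back the way a tokenizer would: up to the
// next double quote. A truncated value means the title broke out.
function rawTitleAttribute(html) {
  const m = /\stitle="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Decode the entities escapeHtml emits (ampersand last, so nothing is
// decoded twice); used to confirm the safe form round-trips exactly.
function decodeHtml(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}
```

Running `rawTitleAttribute` over both renderings makes the difference concrete: the unsafe form keeps only `Say ` as the title, while the safe form decodes back to the original string with no raw angle brackets in the markup.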

[-] [email protected] 1 points 1 year ago

Thanks for the explanation!

this post was submitted on 10 Jul 2023
53 points (100.0% liked)

Sopuli's Default Community


Community for all jibber-jabber. As this is a hard-coded community for every instance, we may get this doing something useful.

Simple test posts to [email protected]

Meta-discussion regarding the instance and support in problem situations [email protected]

