3290
Lemmy.world (and some others) were hacked
(lemmy.world)
This Community is intended for posts about the Lemmy.world server by the admins.
For support with issues at Lemmy.world, go to the Lemmy.world Support community.
Any support requests are best sent to info@lemmy.world e-mail.
If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.
If you can, please use / switch to Ko-Fi, it has the lowest fees for us
Do we have any details on how Michelle's account was compromised? Right now in the GitHub issue about the vulnerability they're clueless about how the custom emoji exploit could be performed without first an already compromised admin account.
EDIT: yeah here's how: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
You do NOT need an admin account to do that. Any normal user could have done that.
How? I kept trying it yesterday without any luck, even with manual POST requests. The markdown (at least in the comments) seems to be properly escaped.
I just figured out how: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
Yeah, an admin account is absolutely not necessary.
So, simply viewing a comment thread with a maliciously-altered emoji (on an unpatched instance) was enough to compromise your account?
Pretty much. The hacker sent me a DM with the emoji which contained the malicious code. All I did was open and read it. Iโm proud of the team that worked until 2 AM to not only revert the changes, but fix the exploit.
Damn. This is why Adkins should have separate admin tools that aren't part of there main Lemmy usage
yes: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
AlmightySnoo is posting in Github a lot. I'm assuming that the user above has been trying it on the older, unpacked, docker instance.
@AlmightySnoo Correct me if I'm wrong of course.