Tf happened to lemmy.world?

Vilian, 10 months ago

if you has account there, maybe, it depends how good is the cryptograph used in the lemmy.world, but if they got hacked, it’s means that others intances can too, so be sure to always have a different password for every account, and this is a rule to every account in the internet(you can use good and secure password manager)

AJ, 10 months ago

Everything can be hacked. In cyber security, it's "when, not if"

elscallr, 10 months ago

Yeah anyone not using randomly generated passwords at this point is just fucking up. I know exactly three of my passwords: the one for my email, the one for my password manager, and the one I'm likely to give out (streaming services and such). The worst anyone can do with the third is cancel my Disney+ or something, and it's really only given to my mom and sisters.

curiosityLynx, 10 months ago

Is salting password hashes so unknown that neither the lemmy devs nor the kbin dev(s?) have implemented it?

elscallr, 10 months ago

Well this was a JWT compromise, I think, but even still people use really bad passwords all the time. A salt is stored with the user record. The salt's job is to invalidate rainbow tables. If you have a collection of a million bad passwords you can check them all salted in a second or two. Obviously that'll depend on the hashing algorithm to an extent.

techno156, 10 months ago

Yes. They got hacked. An admin account got compromised, and the hackers exploited a bug in Lemmy-UI (the web site) that let them do things like redirect users to another site that let them run Javscript. It seems to have let them collect some user tokens from accounts, and access an admin account that way.

NotSteve_, 10 months ago

If there's a bug in the UI that allows this to happen, there's a bug in the backend too. It looks like they're working on both though

0xtero, 10 months ago (edited 10 months ago)

Looks like Lemmy code has a security vulnerability, persistent XSS, that allows injection of Javascript into the sidebar and comments. That allowed the attacker to force load NSFW content even after lemmy.world admins cleaned up the first attack.

There might have also been an admin account compromise at lemmy.world involved. Time will tell if these are related.

Edit: Looks like the injected JS code also steals login tokens from your browser, so that explains the admin compromise. Probably a good idea to not visit Lemmy sites for time being (or block Javascript in your browser, which is always a good idea).

therealpygon, 10 months ago

Gee, who could have thought that allowing html in posts could be bad idea? -Every developer that has ever looked a OWASP.

TheMadIrishman, 10 months ago

Looks like an admin got compromised. They are in the process of cleaning it up.

orientalsniper, 10 months ago

It did :(

JollyTheRancher, 10 months ago

Definitely looks like a hack. I'd imagine the code has an exploit that someone found

Vilian, 10 months ago

maybe?, but wihy others didn’t get hacked at the too?, maybe was social engineering, or the admin got their credentials compromised, we can’t be sure yet

Itty53, 10 months ago

Also just because you've installed an instance and it works doesn't mean job done. Could've been simply settings.

techno156, 10 months ago

Others did get hacked, or are vulnerable to it, but aren't big enough targets?

Beehaw is closed, so they would have had to have an existing account to exploit the same bug (or go through something like Kbin), and Lemmy.world is the biggest Lemmy instance.

greybeard, 10 months ago

Unfortunate if true. Although it is also possible an admin’s account was compromised. Would be far less worrying.

Ragnell, 10 months ago

It was a compromised admin. https://kbin.social/m/main@lemmy.ca/t/168212/Lemmy-world-is-compromised

MadCybertist, 10 months ago

It was an admin account that was compromised. No 2FA was required.