Lemmy.world (and some others) were hacked

While I was asleep, apparently the site was hacked. Luckily, (big) part of the lemmy.world team is in US, and some early birds in EU also helped mitigate this.

As I am told, this was the issue:

  • There is a vulnerability which was exploited
  • Several people had their JWT cookies leaked, including at least one admin
  • Attackers started changing site settings and posting fake announcements etc

Our mitigations:

  • We removed the vulnerability
  • Deleted all comments and private messages that contained the exploit
  • Rotated JWT secret which invalidated all existing cookies

The vulnerability will be fixed by the Lemmy devs.

Details of the vulnerability are here

Many thanks for all that helped, and sorry for any inconvenience caused!

Update: While we believe the admins' accounts were what they were after, it could be that other users' accounts were compromised. Your cookie could have been ‘stolen’ and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).

For this, you would have had to be using lemmy.world at that time, and load a page that had the vulnerability in it.

CaptainProton,

Occasional cookie deletions I understand, but will sign-ins persist in the future?

TheFonz,

Seem to have a hard time logging in

luffyuk,

I’ve been struggling to login this morning.

hacktheegg,

Huh, i think i got lucky by forgetting that there is something i can consume other than youtube

dorumon,

Well that’s just great it really is a shame though how some people would actively want to ruin something free like this just because they can.

luffyuk,

“Some people just want to watch the world burn”

On a positive note. It’s much better that these things happen and vulnerabilities are discovered while we’re still a small-ish community.

CoffeeJunkie,

I was unable to log in, it looped me & said I logged in, but did not. I read this post, cleared my cache, and I was able to log in (and change my password).

avocado,

Test

MattGade,

I couldn’t login last weekend, couldn’t that be the reason

PolarBone,

I’ve been unable to login on desktop since this happened. Only been able to login via Memmy on iOS.

I put in my info and it kicks me back to the front page and doesn’t log me in.

I’ve tried clearing cache too

EDIT: Switching browser to Edge seemed to let me. Weird. Even reinstalled Firefox and still won’t let me.

subash,

cool

Logical,

Thanks for the update. Can you update us on whether or not you are planning to block threads.net?

zaggynl,

That explains why I had to clear my browser cache, I was unable to login until I did.

aussiematt,

It seems there is no way in Lemmy to invalidate all your session cookies? Without that, how can you secure an account which has a stolen session cookie?

ruud,

The ‘secret’ in the database was changed, causing all existing cookies to become invalid.

aussiematt,

Very good. I think a feature where a user can revoke all their cookie sessions is still worthwhile, and maybe I’ll look at raising a feature request for that, but it is good to know that cookies stolen during the recent hack have already been addressed.
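The two token points raised in this thread, that rotating the site-wide JWT secret invalidates every existing cookie, and aussiematt's wish for a per-user "revoke all my sessions" feature, can be shown in one small added example. This is not Lemmy's code: it assumes HS256-signed tokens carrying an `iat` (issued-at) claim, and a hypothetical per-user `sessions_valid_after` table that a revocation feature would maintain.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, user_id: int, issued_at: int) -> str:
    """Mint an HS256 JWT with the user id (sub) and issue time (iat)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": issued_at}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, sessions_valid_after: Dict[int, int]) -> Optional[dict]:
    """Return the claims if the token is still acceptable, otherwise None.

    Two independent ways a token dies:
      (a) the signature no longer verifies under the current secret, which is
          exactly what a site-wide secret rotation (the thread's mitigation) causes;
      (b) it was issued before the owner's per-account revocation timestamp
          (hypothetical sessions_valid_after table, keyed by user id), which is
          what a per-user "log out everywhere" feature would set.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    # Constant-time comparison; a tampered payload or a rotated secret fails here.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iat", 0) < sessions_valid_after.get(claims.get("sub"), 0):
        return None
    return claims


def demo() -> Dict[str, bool]:
    """Walk through rotation and per-user revocation; values are constructed."""
    old_secret = b"constructed-old-secret"
    new_secret = b"constructed-new-secret"
    no_revocations: Dict[int, int] = {}

    stolen = issue_token(old_secret, 42, issued_at=1000)       # cookie leaked via the exploit
    results = {
        "stolen_cookie_works_before_rotation": verify_token(old_secret, stolen, no_revocations) is not None,
        # Site-wide mitigation: rotate the secret, every existing cookie dies at once.
        "stolen_cookie_dead_after_rotation": verify_token(new_secret, stolen, no_revocations) is None,
    }

    # Per-user alternative: user 42 revokes sessions issued before t=2000;
    # user 7 is untouched, and a fresh login for 42 after that moment is fine.
    revoked = {42: 2000}
    fresh = issue_token(old_secret, 42, issued_at=3000)
    other_user = issue_token(old_secret, 7, issued_at=1000)
    results["per_user_revoke_kills_old_session"] = verify_token(old_secret, stolen, revoked) is None
    results["per_user_revoke_keeps_new_login"] = verify_token(old_secret, fresh, revoked) is not None
    results["per_user_revoke_spares_other_users"] = verify_token(old_secret, other_user, revoked) is not None

    # Swapping the payload (sub 7 -> sub 42) without the secret breaks the signature.
    h, _, s = other_user.split(".")
    _, forged_payload, _ = stolen.split(".")
    results["tampered_payload_rejected"] = verify_token(old_secret, f"{h}.{forged_payload}.{s}", no_revocations) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design point: rotating the secret is a blunt, global instrument (everyone is logged out, which matches the login trouble reported throughout this thread), while a per-user `sessions_valid_after` timestamp lets one account cut off its own stolen sessions without touching anyone else; a server can support both, checking the signature first and the timestamp second.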

wazoobonkerbrain,

IMPORTANT ANNOUNCEMENT: My account was not among those hacked. Any random bullshit appearing in my post/comment history was written by me.

evlogii,

🤣

Powof,

That’s something a hacker would say.

pascal,

That doesn’t surprise me. Especially the “homemade” instances. The documentation is severely lacking and I had to fix lots of stuff in the instructions with try&despair to make my instance run.

There’s not a great focus in security if your application starts with “step 1: install docker”

shadycomposer,

people often assume if they run their own instances it will be more secure. from one perspective it’s true: everything is in your own hands; from the other perspective, they are rarely capable of doing it correctly.
