this post was submitted on 10 Jul 2023
5 points (72.7% liked)

Lemmy / Site Discussions


Last night the instance lemmy.world suffered a JavaScript injection attack. The attack set out to steal login cookies of users upon visiting infected threads, primarily targeting admins.

Potentially Affected Data

  • E-Mail address stolen and/or changed (if provided in user settings)
  • Password changed

Mitigations

Malicious comments have been replaced by a removal message. I have deployed the UI hotfix, and @ludrol@bookwormstory.social has deleted all Custom Emoji until it is clear whether those are safe to use. Additionally, all login sessions have been invalidated as a safety precaution, so any cookies that were stolen are now rendered useless.

Conclusion

So far it does not seem like this instance was affected.

If you are not using bookwormstory.social and your instance is not on UI version 0.18.2-rc.1, please be aware that you are likely still at risk of the attack; please check for any announcements from your instance administrators.

Details of the vulnerability are here

top 5 comments
[–] SJ_Zero@lemmy.fbxl.net 2 points 1 year ago (1 children)

Jeez, I just upgraded last night. Guess I'll be upgrading again!

[–] neshura 3 points 1 year ago (1 children)

Such is the life of server admins I guess 😅

[–] SJ_Zero@lemmy.fbxl.net 2 points 1 year ago

At least it's straightforward to do. At some point I may even automate the process like I have on my other instances.

[–] Deemo@lemmy.fmhy.ml 2 points 1 year ago (1 children)

lemmy.fmhy.ml web ui went down this morning (and is currently down).

Access via the Lemmy API using 3rd party apps isn't affected.

Do you think upon UI update the Lemmy password should be changed? (I use a unique randomly generated password for Lemmy.)

[–] neshura 2 points 1 year ago* (last edited 1 year ago)

There is no way for the attackers to have gained access to the passwords, so no, a new password won't be necessary.

Edit: if you feel safer that way, you can of course generate a new password but given the password handling as I understand it nothing short of a totally compromised server machine or a keylogger on your end should get your passwords exposed