Critical Vulnerability Exploited on Several Lemmy Instances
Lemmy.World and a handful of other Lemmy instances recently experienced an XSS incident that exposed user authentication cookies. The exploit hinged on a bug in Lemmy's Markdown rendering, which allowed attackers to inject malicious JavaScript. Any part of the site that accepted user-entered Markdown was affected. The payloads appear to have been embedded in custom emoji, affecting anyone who viewed a post containing them at the time.
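As an added illustration (not Lemmy's own code, and the page does not say which emoji field carried the payload), this shows the pattern behind this class of bug: user-supplied custom-emoji fields interpolated into an `<img>` tag without escaping, beside a hardened renderer and a regression check that rejects any output carrying an event-handler attribute. The field names `image_url` and `alt_text` and the sample emoji are assumptions constructed for the example.

```javascript
// Added example, not Lemmy's code. Field names (image_url, alt_text) are assumed.

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: user-controlled fields pasted straight into markup, so a
// quote in alt_text ends the attribute and whatever follows becomes new attributes.
function renderEmojiUnsafe(emoji) {
  return `<img class="emoji" src="${emoji.image_url}" alt="${emoji.alt_text}" title="${emoji.alt_text}">`;
}

// Hardened pattern: every interpolated value is escaped, and the image source
// is restricted to http(s) so javascript: and data: URLs are dropped.
function renderEmojiSafe(emoji) {
  let url;
  try { url = new URL(emoji.image_url); } catch { return ""; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "";
  const alt = escapeHtml(emoji.alt_text);
  return `<img class="emoji" src="${escapeHtml(url.href)}" alt="${alt}" title="${alt}">`;
}

// Regression check for a renderer: the output must be exactly one well-formed
// <img> tag whose attribute names never start with "on". Attribute *values* may
// legitimately contain the text "onerror=" once escaped; only names matter.
function attributeNames(html) {
  const m = html.match(/^<img((?:\s+[a-z-]+="[^"]*")*)\s*>$/i);
  if (!m) return null; // not a single well-formed img tag
  return [...m[1].matchAll(/\s+([a-z-]+)="/gi)].map((x) => x[1].toLowerCase());
}
function hasEventHandler(html) {
  const names = attributeNames(html);
  return names === null || names.some((n) => n.startsWith("on"));
}

// Constructed sample: an emoji whose alt text tries to break out of the attribute.
const hostileEmoji = {
  image_url: "https://example.invalid/emoji/wave.png",
  alt_text: '" onerror="alert(1)',
};

console.log(renderEmojiUnsafe(hostileEmoji), hasEventHandler(renderEmojiUnsafe(hostileEmoji)));
console.log(renderEmojiSafe(hostileEmoji), hasEventHandler(renderEmojiSafe(hostileEmoji)));
```

The unsafe renderer emits a tag with two injected `onerror` attributes; the hardened one emits a single inert tag whose alt text is visibly escaped.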
Many of the affected instances were defaced, covered in offensive material, or redirected to internet shock sites to harass users.
While we believe the admins' accounts were what they were after, it could be that other users' accounts were compromised. Your cookie could have been ‘stolen’ and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).
For this, you would have had to be using lemmy.world at that time, and load a page that had the vulnerability in it.
Ruud, admin of Lemmy.World
A security patch is already available. Admins are encouraged to apply it, rotate their JWT secret (which invalidates any session tokens that were stolen), and remove the affected content, so that their instances can continue operating normally.