Critical Vulnerability Exploits Several Lemmy Instances

Lemmy.World and a handful of other Lemmy instances recently experienced an XSS incident which exposed user authentication cookies. The mechanism the exploit hinged on was a bug in Lemmy’s Markdown, allowing hackers to inject malicious javascript. Any part of the site that allowed users to enter markdown was affected. The delivery payloads appear to have been embedded in Custom Emoji, affecting anyone who viewed them in a post at the time.

A screenshot of code injection redirecting to Lemon Party. Credit: Max-P

Many of the affected instances were defaced, covered in offensive materials, or redirected to internet shock sites to harass users.

While we believe the admins accounts were what they were after, it could be that other users accounts were compromised. Your cookie could have been ‘stolen’ and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).

For this, you would have had to be using at that time, and load a page that had the vulnerability in it.

Ruud, admin of Lemmy.World

A security patch is already available. Admins are encouraged to rotate their JWT secret and remove affected content, so that their instances can continue operating normally.

Sean Tilley

Sean Tilley has been a part of the federated social web for over 15+ years, starting with his experiences with back in 2008. Sean was involved with the Diaspora project as a Community Manager from 2011 to 2013, and helped the project move to a self-governed model. Since then, Sean has continued to study, discuss, and document the evolution of the space and the new platforms that have risen within it.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button