multiple lemmy instances are going down to a js injection or admin password hack
lemmy.world and lemmy.blahaj.zone got hacked, admins in sopuli.xyz should enforce 2fa for admins and possibly disable/ look into possible injections from the community sidebar
I just enabled 2-factor authentication because of this. Script-kiddies are not gonna capture this instance!
It's highly unlikely 2FA is enough to mitigate this kind of an attack. It's a security vulnerability in lemmy itself, and they are stealing your access token instead of trying to log in as you.
edit: People, please, no reason to downvote admin ACKs. Just means they've at least read the message, after that, it's their instance and they'll do as they see fit.
OK.
Did Sopuli have any custom emojis enabled? Based on what I read about the hack the vulnerability was linked with those as detailed here.
Nope, there are no custom emojis.
Thank you for answering!
Once this vulnerability gets fixed, I could make a thread to !meta@sopuli.xyz about suggesting custom emojis for Sopuli.
If they're stealing sessions that might not be enough. I saw some other mitigations discussed elsewhere.
Create new accounts & make them instance admin instead (they have to make a local comment to be made admin). Then remove your "browsing" accounts from admin group until patched.
So there's no risks for regular users if they get hacked? Asking for learning purposes.
Depends on the exploit really, but if they have admin access they have access to the info in your profile, so probably know your email address. I don't know enough about the backend infra to be sure, but I doubt Lemmy stores passwords in plain text in DBs, etc. and although they have admin access, they probably don't have access to the DB (again, a bit unfamiliar with all possibilities, but typically the DB is on a separate container/host/service independant of the frontend).
Does anyone have a link for details on the hack/exploit?
https://github.com/LemmyNet/lemmy-ui/pull/1897
Stealing intance admin auth tokens via cross site injection into custom emoji title.
Thanks for the explanation!