this post was submitted on 10 Jul 2023
156 points (97.6% liked)


Discussion from here: https://lemmy.ml/post/1895271

Relevance: Infosec.pub may wish to consider defederation temporarily.

Temporary fix in place, but instances remain vulnerable. Post: https://lemmy.world/post/1290412

  • UPDATE 2:58 UTC the injected code was removed from the main page, but cleanup efforts are still underway.
  • UPDATE 3:11 UTC situation appears to be under control, but browse with caution.
  • UPDATE 3:35 UTC main page exploited again! Website is unsafe.
  • UPDATE 4:01 UTC reports coming in that other instances are getting owned. One report of comments trying to inject JavaScript into the page.
  • UPDATE 4:13 UTC XSS vulnerability in page sidebar is reported; relationship to the event is unknown.
  • UPDATE 7:17 UTC Root cause was identified a while ago.
[–] faebudo@infosec.pub 5 points 1 year ago* (last edited 1 year ago) (1 children)

According to one of the vuln posts, a redirect and cookie-stealing code was added as onload JS (it can even be seen in a screenshot).

Together with the JWTs that are valid for a year and non-revocable (https://github.com/LemmyNet/lemmy/issues/3364), that means if you logged in to or browsed an affected instance while logged in to it, the attacker got your account, and the only way to get it back is not in your hands but in the instance admins' (they have to delete all sessions from the DB).
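
As an added illustration of the point above (this is not code from Lemmy or from anyone in this thread): a token that is checked only for signature and expiry stays usable for its whole lifetime once stolen, whereas a server-side session table lets an admin invalidate every issued token at once, which is the "delete all sessions from the DB" step described. The minimal HS256 helpers, the `SessionStore` class, the `jti` claim and the one-year lifetime are assumptions made for the demo.

```python
"""Demo (not Lemmy's code): stateless JWT check vs. revocable server-side
sessions. Only the 'JWT valid for a year, non-revocable' problem and the
'purge all sessions from the DB' fix come from the thread; the rest is
assumed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-only-secret"   # constructed for the demo; never hardcode in real code
ONE_YEAR = 365 * 24 * 3600     # assumed lifetime, matching the thread's "valid for a year"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT encoder, standing in for a real JWT library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Stateless check: signature and expiry only. Returns claims or None.
    Nothing here can tell a stolen token from a legitimate one."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


class SessionStore:
    """Maps a token id (jti) to its user. Deleting the row revokes the token
    even though its signature and expiry would still pass verify_jwt()."""

    def __init__(self):
        self._sessions = {}

    def login(self, user: str, jti: str, lifetime: int = ONE_YEAR,
              now: Optional[float] = None) -> str:
        self._sessions[jti] = user
        exp = (now if now is not None else time.time()) + lifetime
        return issue_jwt({"sub": user, "jti": jti, "exp": exp})

    def purge_all(self) -> int:
        """The admin response after a cookie-stealing incident: drop every session."""
        count = len(self._sessions)
        self._sessions.clear()
        return count

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        claims = verify_jwt(token, now=now)
        if claims is None:
            return None
        # Revocation check: the token must still be present in the session table.
        if self._sessions.get(claims.get("jti")) != claims.get("sub"):
            return None
        return claims["sub"]


def demo() -> dict:
    """Walk through theft, then purge, a month later. Returns the outcomes."""
    t0 = 1_688_947_200                     # constructed: 10 Jul 2023 00:00 UTC
    a_month_later = t0 + 30 * 86400
    store = SessionStore()
    stolen = store.login("alice", "sess-1", now=t0)   # token an injected script could exfiltrate
    result = {}
    result["stateless_before_purge"] = verify_jwt(stolen, now=a_month_later) is not None
    result["stateful_before_purge"] = store.authenticate(stolen, now=a_month_later)
    result["purged"] = store.purge_all()
    result["stateless_after_purge"] = verify_jwt(stolen, now=a_month_later) is not None
    result["stateful_after_purge"] = store.authenticate(stolen, now=a_month_later)
    return result


if __name__ == "__main__":
    print(demo())
```

The stateless path keeps accepting the stolen token a month after the purge because nothing about the token itself changed; only the stateful path, which consults the session table, rejects it. A forced password reset, as mentioned later in the thread, does not help on its own unless it also clears that table or rotates the signing secret.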

[–] henfredemars@infosec.pub 2 points 1 year ago* (last edited 1 year ago)

Correct. We don't know for sure what the initial injection was, but they did manage to inject, and all the accounts will need their sessions purged, maybe a forced password reset as well.

EDIT: No longer correct -- the injection appears to have been through custom emojis in markdown; see GitHub for details.