this post was submitted on 10 Jul 2023
The Lemmy.world hack made a good opportunity to explore other instances out there. Found one based in my area. Back in action!

[–] [email protected] 2 points 1 year ago (1 children)
[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

From what I have read so far...

XSS injection in custom emojis.
Essentially, custom emojis used by instances could allow a malicious actor to execute arbitrary code on clients that saw the emoji (within the scope of the website).
There is speculation about links and other vectors, but those aren't clear yet. But the successful attacks have been tracked back to emojis.

The emojis aren't federated, so it would only affect users of that instance that viewed the emoji during the attack.

The injected script (as it was being executed as part of the client UI, thus trusted) had access to the client cookies for the instance.
It would steal the JWT tokens stored in the cookies and send them to a 3rd party site.

Tokens of Admins were then used by the attackers to deface the sites.

It's unclear what user data would have been vulnerable during this time - still being investigated.
There is a high likelihood that this is a GDPR reportable incident.

The fix is for admins to delete all custom emojis via the database, then rotate JWT secrets.
Rotating the secrets invalidates all users' JWTs, so everyone has to log in again. This also invalidates the stolen JWTs.
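The remediation described in the comment above (rotate the JWT signing secret so every previously issued token, stolen ones included, stops verifying), as an added example that is not code from Lemmy or from the commenter. It assumes HMAC-SHA256 (HS256) signed tokens and uses constructed sample claims and secrets; nothing here is taken from the actual incident.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the signature matches the current secret, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # reject alg confusion
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def rotate_secret() -> bytes:
    """A fresh 256-bit secret; after rotation, only tokens signed with it verify."""
    return secrets.token_bytes(32)


def demo() -> dict:
    # Constructed scenario: an admin token that an injected script could have exfiltrated.
    old_secret = rotate_secret()
    stolen = sign_jwt({"sub": "admin", "role": "admin"}, old_secret)
    new_secret = rotate_secret()  # the remediation step; every user must log in again
    return {
        "stolen_valid_before": verify_jwt(stolen, old_secret) is not None,
        "stolen_valid_after": verify_jwt(stolen, new_secret) is not None,
        "fresh_valid_after": verify_jwt(sign_jwt({"sub": "admin"}, new_secret), new_secret) is not None,
    }
```

Deleting the emojis removes the injection point; rotating the secret is what actually revokes tokens already in an attacker's hands, since the server cannot tell a stolen copy from the legitimate one.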