this post was submitted on 10 Jul 2023
379 points (97.3% liked)

sh.itjust.works Main Community

7729 readers
1 users here now

Home of the sh.itjust.works instance.

Matrix

founded 1 year ago
MODERATORS
379
submitted 1 year ago* (last edited 1 year ago) by SimplePhysics to c/main
 

If you are a lemmy.world user, log out and log back in to clear cookies!

Last night, lemmy.world was compromised via an XSS vulnerability with custom emoji. Using this vulnerability, attackers took control of an admin account. The site redirected to mp4 files when logged in, and porn sites when not logged in. The issue was resolved by lemmy.world admins soon after it started, but the attacker regained control of the compromised admin account around ten minutes after resolution, redirecting users to the same mp4 files and sites. Soon after that, the site became inaccessable. The issue is currently resolved, and lemmy dev team has been notified of this vulnerability. sh.itjust.works will not be affected, as we do not have any custom emojis. If you own an instance with custom emojis, it is advised to remove these emojis and clear your cookies.

The following is the original post:

PSA: DO NOT ATTEMPT TO ACCESS LEMMY.WORLD, THERE MIGHT BE MALWARE

Lemmy.world member here. I created this account after .world started redirecting me to porn sites and odd mp4 files. We might want to defederate to limit the potential impact. Also, SJW might be affected by the same vulnerabilities as .world, so maybe the admins here should look at that.

Edit: ~~Situation seems to have stabilized. Some site icons aren't loading, but otherwise everything seems stable.~~ Read Edit2

Edit2: ~~HOLY SHIT ITS BACK~~ Read Edit3

Edit3: ~~lemmy.world is now down as of 10:56 PM CST (USA)~~ Read Edit4

Edit4: lemmy.world is now up, but serving an error as of 11:03 CST (USA) See a screenshot of this error. I also got logged out, hopefully it doesn't mean they just wiped the databases lol.

Edit5: Edit4 still applies, but I can now access lemmy.world via Memmy on my phone. Wefwef (Voyager now) does not work, however. Timestamp: 11:34 PM CST (USA)

Edit6: lemmy.world restored. Compromised admin account said something in a weird post. I'm going to bed now, my brain is play-dough rn. Will update you guys tomorrow morning.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

Spez is free to do whatever, but he was such an asshole about it. Especially when he lied about Christian Selig blackmailing him, and when Christian Selig gave the call as proof that he didn't, Spez tried to make him look the bad guy by accusing him of "leaking calls"... he even said before that he wouldn't charge for API in 2023 but then he made an abrupt announcement that he would in ONE MONTH, with high fees. Developers would need time to readjust their app to optimise the use of API calls and one month is not enough. Why can't Spez just be DIRECT that he wants to discontinue 3rd party apps? Why was he so wishy washy and vague instead of actually telling others what the hell he wants? Then he had some sort of fantasy where we are his "serfs"... which is kinda disgusting. Look man, I've only used 3rd party apps for a few months and could return to the official app with no difficulty, but I seriously don't like being under that person. At least on the Fediverse I can choose who my admin is. (Kbin btw)