1y ago

Lemmy.world (and some others) were hacked

While I was asleep, apparently the site was hacked. Luckily, (big) part of the lemmy.world team is in US, and some early birds in EU also helped mitigate this.

As I am told, this was the issue:

There is an vulnerability which was exploited
Several people had their JWT cookies leaked, including at least one admin
Attackers started changing site settings and posting fake announcements etc

Our mitigations:

We removed the vulnerability
Deleted all comments and private messages that contained the exploit
Rotated JWT secret which invalidated all existing cookies

The vulnerability will be fixed by the Lemmy devs.

Details of the vulnerability are here

Many thanks for all that helped, and sorry for any inconvenience caused!

Update While we believe the admins accounts were what they were after, it could be that other users accounts were compromised. Your cookie could have been 'stolen' and the hacker could have had access to your account, creating posts and comments under your name, and accessing/changing your settings (which shows your e-mail).

For this, you would have had to be using lemmy.world at that time, and load a page that had the vulnerability in it.

733 comments

Very impressed by how quickly action has been taken by this and other instances to patch the issue.
- Very, seems like great work.
- Hijacking the top comment to say I had problems with logging in to Lemmy.world today and liftoff was failing in odd ways.
  I had to go into my web browser and clear my site cookies for lemmy.world to let me log in there.
  In liftoff I had to go into the app settings in android to clear the cache and then remove and re-add my account for it to be able to log me in. (Press and hold on the account to remove it)
  
  I’m on iOS with the Memmy app. It’s a work in progress that’s officially unfinished so I’m not surprised but it has also been a bit buggy. Doesn’t seem that I can log out without deleting and reinstalling the app so hopefully this doesn’t happen too often XD
  
  thanks for posting this, I wouldn't have figured that out lol
  
  Oh, I was wondering why it was showing me as logged in but wouldn't let me upvote due to not being logged in. Your liftoff psa just cleared that right up for me, thanks!
  
  In liftoff I had to go into the app settings in android to clear the cache and then remove and re-add my account for it to be able to log me in. (Press and hold on the account to remove it)
  Good PSA. It took me a bit to figure it out, the app doesn't make this obvious.
  
  Thank you so much. I was having the same issue with the website and PWA. Clearing site settings worked perfectly.
  
  How have I never thought of comment hijacking?!
- uh, why did you have negative one dislike?
  
  Negative one upvotes would mean that enough people disliked me/another poster to bring my upvote total to zero. (Upvotes and likes are effectively the same thing, it’s just a naming convention). Reddit totals them up and seemingly Lemmy does as well.

I wish hackers would invest their time in clearing credit card debt, deleting hospital fees, or something else that actually serves the public good, instead of hacking ordinary people just trying to get by.
- Deleting hospital fees/debt is very dangerous... In many HUGE regions in the US there's only one hospital and if that hospital suddenly can't pay its bills it could shut down, leaving a whole lot of completely innocent people in a very sad, people-are-dying sort of state.
  In fact, something like this already happened:
  https://www.cbsnews.com/chicago/news/st-maragrets-health-central-illinois-hospital-closing/
  Hospitals are special in that they're often evil organizations (not all though) that are some of the easiest to hack but also provide critical services to the most vulnerable. One should tread lightly. Political solutions are better (hack some politicians that are against healthcare reform instead).
  Clearing credit card debt via hacking is nearly impossible but I agree it would be a much more ethical choice for hackers to target. I used to work for the credit card industry. My unique insider perspective, deep industry knowledge, and personal experience is here to let you know they suck. They are just as evil and unethical and unnecessary as everyone thinks they are! Seriously: If Visa, MasterCard, American Express, and all the lesser players suddenly disappeared the world would be a better place.
  Before that can happen though people need a backup payment method that doesn't go through their systems and no: Cash won't work (there's not enough in circulation and it's dangerous to carry large amounts of it). The credit card companies know this threat exists which is why they lobbied Florida (and probably other states) to outlaw alternative, government-run forms of payment (e.g. central bank currency).
  As soon as people have a widely accepted payment option that doesn't go through Visa and MasterCard's middlemen (e.g. First Data) then hackers can take their gloves off! Until then though... Let's keep the payment infrastructure working, OK? Thanks!
  There's no limit to the amount of good deeds hackers can do though. So let's encourage that! For example, there's plenty of cartels and evil religious organizations (e.g. Taliban, ISIS, Mormon Church, Prosperity Gospel scam artists) that have plenty of money to spare and enormous attack surfaces 👍
  
  Hospitals are special in that they’re often evil organizations
  Just want to state the obvious and say, this is pretty much only the case in the US.
  
  I think the alternative payment systems in the developing countries are actually good. UPI in India is very utilitarian. China also has the wechat thing. I guess the issue with these are that they are not universal and limited to a single country.
- Considering some of the targeted instances and the stuff they left behind, it was likely some nazi.
- “Marty we started this journey together!”
  “It was a prank, Cos’!”
- Ribbit
- clearing credit card debt, deleting hospital fees, or something else that actually serves the public good,
  Inflation does very clearly not serve the public good. That aside, causing havoc in banks and medical institutions would have other unpleasant effects.
  
  How about cleaning the bottom 10%'s debt, with the earings from one week of the top 0.1%?
  
  !badeconomics@lemmy.world

Thanks Ruud for fixing it! Just a reminder guys that If you are using a third party app you need to login again.
- Thank you.
  In case anyone else is having trouble logging in, my password wasn't working so I had to reset it from the website.
  
  So now I can log in via a 3rd party app but not the website (with the new password that I reset via the website.)
  I'm currently posting from the 3rd party app. Digging around to try and find 2FA settings for Lemmy.
- Further 3rd party heads up -- for us nontech refugees:
  If it looks like you are logged in, you may not be. I use Connect, and at your reminder, I clicked my acct and it says I was logged in. I tried to comment that Connect login was working, and my comment didn't show up.
  I tried again, only to see an ”error: not logged in” message pop up.
  Signed out, signed in again manually, and all is well.
  So do a double check, Lemurs. Trust in your actions, not your eyes.
  
  Can confirm. Was like: “Memmy is fine!” — **Narrator:**nope. It was not.
  
  Thanks for the info! Here is my test to see if I'm actually logged in.
- For capable people this is a minor annoyance but whenever there’s an “everyone needs to login again” issue, we will lose mere mortal users. In this case it wasn’t even clear that was needed - I appeared to be logged in but nothing worked. Ordinary users give up over things like this. I’ve seen it happen many times on sites where I had access to the analytics. I hope we regard this as a really bad thing to be avoided at all costs and not a “no big deal, just log in again.” Easy for you, easy for me, many others will just bail.
- Thanks for the heads-up.
- Thank you!
- Thanks for the heads up. I was starting to get frustrated with not being able to upvote/downvote/subscribe/comment, but logging in again seems to have done the trick. Also, this is my first ever comment on Lemmy. Hooray.
  EDIT: for anyone using Memmy on IOS, this might not be the only solution, but it is what worked for me - I didn’t see an option to sign out anywhere, so I went to the account settings and added a new account, putting in the details for my current and only account. Weirdly, this made my account show up as 2 separate accounts, which made the “delete account” button appear. I clicked delete on one of them and was immediately sent to the login screen. I logged back in from there and now things work fine.

what steps are being taken to ensure it doesn't happen again? was any personal data compromised for users?
- Good point, I'll update the post.
  
  Also I am curious, what's the easiest way to currently reach the admins in case this happens again somehow? Two of them on their account have been seemingly inactive for a month and as per your own statement you rarely check your notifications and dms. Is there a discord somewhere for it?
  
  So all our cookies are negated now with the JWT changed, and we just needed to login again? Can attackers have stolen our cookies in order to use our accounts to post as if it was us? I'm sure they were only interested in admin cookies, so most others were "useless" to them? I see nothing wrong with my posts so I should be safe, right?
  
  Nice work on the recovery, especially from a 0-day.

IMPORTANT ANNOUNCEMENT: My account was not among those hacked. Any random bullshit appearing in my post/comment history was written by me.

First - really good summary and sounds like everyone is working hard.
Cross posting the below comment.
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
There are other types of reportable breaches too, I only mention data as it sounds most likely. You may or may not be subject to PECR which may also have been breached although less likely. I don’t really have enough familiarity with the regulation to discuss that one.
If you are not sure if there has been a breach you may also need to discuss it with the relevant body or make a report.
Please can you update what action you have taken regarding this and if the incident was reportable or not and the reasons why. Edit - from that new information, it sounds like this is a reportable breach.
For a full understanding, it would be good to know if you had 2FA enabled on the compromised account particularly as it had admin privileges and if so how 2FA was circumvented with this exploit.
It would also be good to know what measures you have in place to prevent the same or other malicious attempts on your Open Collective and Patreon accounts as issues with those are potentially more serious. They may not be vulnerable to this, but it is going to be reassuring to know there is good security practice, 2FA protection etc enabled and you have robust procedures in place.
- Thanks for the info. We're looking into this.
- If a valid browser token gets stolen like in this case, then MFA won't do much good because the stolen token will already have been authenticated. Linus Tech Tips experienced the same thing recently, you can check out their channel.
  
  That makes sense, thanks so much - there's a few good explanations here which really help! Would it be right in saying that all affected servers should be logging off all users - some have but not sure if all.
- Out of curiosity, where would the regulators go for a case like this? There's no "company" running it per. se.
  
  It seems the general consensus is GDPR applies even to OSS non company entities, but it would appear that there's very little being done to honor it.
  https://www.zwilnik.com/better-social-media/activitypub-conference-2019/oss-compliance-with-privacy-by-default-and-design/#:~:text=Although%20GDPR%20directly%20applies%20only,sysadmins%2C%20including%20in%20the%20Fediverse.
  This article outlines Fediverse and responsibilities, I think it mostly requires someone to file a lawsuit before there's any action.
  In another case a man had cameras in his back yard that could also see a public area and was fined and forced to move them.
  https://www.termsfeed.com/blog/gdpr-exemptions/
  Mainly it just seems to be fodder to be used in lawsuits to make people comply with others security wishes. Not certain how all that works since cities are covered in public cameras.
  
  I am not sure how a platform like this will work with GDPR - each server will be responsible themselves, but how it works with the flow of data between servers and who the regulators would have cases against - I think that is to be tested at some point.
  
  They will go after a person instead.
- Can 2FA be enabled for all users? I don't see the link to activate it after saving.
  edit
  Yeah, this doesn’t work at all. The apps don’t open links anymore. I tried some github site that reads the link and generates a QR, but the codes don’t work. This is a complete waste of time.
  
  Just reload the settings page after saving and you'll see the activation link. Just now enabled 2FA for my account.
- Just curious if you turn yourself in to police everytime you speeding.
  
  This is not about turning you in, this is about protecting your users who all possibly just became victims of a crime, and for good reasons it's not fully upon you to decide whether the possible consequences of this are serious for those users.
  
  It's more that many people expect those handling their data to be seen to follow the correct procedures and be trusted to handle the data in a fair, transparent, safe and secure way - and in addition to protecting their users, companies are probably encouraged to abide by the regulations because it is very easy for anyone to report where they think action needs to be taken, and regulatory bodies may be more lenient where correct process has been followed.
  If I chance a speeding or parking ticket I can't be fined nearly 20 million pounds, although I wouldn't trust some parking companies not to try it! (I'm not saying that would be the case in this instance.)
  https://gdpr.eu/fines/

Thanks for letting us know - this is the kind of transparency that I wish the world had more of!

So what happened:
Someone posted a post.
The post contained some instruction to display custom emoji.
So far so good.
There is a bug in JavaScript (TypeScript) that runs on client's machine (arbitrary code execution?).
The attacker leveraged the bug to grab victim's JWT (cookie) when the victim visited the page with that post.
The attacker used the grabbed JWTs to log-in as victim (some of them were admins) and do bad stuff on the server.
Am I right?
I'm old-school developer/programmer and it seems that web is peace of sheet. Basic security stuff violated:
User provided content (post using custom emojis) caused havoc when processing (doesn't matter if on server or on client). This is lack of sanitization of user-provided-data.
JavaScript (TypeScript) has access to cookies (and thus JWT). This should be handled by web browser, not JS. In case of log-in, in HTTPS POST request and in case of response of successful log-in, in HTTPS POST response. Then, in case of requesting web page, again, it should be handled in HTTPS GET request. This is lack of using least permissions as possible, JS should not have access to cookies.
How the attacker got those JWTs? JavaScript sent them to him? Web browser sent them to him when requesting resources form his server? This is lack of site isolation, one web page should not have access to other domains, requesting data form them or sending data to them.
The attacker logged-in as admin and caused havoc. Again, this should not be possible, admins should have normal level of access to the site, exactly the same as normal users do. Then, if they want to administer something, they should log-in using separate username + password into separate log-in form and display completely different web page, not allowing them to do the actions normal users can do. You know, separate UI/applications for users and for admins.
Am I right? Correct me if I'm wrong.
Again, web is peace of sheet. This would never happen in desktop/server application. Any of the bullet points above would prevent this from happening. Even if the previous bullet point failed to do its job. Am I too naïve? Maybe.
Marek.

Damn, I go to bed early and I miss everything! Thanks for the quick resolution and transparent disclosure, this place is great!

Thank you for your work 🙏

This is really good to see such transparency from admins

Love the transparency!

Good thing we all use randomly generated passwords for every account and always remember to change them every few months.

Can we get another admin to sign off on this being authentic? In other words, short of a signed GPG signature how do we trust announcements after a breach where admin accounts are compromised?
- Good point. I did post about this on Mastodon @mwadmin@mastodon.world
  
  Thanks for the reply!

So thats why MalwareBytes gave me this message yesterday.
- Wow that's cool. How did malwarebytes know the website was compromised ?
  
  I think it sees that the browser is trying to execute code that is suspicious (the payload of the XSS was pretty obvious).
  
  probably looking for obvious patterns like "onload="... in image and link tags, because an onload event handler would usually never be put in those tags otherwise so the only plausible explanation is that it's a XSS attack
  
  I wish I knew. I tried logging into Lemmy yesterday and I was kept giving this message. I thought it might be relevant and saved this snip. I am only about to post this pic now. I did whitelist Lemmy on Malwarebytes after as well.
- Interestingly, here is a log when browsing Lemmy over the last week or so.
  Believe the derp.foo and .today are both federated instances. Don't know what the other rows are.
  
  Admin of derp.foo here. My best guess is Hetzner gave me an IP that had been used to host a botnet C&C before. As a precaution I switched to a new VPS; please contact me via matrix at @irdc:tchncs.de if the problem persists.

Thanks for the work. As a heads up it appears most of the block instances are back however I believe explodingheads is still missing which you may want to confirm.
EDIT: it has been added back to the block list.
- Hey how do you check on that?
  As of the time of me posting this comment, exploding heads is appearing in my feed with some anti lgbt posts. Idk what’s going on because I’m pretty sure they’re supposed to be defederated currently

the details of the vulnerability are already known now anyway since there's a fix that was proposed on the Lemmy GitHub so I don't think it will hurt others to talk about it
- Could you please link the issue? Thanks!
  
  https://github.com/LemmyNet/lemmy-ui/pull/1897/files found it myself

FYI: I had to clear my lemmy.world cookies in order to be able to successfully log back in.
(This was with Firefox)
(Edit: I also shift-clicked reload, which somebody pointed out does clean the cache for that page, so I also cleaned the cache).

How do we know that this isn't a fake announcement as well, trying to give us a sense of security???
Just kidding, thanks for letting us know! Thank god I haven't been too active the last few days! Can't afford my credentials being leaked, maybe I should be proactive and change my password anyways.

Thank the heavens the meme community stayed safe through this without my daily dose of cybersecurity memes idk how I would function ;)

Do we have any details on how Michelle's account was compromised? Right now in the GitHub issue about the vulnerability they're clueless about how the custom emoji exploit could be performed without first an already compromised admin account.
EDIT: yeah here's how: https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1629326627
You do NOT need an admin account to do that. Any normal user could have done that.

Hopefully with more attention on the source code scary hacks like this doesn’t happen again.

Had to clear my browser catch to log in, Jerboa still shows as not logged in even after logging out which you do by clicking the hamburger menu then click the top banner to change/log out of accounts. This post is a test to see if my account works again via browser lol.
Edit: clearing app data/cache for Jerboa fixed the login issue.
- With Jerboa, try logging in and you'll get this bugged state. Now close the app from your multitasking view, open it up again. If the account shows up, sign out and clear cache. If the account doesn't show up, log in.
  This should make it work right again, at least it worked for me.
- Thanks for this comment, I had to wipe cache and cookies to login on desktop. Wasn't sure what was preventing me from logging in.

One wonders how much spez paid for that hack.

Took me a bit to realize I actually had to log out and log back in on Jerboa since it looked like I was still logged in but some interactions didn't work
- Yeah, I'm not sure what was going on.

Can I ask some possibly dumb questions?
What is JWT?
Was any private user data compromised, and if so will users be informed?
Is there anything regular users can do to avoid their data being compromised? For example, not accessing lemmy on certain web browsers?
Thank you!
- JWT stands for JSON Web Token. It's basically a way for a server (lemmy's) to put a piece of information in your browser in a way that makes sure it come from the server. It (usually) uses some form of digital signature. You can think of it as a note someone gave you with their signature, assuming said signature is very hard/impossible to counterfeit. The next time you see that person, they don't have to remember you, they just have to check the signature. If it is valid, anything written on the note is taken at face value.
  When you connect to a site, there are a few steps to validate that you are who you say you are (identification and authentication). Something like inputing you login/password. Since it would be tedious to do that on every requests, the first time you give your login/password to the server (this is the simplified version, this exchange is a bit more complex usually) the server gives you that JWT. For every subsequent requests, your browser automatically send that JWT that is simple to handle but hard to counterfeit, and the server safely knows that you're whoever is written in that JWT.
  I assume there will be a post here when more details are known, or that this post itself will be updated. As with any online service, it's up to the service to decide if they want to communicate. (it may also be a legal requirements in some places to tell user when such an event occurs). Since we're talking about obtaining other user's authentication token including an admin, it is safe to assume that whatever an admin can see has leaked. This can range from basic user informations to more private stuff, although I am not familiar with the software behind lemmy. Note that this is a worst-case scenario; an admin impersonator could have access to anything an admin could see, it does not mean they immediately dumped everything. It depends on their motivation.
  Protection against this kind of stuff Compromission of the JWT can happen in many ways and I don't know which way was used. But if there's a flaw in the software used (the lemmy's client-side code, for example) there is not much you can do. JWT can leak through many things :
  server compromission (out of your control)
  client-side compromission (only happens when using a browser; applications that uses API should be less susceptible to that)
  vulnerable extension: if you have browser extensions, they can easily peek into what's happening in any given page (that's their whole purpose). Malicious extensions, or extensions that allow outsider's some kind of control over them can leak data
  browser vulnerability: keep your browser up-to-date, and (this is controversial) stick to a family of well-enough known browser. That obscure browser that have 20 users worldwide and is based on a three years old version of chromium is not the best thing to use
  keep your data safe: only put the minimum required amount of data on any service. For lemmy, I assume an email address and your login/password is the bare minimum (well the email is already extra, but it's very convenient to have). Some services really likes to get everything they can out of you.
  Basically, stay up to date and don't use shady stuff. Easy to say, I know.
  
  This is great thank you!
  
  This answered all of my questions and really helped me understand what happened, thank you so much for having the patience to walk me through it!
  It sounds like using apps to access Lemmy is more secure than signing in on your mobile browser (which is what I'm currently doing.)
  I tried a couple apps last week but didn't like them, I think I'll revisit that today.
  Thanks again!
- 1 - jwt is the authentication cookie u get when u sign in with ur password, ur browser stores the jwt and then any further interaction authenticates using it
  2 - yes, userscripts, extensions, custom frontends, apps, all apps have access to jwt
  
  2 - yes, userscripts, extensions, custom frontends, apps, all apps have access to jwt
  HttpOnly flag not being set? That would protect against userscript, web apps, and extensions without extended permissions being able to access it.

You guys really have my highest respect for spending so much time to keep this running, despite all the recent trouble and now even an attack.
Thank you very much <3 You guys are awesome and I really appreciate how publicly you deal with this.

I think this is a strong reminder: We shouldn't put all our eggs in one basket. This will happen again. Unlike Reddit, we don't need to concentrate all communities on one instance. We should all make an effort to spread out. Some other general use instances are:
https://lemm.ee
https://lemmy.one
https://sh.itjust.works
https://sopuli.xyz
Again, for those new, you can post content to any of these instances and interact with content from other instances at the same time, just like you can send an email from your Gmail account to your ProtonMail account.

That was scary and exciting. Response seems competent and transparent. I ❤️ this place.

So, do we change passwords, esp those who logged on during the attack? (I created this acct right before the attack happened tho.)
- No, passwords weren't compromised
- I think it's good practice to change passwords after an attack no matter what
- So, do we change passwords
  If you don't use a randomly generated password, it's a good idea to change it anyway. Not because of this specific attack but in general. For the longest time the Lemmy software was just a hobby of a very small group of individuals. While the back-end is written in Rust and probably more robust than the PHP code over at Kbin, I don't think a proper security review was ever conducted, so there's a not so small chance there will be some additional growing pains in the somewhat near future.
- According to the admin, no, but changing your password and keeping your data safer is always totally fine to do and you should probably do it every once in a while regardless.

Despite the fact that Lemmy is a fairly new piece of software, which makes these issues more likely, I am really grateful for it being open source, and I really appreciate this level of transparency.

Well done all involved. Sounds like it was caught and mitigated quickly

Thank you for the transparency and swift solution!
- Vulnerability strikes. Open source's lightning response strikes back. Again.
- @nonagonOrc @ruud 👍🏻

Any truth to what I've heard this may have been done by a group we defederated with?

Thanks for fixing and being so open about it

How does this impact those using mobile apps like Jerboa or Liftoff, instead of the website directly?
- Check the pinned post on liftoff community page.
  https://lemmy.world/post/1292303
  As a safety precaution logged-on sessions on many servers have been cancelled and you are required to logon again.
  
  Thanks, I'll do that. Curiously, the lemmy.ml account keeps working, wonder what it depends on.
- as someone who uses the app, extremely little effect from my experience, I didn't notice something was wrong at all until people pointed it out due to how liftoff does the whole sidebar thing for the instance.
  It's still better to change your account password and clear your cache.
- Was wondering this myself. Is there a way for users who where exposed to know about it?
  (Edit) Eg if the exploit was through a post get notified if they saw the post?
  
  apparently they posted it as a weird image or emoji that looked like this:
  
  There is no need to get notified, they didn't steal passwords, just session cookies. Most (all?) servers have invalidated all the user login cookies, but if you are in doubt, just logging out and back in should be enough to get a new cookie.

I just disabled whole "/admin" section on my instance and added nice message 😆

Good job. I don't understand very much of that, so that makes me all the more grateful. Thank you.

The fact that Lemmy is being hacked is a sign Lemmy is becoming big. This is a great thing, but mass adoption should still be refrained from, as we have seen it with reddit and Big Tech platforms.

Thanks for your efforts. I know that Lemmy was put in place rather quickly as a Reddit alternative. But I'm genuinely hopeful that this will be a good alternative.

At least now we can mark off the "disruptive website defacement attack" line on the checklist of (relatively) new website growing pains. Better to have them make lots of noise and get fixed quickly than quietly do sneaky things in the background.

On Liftoff, I had to clear cache and storage in order to log back in. Still having issues with the website on Chrome, which keeps telling me I'm not logged in after clearing cache and logging back in.

Thanks for the transparancy about this.
- Good communication is key to effective incident response. This is a good example of that. Kudos.

The quick fix is much appreciated, thank you and everyone that helped for your hard work!

Could admins sign announcements with a PGP key to mitigate false admin posts and the consequences this might have? Or is this no longer necessary?
- It's probably a good idea to have official announcements be signed, that way it's obvious when they're actually posting officially or if they are compromised.
- What's the difference? JWT is already cryptographically signed, but tokens were stolen. That's the issue.
  
  No one store their PGP private key in cookies, at least I hope so.
  Ideally someone wants to send signed message doesn't store the signing key in their browser, sandbox their browser even.
  
  PGP private keys are harder to steal than JWTs, as they are not generally stored as a long-term cookie but briefly just to sign something. Through XSS (the vulnerability in this case), cookies are relatively easy to steal, but to steal a PGP key would require a more complex script able to steal the key at the time it is loaded in the browser (assuming the signing feature is implemented in the browser). It's a bit more sophisticated, but not totally bulletproof.
- I think the lemmy.world admin posted on his official Mastodon.
  https://mastodon.world/@mwadmin/110688515627268847

One thing I don't get. Custom emojis can only be created by an admin, but you're saying an admin's account here got compromised because of that and not the other way around. Does that mean that an evil instance set a custom emoji with the injected JavaScript and propagated it to the federated instances?
- From the fix, I believe the custom emojis were not double checked after a user submits a post. The post data was used to display the emojis, and thus allowing injection.
  The fix now is to search the emojis in the custom emojis list from the backend rather than the user post.

That shit sucks, I'm so sorry. I'm glad you got it under control. Nothing but admiration from me for doing all this hard work.
New code, new challenges. It's a new world out there and largely is pretty great. Thanks again.

Does an admin account have any permissions to view email addresses or data of registered users?
Did MichelleG not have 2FA enabled?
Now that this has happened, it's be worth pushing this issue through as high priority. If HttpOnly was enabled, then an admin takeover would not have been possible.
https://github.com/LemmyNet/lemmy-ui/issues/1252
- The JWT exploit bypasses 2FA requirements. It basically steals your active session and allows a third party to use it.
  
  Good point. I suppose the only way to fix that particular issue to disallow cookie authentications from a new location
- To answer one question, the admins are able to view email addresses I believe. My knowledge comes from "I read it in a comment awhile ago that sounded credible" so I could be wrong.

That doesn't surprise me. Especially the "homemade" instances. The documentation is severely lacking and I had to fix lots of stuff in the instructions with try&despair to make my instance run.
There's not a great focus in security if your application starts with "step 1: install docker"

Thanks for the transparency.

Great lemmies! Thanks for uniting us.

733 comments