Hey everyone, this exploit is present in the custom emoji feature of Lemmy. Because lemdro.id does not use custom emojis, we are not vulnerable at this time.
this post was submitted on 10 Jul 2023
31 points (100.0% liked)
Android
407 readers
5 users here now
The new home of /r/Android on Lemmy and the Fediverse!
Android news, reviews, tips, and discussions about rooting, tutorials, and apps.
🔗Universal Link: !android@lemdro.id
💡Content Philosophy:
Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.
Support, technical, or app related questions belong in: !askandroid@lemdro.id
For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id
📰Our communities below
Rules
-
Stay on topic: All posts should be related to the Android OS or ecosystem.
-
No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.
-
Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.
-
No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.
-
No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.
-
No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.
-
No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.
-
No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.
-
No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!
-
No affiliate links: Posting affiliate links is not allowed.
Quick Links
Our Communities
- !askandroid@lemdro.id
- !androidmemes@lemdro.id
- !techkit@lemdro.id
- !google@lemdro.id
- !nothing@lemdro.id
- !googlepixel@lemdro.id
- !xiaomi@lemdro.id
- !sony@lemdro.id
- !samsung@lemdro.id
- !galaxywatch@lemdro.id
- !oneplus@lemdro.id
- !motorola@lemdro.id
- !meta@lemdro.id
- !apple@lemdro.id
- !microsoft@lemdro.id
- !chatgpt@lemdro.id
- !bing@lemdro.id
- !reddit@lemdro.id
Lemmy App List
Chat and More
founded 1 year ago
MODERATORS
Deeply unfortunate that something like this could happen, you always hope that code injection vulnerabilities are found before someone is hacked. With that in mind, this shows the importance of two security principles: always parse and clean user input and don't click links (including images) before checking where they are going to send you.
This used an onLoad which isn't generally shown when you hover over a link in a browser. Most people, even devs, aren't going to jump on the console to check every link.
NoScript would probably have helped though.
What kind of terrible markdown editor allows adding onload scripts to images though.. it's insane.
Script kiddies. insert eyeroll emoji here
Here take this: 🙄
Deeply unfortunate that something like this could happen, you always hope that code injection vulnerabilities are found before someone is hacked. With that in mind, this shows the importance of two security principles: always parse and clean user input and don't click links (including images) before checking where they are going to send you.
It’s worse than that. Until Lemmy is more mature, I would reccomend using the lite version of Lemmy, the JS-free version, for sake of client side security. Alternatively, or as an added point of security, the front-ends themselves should implement more sanitazion themselves. I’m willing to spend some free time vulnerability testing, but I would need a dedicated sand-box for that.
In all seriousness, no one is talking about this, but this is the one disadvantage of open source software being developed by volunteers, we don't know exactly how the admin accounts were hacked but the XSS stuff is really basic stuff, none of those fields were sanatised at all, and it makes me concerned what else has been missed, obviously the advantage of open source is in time this stuff can get fixed, but this is what happens when loads of people who aren't experts contribute to a site.
In comparison to sites where there is a fully hired developer team the quality of the code is significantly better. I really hope the passwords were hashed on these instances and the hackers didn't get plain text passwords or anything really bad like this.
One thing and credit to Ernest, as I've contributed there he does very thorough code reviews and his quality of code is very good, its why im confident kbin won't be hacked.
The two main Devs of Lemmy do this full time. They're not hired in a traditional sense, but the project is funded enough for them both to work on it as their full time job. Now, this isn't a problem with open source, I'm a professional software Dev and you would not BELIEVE how many enterprise, proprietary systems are still doing things like building SQL statements by directly concatening strings that come from user input (especially in enterprise software cause, well, who's gonna fuck around with it?). No, this is a problem of having this many eyeballs on you. The tiny little places they slipped up and didn't properly sanitize a user input string was found and exploited. Most proprietary systems do NOT reach this level of user count, and in particular Lemmy attracts a certain more tech-savvy demographic that would've found this sooner or later, malicious or not. Remember, this vulnerability was not just found, somebody was looking for it.
yes and no: there are a couple of schools of thought!
of course, code by a lot of people without proper review is… risky
however, at least it’s able to be reviewed! and in time and with enough eyeballs, hopefully that code will become far more robust. that’s the benefit of transparency: anyone can review any line at any time!
remember: closed-source code as plenty of vulnerabilities too! just if we can’t review it, it’s much harder to work out what they might be… often, closed source vulnerabilities can exist for years without the vendor ever patching them because nobody is calling them out on it… hell, they can even know that their software is actively being exploited and just… not tell anyone
I think you've never worked in software, or even used software, if you think paid close source apps don't have issues like this. They can be worse because they're written by interns and no one there actually cares, they just want their paycheck
I concur that the security behind closed doors I've seen is often non-existent. The incentives are typically stacked against security.
I think it's hilarious that Reddit protesters were redirected to NSFW content, karma is coming around lmfao
Are you the hacker, who did this?💀
What karma? Spez started it by being a liar 🤷♂️ so I say it is natural that people stop supporting him.
Dude's got 44 comments and every single one is a complaint about the reddit protest or protestors. Might just be spez himself lol
I can sense tears and hurt through your, "lmfao"
Did this result in Lemmy.world being defederated from Lemdro.id?
Lemmy.world is back up and the hack is over, but when I view !android@lemdro.id using my lemmy.world account I can't see anything.
EDIT: In case anyone else is having this problem, the issue was my language settings. Despite having “Undetermined” set as a language, that was the problem - I clicked the little “X” to unselect all languages and then saved, and now it’s working again.
I have not de-federated other instances simply because lemdro.id is not vulnerable to this particular exploit
beehaw isn't down, just very slow, which is it's normal state of being if we're being honest
view more: next ›