Several Lemmy-powered alternative Reddit sites hacked due to zero-day vulnerability
Lemmy is open source software designed to create standalone news aggregators and discussion forums. Each Lemmy-based site is run by different individuals or organizations, but they are interconnected, allowing users of one site to interact with messages on other servers. There are currently over 1,100 sites with a total of almost 850,000 users.
A few days ago, someone started exploiting a cross-site scripting vulnerability (XSS) associated with displaying custom emoji.
The attacker used the vulnerability to corrupt pages on some popular sites, including Lemmy.world, the most popular site with over 100,000 users.
“Several major Lemmy sites had several user accounts compromised through stolen [JWT] authentication cookies. Some of these cookies were owned by administrators, these administrative cookies were used to deface sites. Vulnerable were only those users who opened pages with malicious content during the incident,” explained the administrators of Lemmy.world.
They added: “The stolen cookies gave attackers access to all private messages and email addresses of affected users.”
It looks like the attacker used the modified pages to redirect users to hateful or shocking content.
Some of Lemmy’s sites were previously shut down when the attack began.
The vulnerability should be fixed, but users have also been advised to change their JWT passwords.